More stories

    This is how much the average Conti hacking group member earns a month

    The average Conti ransomware group member earns a salary of $1,800 per month, a figure you might consider low considering the success of the criminal gang. On Wednesday, Secureworks published a set of findings based on the group’s internal chat logs, leaked earlier this month and pored over by cybersecurity researchers ever since.

    The internal messaging records were leaked online after Conti, tracked as Gold Ulrick by Secureworks, declared its public support for Russia’s invasion of Ukraine, an ongoing conflict.

    Conti is a prolific ransomware group suspected to be of Russian origin that has claimed hundreds of victim organizations worldwide. The group will infiltrate a network — whether independently or through the purchase of initial access through underground forums — steal data, encrypt networks, and will then demand a ransom. Victims who refuse to pay up may find their information leaked online.

    Conti’s average ransomware demand is roughly $750,000, but depending on the size and annual revenue of a victim, blackmail payments can be set far higher, sometimes reaching millions of dollars.

    Check Point researchers have previously scoured the Conti chat logs and exposed a rather “mundane” operation, the type you’d expect a typical software development business to run. This included a business infrastructure offering office, hybrid, or remote work options, performance reviews, bonuses, and a hiring process for coders, testers, system administrators, and HR.

    While new members are interviewed, not everyone is told they are applying to work with a criminal outfit, as some ‘employee’ messages have revealed. However, they may be offered salaries far higher than the local average to stay when the truth comes out.

    According to Secureworks’ analysis of the logs, containing 160,000 messages exchanged between almost 500 individuals between January 2020 and March 2022, there were 81 people involved in payroll, with an average salary of $1,800 per month.

    [Image: Payroll message to group leader Stern (Russian translation). Source: Secureworks]

    While core operators likely take a far larger slice of the pie, it is estimated that the average Russian household brings in $540 per month — and so the ‘salary’ offered by cybercriminal groups could be a strong lure. Furthermore, with the value of the Ruble tumbling due to international sanctions, this may entice more to enter this market.

    In addition, Secureworks has found leaks between the “designated leader” of Conti, dubbed “Stern,” and other cybercriminal groups. Stern is a figure described as someone who makes “key organizational decisions, distributes payroll, manages crises, and interacts with other threat groups.” The team suspects that they also hold a leadership position in Gold Ulrick (Trickbot/BazarLoader).

    Secureworks also found connections to the cybercriminal groups Gold Crestwood (Emotet), Gold Mystic (LockBit), and Gold Swathmore (IcedID), although this may just be for communication and/or collaborative purposes.

    “The chats reveal a mature cybercrime ecosystem across multiple threat groups with frequent collaboration and support,” the researchers say. “Members of groups previously believed to be distinct collaborated and frequently communicated with members of other threat groups. This interconnectivity shows these groups’ motivations and relationships. It highlights their resourcefulness and ability to leverage subject matter expertise within the groups.”

    On March 20, an unnamed researcher — believed to come from Ukraine — also published a recent version of the Conti ransomware source code. The package was uploaded to VirusTotal for the benefit of cybersecurity defense teams but may also be adapted for use by threat actors.

    Okta revises LAPSUS$ impact upwards to potentially 2.5% of customers

    Okta has again updated its blog post on the LAPSUS$ intrusion from January, which was first revealed by the hacking gang on Tuesday.

    “After a thorough analysis of these claims, we have concluded that a small percentage of customers — approximately 2.5% — have potentially been impacted and whose data may have been viewed or acted upon. We have identified those customers and are contacting them directly,” Okta CSO David Bradbury said. “If you are an Okta customer and were impacted, we have already reached out directly by email.”

    Earlier this month in its fourth-quarter results, the company said it had 15,000 customers, of which 2.5% is 375. The company said it would be conducting a pair of technical webinars on the event on Wednesday.

    For its part, LAPSUS$ said it gained access to a superuser portal that could reset the password and multifactor authentication of 95% of clients. “For a company that supports zero-trust, support engineers seem to have excessive access to Slack? 8.6k channels?” the group said. “The potential impact to Okta customers is NOT limited, I’m pretty certain resetting passwords and MFA would result in complete compromise of many clients systems.”

    The group called on Okta to hire a cybersecurity firm and to publish any report they complete. It also claimed Okta was storing AWS keys within Slack. LAPSUS$ also added that many of its members were on holidays for the rest of the month. “We might be quiet for some times,” the group said. “Thanks for understand us — we will try to leak stuff ASAP.”

    Speaking to ZDNet last week, Cisco advisory CISO Helen Patton said CISOs were separating themselves operationally from breach reporting requirements.

    “So now we’ve got lawyers who are making a decision about whether something is material enough to require a report, which is not really the spirit of the regulation. But I’ve seen it in Australia, and I’m seeing it overseas as well,” she said. “This is a coping mechanism because the reporting requirements are sort of vague.”

    Patton said that because legal staff want to contain events as much as possible, they would start low and escalate the impact of events rather than starting high and walking back. “That puts the rest of the rest of us at risk, actually,” the advisory CISO said. “So the question is, what is the right level to go with? Do you oversell it or undersell it, in order to not only protect yourself, but protect the ecosystem that you’re working in?”

    “We are rewarded by underselling … in a lot of ways reputationally, legally, but from a risk perspective, we might want to actually oversell it because that gets more people on alert faster and hopefully gives you a faster response.”

    Patton said companies that issued multiple upwards revisions could appear as though they did not know what they were doing. “It’s not until you’ve had a certain amount of time to explore the incident, respond to the incident, learn from the incident that you really have good quality information,” she said. “But our regulators want us to tell them immediately when something looks funny. And there’s lots of things that look funny in our environments, because our environments they’re inherently odd.

    “They’re going to get a lot of really bad signals early on, and we’re going to have to work out how do you talk about that publicly when the information is really asymmetrical in terms of what you know, and what’s actually happening. It’s a problem.”

    Updated at 01:35pm AEDT, 23 March 2022: Added further information on LAPSUS$.

    Microsoft confirms LAPSUS$ hit account with limited access after gang released alleged Bing and Cortana source

    Microsoft has confirmed the hacking gang LAPSUS$ was able to compromise an account with limited access, but has left the question of source code exfiltration hanging in the air.

    “No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity,” Microsoft said. “Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.

    “Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.”

    On Tuesday, LAPSUS$ posted a torrent file claiming to contain source code from Bing, Bing Maps, and Cortana. “Bing maps is 90% complete dump. Bing and Cortana around 45%,” the group said.

    Microsoft’s confirmation of the compromise was contained in a blog post, which listed the techniques of the group. “Their tactics include phone-based social engineering: SIM-swapping to facilitate account takeover, accessing personal email accounts of employees at target organizations, paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication approval; and intruding in the ongoing crisis-communication calls of their targets,” Microsoft said. “Tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction.”

    The group, named DEV-0537 by Microsoft, has been observed using vulnerabilities in Confluence, JIRA, and GitLab to elevate privileges, calling helpdesks to get passwords reset, stealing Active Directory databases, and making use of NordVPN to appear as though they are in similar geography to targets.

    “If they successfully gain privileged access to an organization’s cloud tenant (either AWS or Azure), DEV-0537 creates Global Admin accounts in the organization’s cloud instances, sets an Office 365 tenant level mail transport rule to send all mail in and out of the organization to the newly-created account, and then removes all other Global Admin accounts, so only the actor has sole control of the cloud resources, effectively locking the organization out of all access,” Microsoft said. “After exfiltration, DEV-0537 often deletes the target’s systems and resources. We’ve observed deletion of resources both on-premises (for example, VMWare vSphere/ESX) and in the cloud to trigger the organization’s incident and crisis response process.”

    The group has also used internal messaging services to understand how victims are reacting. “It is assessed this provides DEV-0537 insight into the victim’s state of mind, their knowledge of the intrusion, and a venue to initiate extortion demands,” Microsoft said. “Notably, DEV-0537 has been observed joining incident response bridges within targeted organizations responding to destructive actions. In some cases, DEV-0537 has extorted victims to prevent the release of stolen data, and in others, no extortion attempt was made and DEV-0537 publicly leaked the data they stole.”

    In the past 24 hours, LAPSUS$ also claimed to have hit Okta. In response, Okta said the group had access to a support engineer’s laptop over a five-day period.

    Retorting to Okta, the group said the compromised device was a thin client, and it gained access to a superuser portal that could reset the password and multifactor authentication of 95% of clients. “For a company that supports zero-trust, support engineers seem to have excessive access to Slack? 8.6k channels?” the group said. “The potential impact to Okta customers is NOT limited, I’m pretty certain resetting passwords and MFA would result in complete compromise of many clients systems.” The group called on Okta to hire a cybersecurity firm and to publish any report they complete. It also claimed Okta was storing AWS keys within Slack.

    White House warns: Do these 8 things now to boost your security ahead of potential Russian cyberattacks

    It’s one thing for tech companies to urge users to enable multi- or two-factor authentication, but now the White House is urging all US organizations to do it because of potential cyberattacks ahead. Two-factor or multi-factor authentication (MFA) was a concept that needed to be explained carefully to the public a few years ago. It’s an approach to cybersecurity that requires users to sign in to an account with something they physically possess, such as a phone.

    Most companies don’t use it, even when it’s readily available, according to previously reported data from Microsoft, because they prioritize easy access to information over security. But with the Russian invasion of Ukraine under way, the US government has now told all organizations that MFA is a must.

    “Mandate the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system,” the White House has warned.

    The message comes as the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) ramp up warnings about Russian hacking of everything from online accounts to satellite broadband networks. CISA’s current campaign is called Shields Up, which urges all organizations to patch immediately and secure network boundaries.

    President Biden said the warnings around improving tech security were “based on evolving intelligence that the Russian government is exploring options for potential cyberattacks.”

    CISA has led most of the US’s efforts and has the authority to require critical infrastructure owners and operators to report ransomware and other incidents within 24 hours. The White House, however, has now urged all organizations, even those that are not considered critical infrastructure, to beef up their defenses.

    “We accelerated our work in November of last year as Russian President Vladimir Putin escalated his aggression ahead of his further invasion of Ukraine,” the White House said in a statement. “The US government will continue our efforts to provide resources and tools to the private sector, including via CISA’s Shields-Up campaign.”

    It’s rare for the leader of any country to urge everyone to step up cybersecurity defenses. Biden has used executive orders to compel federal agencies to patch software, but the new message urges the private sector to do the same.

    Beyond the use of multi-factor authentication, the White House also urged companies to take seven other steps:

    • Deploy modern security tools on your computers and devices to continuously look for and mitigate threats
    • Make sure that your systems are patched and protected against all known vulnerabilities, and change passwords across your networks so that previously stolen credentials are useless to malicious actors
    • Back up your data and ensure you have offline backups beyond the reach of malicious actors
    • Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack
    • Encrypt your data so it cannot be used if it is stolen
    • Educate your employees to common tactics that attackers will use over email or through websites
    • Work with FBI and CISA to establish relationships in advance of any cyber incidents

    Social engineering attacks to dominate Web3, the metaverse

    Researchers predict that a surge in social engineering attacks will dominate web3 and the metaverse. 

    Web3 is the term coined for what could become the next face of the internet. The web has shifted from pages containing content to the growth of social media, and now, the concept of a decentralized internet is being discussed under the Web3 banner. Part of this transformation could include the ‘metaverse’ — a 3D environment and virtual world for facilitating social connections, whether personal or for work. Your ID in the metaverse may also end up linked to cryptocurrency wallets, Non Fungible Tokens (NFTs), and various smart contracts.

    As technology vendors work on these concepts, cybersecurity researchers from Cisco Talos have offered their perspective on the potential threats Web3 and the metaverse will face.

    The recent phishing wave experienced by OpenSea users, in which victims were duped into signing off on malicious contract transactions and handing over their NFTs, may highlight the forms of attack we may see more commonly in the future.

    The first issue discussed by the team is the use of the Ethereum Name Service (ENS) and potentially upcoming similar services that are used to compact wallet addresses into a format that can be remembered easily.

    As some of us speculate on the potential future value of ENS domains and register them — such as ‘businessname.eth’ — these addresses could be used as leverage in phishing attacks, especially as ENS domains are recorded on the blockchain and cannot be removed through trademark disputes easily.

    “It may come as no surprise that ENS domains such as cisco.eth, wellsfargo.eth, foxnews.eth and so on are not actually owned by the respective companies who possess these trademarks, but rather they are owned by third parties who registered these names early on with unknown intentions,” Talos says. “The risk here is obvious.”

    In addition, those that register an ENS domain may use their names, deanonymizing an address and signaling to others what funds an individual has in their cryptocurrency wallet, potentially increasing their risk of being selectively targeted by a threat actor.

    A brief search by Cisco Talos on ENS domain holders who publicized their address revealed a number of ‘whales’ holding vast amounts of cryptocurrency and some rather lucrative NFTs. A number of holders also reveal their home towns, full names, and social media profiles — giving attackers a broader picture of individuals to target in social engineering attacks.

    “For many, identifying their real-world identities and physical locations starting from the ENS domain and Twitter account was almost trivial,” the researchers say.

    As Web3 will be a new concept that users will need time to learn about, a general lack of education may also make individuals more susceptible to scams and fraud.

    “Unfamiliar technology can often lead users into making bad decisions,” Cisco Talos says. “Web3 is no exception. The vast majority of security incidents affecting Web3 users stem from social engineering attacks.”

    In addition, wallet cloning — already a threat in practice — may become a more popular attack method in the future. This requires victims to give up their seed phrase, the secret key used to retrieve lost wallets, which may be requested through social engineering, by posing as customer support, or by tricking wallet holders into fake verification processes.

    While Web3 is still in development, it is worth taking the time to familiarise yourself with this technology — especially if you plan to explore the decentralized world in the future. Cisco Talos also recommends implementing basic security measures, password managers, multi-factor authentication (MFA), and most importantly, remembering that you should never hand over your seed phrases.

    Android app downloaded 100,000 times from Google Play Store contained password-stealing malware, say security researchers

    Google has removed an app with over 100,000 downloads from its Play Store after security researchers warned that the app was able to harvest the Facebook credentials of smartphone users.

    Researchers at French mobile security firm Pradeo said the app embeds Android trojan malware known as “Facestealer” because it dupes victims into typing in their Facebook credentials to a web page that transmits the credentials to the attacker’s server, which happens to be a domain that was registered in Russia. If a user enters their credentials, the makers of the Android app then have full access to victims’ Facebook accounts, including any linked payment information, such as credit card details, as well as users’ conversations and searches, according to Pradeo.

    “It mimics the behaviors of popular legitimate photo editing applications. In fact, it has been injected with a small piece of code that easily slips under the radar of store’s safeguards,” Pradeo says in a blogpost.

    The app ‘Craftsart Cartoon Photo Tools’ was billed as a tool that lets people “turn stunning looks from real cameras into paintings and cartoons” using advanced artificial intelligence and machine learning.

    However, Android users themselves appear to have detected problems with the app, validating the idea that users should always read reviews before installing an app. “Totally fake. The way it was advertising seems like useful. Then find out just a few filter effects for any photo,” wrote one user in March. “No cartoonization anywhere. Don’t download,” wrote another.

    After users open the bogus photo-editing app, it opens a Facebook login page that requires the users to sign in before they can use the app. The credentials are then transmitted to the app owner’s server.

    Google encourages Android users to only install apps from its app store. However, research has shown that malicious apps can make their way into the Google Play store. Google confirmed to ZDNet that the app has been removed from the Play Store and the developer banned.

    Pradeo in December raised an alarm about Joker malware being distributed on the Play Store that had been installed by over 500,000 users. That malicious app attempted to defraud users through premium mobile services and unwanted ads.

    Okta says breach evidence posted by Lapsus$ hackers linked to January 'security incident'

    Okta says that a rapid investigation into the sharing of screenshots appearing to show a data breach relates to a “contained” security incident that took place earlier this year.  Okta, an enterprise identity and access management firm, launched an inquiry after the LAPSUS$ hacking group posted screenshots on Telegram that the hackers claimed were taken after obtaining access to “Okta.com Superuser/Admin and various other systems.”
    The images were shared over Telegram and various social media networks this week. 

    “For a service that powers authentication systems to many of the largest corporations (and FEDRAMP approved) I think these security measures are pretty poor[…],” LAPSUS$ said. “Before people start asking, we did not access/steal any databases from Okta — our focus was only on Okta customers.”

    In an emailed statement on Tuesday, Okta said the screenshots shared online “appear to be connected to a security event in late January.”

    Okta said: “In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. We believe the screenshots shared online are connected to this January event.”

    “Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January,” Okta added.

    In a tweet, Cloudflare CEO Matthew Prince added to the discussion, commenting: “We are aware that Okta may have been compromised. There is no evidence that Cloudflare has been compromised. Okta is merely an identity provider for Cloudflare. Thankfully, we have multiple layers of security beyond Okta, and would never consider them to be a standalone option.”

    Lapsus$ is a hacking group that has quickly risen through the ranks by allegedly breaking into the systems of high-profile companies, one after the other, in order to steal information and threaten to leak it online unless blackmail payments are made. Recent breaches connected to the group include those experienced by Samsung, Nvidia, and Ubisoft.

    On Sunday, a screenshot was shared that suggested an alleged Microsoft breach may have taken place, potentially via an Azure DevOps account, although the post has since been deleted. Microsoft is investigating.

    Based in San Francisco, Okta is a publicly-traded company with thousands of customers, including numerous technology vendors. The company counts FedEx, Moody’s, T-Mobile, JetBlue, and ITV among its clients.

    “Lapsus$ is known for extortion, threatening the release of sensitive information, if demands by its victims are not made,” commented Ekram Ahmed, spokesperson at Check Point. “The group has boasted breaking into Nvidia, Samsung, Ubisoft and others. How the group managed to breach these targets has never fully been clear to the public. If true, the breach at Okta may explain how Lapsus$ has been able to achieve its recent string [of] successes.”

    APAC firms see need to train staff in digital skills, but few actually do so

    Most organisations in Asia-Pacific realise their employees need training in digital skills, but few have put in place plans to do so. With cloud and cybersecurity amongst the top digital skills in demand, employers run the risk of missing out on key business benefits if the skills gaps remain unplugged.

    Specifically, the ability to use cloud-based tools such as accounting and CRM (customer relationship management) software-as-a-service (SaaS) applications emerged as the top-most needed digital skill by 2025, according to a study commissioned by Amazon Web Services (AWS). This was followed by cybersecurity skills, including the ability to develop or deploy protocols as well as techniques to maintain the security of their organisation’s digital systems and data.

    Conducted last August by consultancy AlphaBeta, the online survey polled 2,166 employers and 7,193 workers across seven Asia-Pacific markets: Singapore, Australia, India, Indonesia, Japan, New Zealand, and South Korea. Employers comprised business and IT managers from organisations in private and public sectors, while workers included tech and non-tech full-time employees who used digital skills in their jobs.


    The study further revealed that technical support, digital marketing skills, and the ability to manage migration from on-premises to the cloud were amongst the top five most in-demand digital skills. Others that were in demand by 2025 included artificial intelligence and machine learning, cloud architecture design, Internet of Things (IoT) skills, and software development.

    The desire for digital skills also was felt by employees, especially as the global pandemic fuelled digital transformation across many enterprises. Some 88% of workers said they now needed more digital skills to keep up with changes in their job, with 86% noting that COVID-19 had accelerated the pace of digital adoption in their organisation. In particular, 64% of employees said they needed training in cloud-related skills by 2025, Emmanuel Pillai, AWS’ Asean head of education and training, said in a video interview with ZDNet.

    Some 54% of workers said they needed to learn how to maintain safe and secure digital systems, while 33% needed to learn how to migrate on-premises facilities to the cloud. Another 27% believed they needed skillsets in cloud architecture design to progress in their careers.

    However, while 97% of companies recognised the need to train their workers on digital skills, just 29% actually had implemented a plan to do so, Pillai noted. In fact, two-thirds of workers revealed they were not confident they were gaining digital skillsets fast enough to meet their future career requirements. The lack of confidence was most apparent, at 83%, amongst employees aged 55 and above, while 75% of those aged between 40 and 55 felt likewise, as did 60% of workers aged 40 and below.

    Across the board, 93% of organisations and employees faced barriers in accessing digital skills they needed to remain competitive, with time and awareness cited as the top challenges. Some 72% pointed to limited awareness of available training courses as a barrier, while 66% noted limited awareness of the digital skills needed. Another 65% pointed to high training costs as a challenge. Amongst employees, 71% cited the lack of time to pursue training as a barrier, while 64% noted the lack of quality training.

    Businesses should look at long-term benefits of skills investment

    Organisations in this region, though, should look at the long-term benefits of digital skills training, rather than perceiving this to be an added cost, noted Genevieve Lim, Asia-Pacific director at AlphaBeta, which is part of Access Partnership.

    She told ZDNet that amongst organisations that did invest in digital skills training, 88% saw higher staff productivity. Another 83% reported higher employee retention, while 82% clocked increased revenue. With 80% of employees noting that the ability to learn new digital skills led to greater job satisfaction, Lim said such findings could offer insights on how companies could retain talent amidst the global mass resignation phenomenon.

    If left unaddressed, the gaps in cloud skills also meant organisations would miss out on benefits such technologies brought to the table, she said. For instance, they would take a longer time to innovate if they lacked the talent to help them develop and go to market with new products. In addition, they would not gain the cost efficiencies and productivity improvements that digital and cloud technologies were touted to deliver, Lim said.

    The study estimated that 86 million more employees across the seven Asia-Pacific markets would have to undergo digital skills training over the next year to keep up with technological change. This figure accounted for 14% of the total workforce in those regional markets.

    With Asia-Pacific enterprises in different stages of their cloud adoption journey, from migration to operating in a cloud-native environment, Pillai said AWS looked to support them across all phases with more than 250 managed cloud services. He added that the cloud vendor not only offered security-specific training and certifications, but also ensured security was “baked” into all its training programs.

    Pointing to the shared responsibility to safeguard cloud systems and data, he underscored the need for enterprises to understand how to secure and build secured applications. Doing so would further reduce the need to plug gaps later, he noted. He said an AWS customer was able to reduce its time-to-market by 15% to 25% because its engineers were trained to develop applications with a security-by-design mindset. This meant they did not have to spend as much time debugging and fixing bugs, allowing their company to push out the applications faster, Pillai said.