More stories

    Microsoft: We've switched off this 'critical' MSIX protocol handler but we're working to bring it back

    Microsoft has disabled a Windows App Installer feature after its December Patch Tuesday disclosure that it was being actively exploited to install unwanted apps.

    The flaw was bad news for Windows domains, with Microsoft confirming that attackers were using this vulnerability to install specially crafted packages and spread the Emotet, Trickbot and Bazaloader malware families. The Windows AppX Installer is a Windows 10 feature that allows users to install .appx packages. In a blog post explaining why it has switched off the ms-appinstaller protocol for the MSIX Windows app package format, Microsoft says that an attacker can use that protocol to “spoof App Installer to install a package that the user did not intend to install”.

    For now, it appears Microsoft hasn’t fully addressed the vulnerability detailed in its December advisory for CVE-2021-43890. With the protocol disabled, admins could see the download size for some app packages grow, and it creates an obstacle for enterprises that distribute apps directly from a web page rather than, say, through the Microsoft Store.

    “We are actively working to address this vulnerability,” Microsoft says in the blog post. “For now, we have disabled the ms-appinstaller scheme (protocol). This means that App Installer will not be able to install an app directly from a web server. Instead, users will need to first download the app to their device, and then install the package with App Installer. This may increase the download size for some packages.”

    As Microsoft explains, MSIX brings a “modern packaging experience” to legacy Windows apps. “The MSIX package format preserves the functionality of existing app packages and/or install files in addition to enabling new, modern packaging and deployment features to Win32, WPF, and Windows Forms apps,” Microsoft notes.

    Microsoft has also updated its page for installing Windows 10 apps from a web page to reflect ms-appinstaller being disabled.

    Microsoft has a few workarounds in mind until it is able to re-enable the protocol, including “looking into introducing a Group Policy that would allow IT administrators to re-enable the protocol and control usage of it within their organizations.” But it notes: “We recognize that this feature is critical for many enterprise organizations. We are taking the time to conduct thorough testing to ensure that re-enabling the protocol can be done in a secure manner.”

    Ransomware gangs are changing their tactics. That could prove very expensive for some victims

    The cost and risk of executing ransomware attacks is going up, making it harder for cyber criminals to carry them out, which could lead to a decline in the overall number of ransomware attacks. But that could mean some ransomware victims end up paying a heavier price.

    Ransomware is still running rampant, with several major incidents in the last week alone, but according to analysis by cybersecurity company Coveware, there are signs that recent changes could reduce the total number of ransomware attacks. But while the number of attacks could fall, there is the possibility that the ransom demands made by successful ransomware groups could rise.

    The Biden administration’s executive orders across US government agencies, the Colonial Pipeline attack bringing ransomware to the forefront of CEOs’ minds, and moves by cyber insurance providers to require improved cybersecurity protocols before a policy is taken out or renewed are all developments that are likely to have improved the cybersecurity of enterprises, making them more robust against attacks.

    But it is the rise in arrests relating to involvement in ransomware attacks that is cited as the biggest change to the ransomware landscape, with the arrest of several suspected REvil ransomware affiliates in Russia described as the most notable. According to Coveware, this move has increased the risk profile of being involved with ransomware attacks, and thus shrinks the pool of cyber criminals, because some will decide the potential for being arrested and extradited isn’t worth the risk – to the extent that some are quitting.

    “The cost and risk of executing ransomware attacks are up, and if this trend continues, we expect to see the aggregate volume of attacks begin to decrease,” said researchers. However, while a decrease in the number of attacks would be a positive overall, it could potentially come with an unwelcome side effect – the cost of ransom demands going up, particularly for less high-profile victims.

    According to Coveware, the average ransom payment during the final three months of 2021 was $322,168, more than double the figure of the previous quarter. This rise follows what researchers describe as a “tactical shift” towards targeting companies which are large enough to pay significant ransom amounts but small enough that the attackers don’t have to spend a lot of time and effort preparing and launching the attack.

    Researchers warn that this shift in tactics is likely to continue, citing an interview with a LockBit ransomware affiliate as detailing the mindset behind the change. “You can hit the jackpot once, but provoke such a geopolitical conflict that you will be quickly found. It is better to quietly receive stable small sums from mid-sized companies,” they said.

    FBI: Watch out for LockBit 2.0 ransomware, here's how to reduce the risk to your network

    The Federal Bureau of Investigation (FBI) has published a fresh warning about LockBit 2.0, recommending that companies enable multi-factor authentication (MFA) and use strong, unique passwords for all admin and high-value accounts to thwart the strain of ransomware that is used by one of the busiest attack groups on the internet today.

    MFA is vital to protecting against compromised user and admin passwords, but Microsoft has found that 78% of organizations using Azure Active Directory don’t enable MFA.

    LockBit 2.0 targets Windows PCs and now Linux servers too, via bugs in VMware’s ESXi virtual machines, and has hit tech consulting and services giant Accenture and France’s Ministry of Justice among others.

    LockBit’s operators use any method available to compromise a network, as long as it works. These include, but are not limited to, buying access to an already compromised network from “access brokers”, exploiting unpatched software bugs, and even paying for insider access, as well as using exploits for previously unknown zero-day flaws, according to the FBI’s report.

    The group’s techniques continue to evolve. The FBI says LockBit’s operators have started advertising for insiders at a target company to help them establish initial access into the network. Insiders were promised a cut of the proceeds from a successful attack. A month earlier it began automatically encrypting devices across Windows domains by abusing group policies in Active Directory.

    After compromising a network, LockBit uses penetration-testing tools like Mimikatz to escalate privileges and multiple tools to exfiltrate data (to threaten victims with a leak if they don’t pay) before encrypting files. LockBit always leaves a ransom note with instructions for how to obtain the decryption key.

    Like other Russia-based ransomware operations, LockBit 2.0 determines the system and user language settings and excludes an organisation from attack if the language is one of 13 Eastern European languages. The FBI lists the language codes in LockBit 2.0 as at February 2022 – such as 2092 for Azeri/Cyrillic and 1067 for Armenian – that cause it not to activate. “If an Eastern European language is detected, the program exits without infection,” the FBI notes.

    LockBit 2.0 identifies and collects an infected device’s hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices. It then attempts to encrypt data saved to any local or remote device but skips files associated with core system functions, according to the FBI. After this, it deletes itself from the disk and creates persistence at startup.

    Besides requiring strong, unique passwords and MFA for webmail, VPNs and accounts for critical systems, the FBI also recommends a series of mitigations, including keeping operating systems and software up to date and removing unnecessary access to administrative shares. It also recommends using a host-based firewall and enabling “protected files” in Windows, referring to Microsoft’s controlled folder access.

    It also recommends that companies segment their networks, investigate any abnormal activity, implement time-based access for accounts set at the admin level and higher, disable command-line and scripting activities and permissions, and, of course, maintain offline backups of data.

    Microsoft: These hackers are targeting emergency response and security organizations in Ukraine

    Microsoft has detailed recent hacking activity by cyber actors, most likely aligned with the Russian Federal Security Service (FSB), who have targeted the Ukrainian government, security agencies and aid organizations. Microsoft says the hacking group, which it calls Actinium, has “targeted or compromised accounts” at Ukrainian emergency response organizations since October. Actinium hackers also targeted organizations that would coordinate international and humanitarian aid to Ukraine, it says in a new report.

    “Since October 2021, Actinium has targeted or compromised accounts at organizations critical to emergency response and ensuring the security of Ukrainian territory, as well as organizations that would be involved in coordinating the distribution of international and humanitarian aid to Ukraine in a crisis,” Microsoft said.

    The Security Service of Ukraine (SSU), which heads up Ukraine’s counter-intelligence efforts, calls the group Armageddon. The SSU has traced the group’s earliest activity to at least 2014 and says it focuses on intelligence gathering in Crimea, largely through phishing and malware. Armageddon is known for crude but brazen cyberattacks aimed at gathering intel from Ukrainian security, defense and law enforcement agencies. Microsoft prioritized its report on Actinium’s recent activity as concerns mount over Russia’s apparent preparations to invade Ukraine.

    While perhaps not that sophisticated or stealthy, the group’s tactics are constantly evolving and do prioritize anti-malware evasion, according to Microsoft. It uses a range of targeted “spear-phishing” emails that employ remote document templates and remote macro scripts to infect only selected targets while minimizing the chance of detection by attachment-scanning anti-malware systems.

    “Delivery using remote template injection ensures that malicious content is only loaded when required (for example, when the user opens the document),” says Microsoft’s Threat Intelligence Center (MSTIC). “This helps attackers to evade static detections, for example, by systems that scan attachments for malicious content. Having the malicious macro hosted remotely also allows an attacker to control when and how the malicious component is delivered, further evading detection by preventing automated systems from obtaining and analyzing the malicious component.”

    The group also employs ‘web bugs’ that allow the sender to track when a message has been opened and rendered. Lure documents include ones impersonating the World Health Organization containing updates about COVID-19. The phishing attachments contain a payload that executes secondary payloads on a compromised device. It uses a range of ‘staging’ scripts such as heavily obfuscated VBScripts, obfuscated PowerShell commands, self-extracting archives, and LNK files, backed up by curiously named scheduled tasks in scripts to maintain persistence. Over a one-month period, Microsoft saw Actinium using over 25 unique domains and over 80 unique IP addresses to support payload staging and its command and control (C2) infrastructure, indicating that it often modifies its infrastructure to frustrate investigations. Most of its DNS records for the domains also change once a day, with the domains registered through the legitimate registrar REG.RU.

    Microsoft confirmed it has observed the group using Pterodo malware to gain interactive access to target networks. In some cases, it also used the legitimate UltraVNC program for interactive connections to a target. Actinium’s other key piece of malware is QuietSieve, used for exfiltration of data from the compromised host, and to receive and execute a remote payload from the operator. Microsoft notes that Actinium rapidly develops a range of payloads with lightweight capabilities via obfuscated scripts that are used to deploy more advanced malware at a later stage. Agile development of these scripts, which Microsoft describes as “fast-moving targets with a high degree of variance”, helps evade antivirus detection. Examples of these downloaders include DinoTrain, DilongTrash, Obfuberry, PowerPunch, DessertDown, and Obfumerry.

    US, European and UK cybersecurity officials urged all organizations to shore up defenses following Microsoft’s warning in January that it had discovered destructive wiper malware on several Ukrainian systems.

    Modified AirTags pose major privacy concerns, especially for Android users

    Apple AirTags are great. Attach one to an item you want to keep track of, and that’s then one less thing to worry about.

    I love AirTags. But they can be abused. Or, more specifically, they can be used to abuse people.

    AirTags are small and can easily be tucked into a bag, coat pocket, or car by people with bad intentions. And Apple knows this.

    Apple has taken a few steps to keep users safe. iPhones running the latest iOS software will warn users if a tag that’s not registered to them is traveling with them. Tags will occasionally emit a weak beep. There’s an app that Android users can download to scan for errant tags that they might have “acquired” from others (this app is far from being great, however, in my experience).

    But now there’s another threat facing people: third-party modified AirTags. And no, I won’t be providing links.

    I’ve come across a range of ways AirTags have been modified, from the speaker being disabled to AirTags being dismantled and put into different cases. Some of the modified AirTags look deceptively like regular AirTags, while others look nothing like them.

    First off, let me say that I don’t believe that modifying an AirTag is wrong, and I can see reasons why people might want an AirTag in a different shape or with the speaker disabled. But these create an increased risk of surreptitious tracking for people.

    AirTags that don’t beep — and let’s be honest that the beep from an AirTag is pretty weak at best — will go unnoticed by Android users not actively scanning for them. Without the beep, it might be challenging for even iPhone users to find.

    I believe that Apple needs to do more to protect users. Here are some steps the company could take:

    • Make AirTags harder to modify, perhaps by filling them with epoxy or building them with tamper-proofing in mind.
    • Work with Google to bring comprehensive tag tracking to both iOS and Android (much like both companies worked together to build a COVID framework for contact tracing).
    • Introduce a way for users to report tags that might be being misused. How do you prevent this feature from being misused? That will require some thought.

    Bottom line, Apple and the rest of Big Tech need to do better. How simple it is to plant an AirTag on someone, how difficult they can be to find, how poor the Android app is, and how easy they are to modify are just the beginning of things that need to be addressed.

    What should you do if you find a tag tracking you? My advice would be to remove the battery and decide whether you’re going to go to the police or not. With the battery out, the tag is harmless; it gives you some time to think about what you want to do next.

    And if you’re someone planning to use an AirTag or similar device to track someone, be aware that you could be breaking any number of laws.

    PJCIS concerned TSSR's 'do your best' requirements are not enough anymore

    The Parliamentary Joint Committee on Intelligence and Security (PJCIS) is looking to formalise the relationship between government and the nation’s telco providers, as it says reliance on the current voluntary processes is insufficient. As it currently stands, under the Telecommunications Sector Security Reforms (TSSR), carriers need to “do their best” to protect their networks from unauthorised access or interference for the purpose of security, with carriers to notify the government of any changes to their services, systems, or equipment that could have a “material adverse effect” on their ability to comply with this duty. Although the committee said in its report that the highly regulated telcos are in a better position to handle security obligations from the critical infrastructure framework, formalisation was needed.

    “The regulatory concept of providers ‘doing their best’ to secure their networks in the national interest has served the Telco Act and the TSSR up until now, but the committee cannot be assured that a reliance on industry alone to counter threats is sustainable, nor that the Telco Act as a whole can continue to uphold the security requirements for the industry,” the report said.

    The main result of the TSSR thus far has been the banning of Huawei from 5G deployments in Australia, which the committee said showed the government was able to step in when needed, but this only occurred when a threat was “overwhelmingly evident”.

    “In considering the evidence provided, the committee formed the view that, in many instances, the onus was on industry to carry the burden of information sharing and communication with government — in part due to the TSSR regime’s inherent reliance on voluntary engagement. While there are certainly circumstances of these arrangements being adequate, it is the committee’s view that it is insufficient to rely on voluntary practices, and dialogue, notifications, threat and information sharing between industry and government should be formalised,” it said.

    To boost these efforts, the PJCIS has recommended the Department of Infrastructure, Transport, Regional Development and Communications work with the Cyber and Infrastructure Security Centre within Home Affairs to determine “industry best practice risk identification, management, and mitigation”.

    In an attempt to prevent telcos from having different interpretations of when notifications are needed — as demonstrated by Optus making up over half of all notifications — the committee wants a telecommunications security working group created that consists of representatives from the Communications department, Home Affairs, the telcos, the Australian Security Intelligence Organisation, and the Australian Signals Directorate.

    “This working group could set agreed standards and best practice principles to inform the work of the Cyber and Infrastructure Security Centre’s advice and resources,” the committee said. “The Committee recommends that the working group … be tasked with scoping agreed carrier licence conditions, service provider rules, and codes and standards for security of networks and systems. These can then be used to guide the resources to be produced by that group and inform directions or information gathering powers exercisable by the Minister for Home Affairs under the existing provisions of Part 14 of the Telecommunications Act 1997.”

    The working group would also be consulted on any duplicate obligations that arise from the interaction of the TSSR and the amended Security of Critical Infrastructure Act 2018 (SOCI Act) prior to any activation of obligations. “If agreed, and once activated, the duplicated obligations or other mechanisms in Part 14 of the Telecommunications Act 1997 should be repealed, or deactivated by relevant mechanisms, so as to avoid regulatory duplication on telecommunications entities,” the report said.

    In its report, the committee said that, as it conducted its review, it became clear the review had “significant crossovers” with the critical infrastructure review that was simultaneously taking place. “Calls for repeal of the TSSR or deactivation of duplicated obligations are reasonable from those affected, but the committee does not want to recommend repeal of any mechanisms that are in place and working to secure telecommunications in Australia. The importance of the sector to the nation is too strong to act in such a way without full consideration,” it said. “The committee trusts the assertions from government that any potential SOCI obligations will only be ‘switched on’ if the existing TSSR obligations are assessed as being unsuitable. However, the committee believes that this decision should be made in consultation with the potentially affected entities and is recommending that that occur through the working group.”

    Additionally, the committee recommended the Telco Act be amended to state that security is an object of the Act, and that a “dedicated telecommunications security threat sharing forum” be created to allow ASIO and ASD to brief the telcos on threats to “the maximum classified level possible”. Although Huawei filed a submission to the review claiming Australia was isolating itself from “world’s best technology and innovation”, the Chinese tech giant declined an invitation to appear before the committee.

    FCC gets $5.6 billion in requests to access $1.9 billion pot for ripping out Huawei and ZTE

    The US Federal Communications Commission (FCC) said on Friday it has seen a “robust” response to its Secure and Trusted Communications Networks Reimbursement Program. Under the program, carriers that have under 10 million customers, as well as some schools, libraries, and healthcare providers, are able to access funds to rip out and replace network equipment and services from Huawei and ZTE, if they provide broadband services. For the purpose of the program, equipment would need to be capable of speeds above 200kbps in either direction. The fund was established with a pot of $1.9 billion, but the FCC has received requests amounting to $5.6 billion.

    “We’ve received over 181 applications from carriers who have developed plans to remove and replace equipment in their networks that pose a national security threat,” FCC chair Jessica Rosenworcel told Congress. “While we have more work to do to review these applications, I look forward to working with Congress to ensure that there is enough funding available for this program to advance Congress’s security goals and ensure that the US will continue to lead the way on 5G security.”

    Previously, the FCC said that in cases involving older networks, replacing like-for-like may not be possible, and instances such as ripping out an older mobile network to be replaced by LTE or 5G-ready equipment would be allowed. Those receiving the funds will not be able to replace microwave backhaul or fixed wireless links with fibre links, however. Additionally, applicants would be able to claim vendor travel expenses and salary costs of internal employees dedicated purely to the replacement program.

    The fund was first proposed in 2019, with the FCC officially designating Huawei and ZTE as national security threats in July 2020. Last month, the FCC removed the ability for China Unicom to operate in the US for national security reasons. “[China Unicom] is subject to exploitation, influence, and control by the Chinese government and is highly likely to be forced to comply with Chinese government requests without sufficient legal procedures subject to independent judicial oversight,” the commission said.

    $4.4 million stolen in attack on blockchain infrastructure Meter

    Blockchain infrastructure company Meter said $4.4 million was stolen during a cyberattack on the platform that started at around 9 am ET on Saturday morning.

    The company said it manages an infrastructure that allows smart contracts to scale and travel through heterogeneous blockchain networks. The Meter network as well as the Moonriver network were affected by the hack. Blockchain research company PeckShield confirmed that 1391 ETH and 2.74 BTC were stolen during the incident.

    Around 2 pm ET on Saturday, the company said it was hacked and urged users not to trade unbacked meterBNB circulating on Moonriver. “We have identified the issue: Passport has a feature to automatically wrap and unwrap gas tokens like ETH and BNB for user convenience. However, the contract did not block direct interaction of the wrapped ERC20 tokens for the native gas token and did not properly transfer and verify the correct number of WETH transferred from the callers’ address. We are working on compensating funds to all affected users,” the company explained.

    By 6 pm, Meter wrote that it had stopped all bridge transactions and discovered that the issue related to a bug “introduced in the automatic wrap and wrap of native tokens like BNB and ETH extended by the Meter team.” According to Meter, its extended code “had a wrong trust assumption” that let the hacker fake BNB and ETH transfers by “calling the underlying ERC20 deposit function.”

    The company is working with authorities and said it found “some early traces of the hacker,” urging the culprit to return the stolen money. Compensation plans are allegedly being created for the users who held WETH and BNB as well as the “liquidity providers.” “We urge all the liquidity providers that provide liquidity involving WETH and BNB to remove liquidity from the pool and wait for an additional announcement from the Meter team. Please try to avoid trading in these pairs as well,” the company explained.

    “We are working on taking a snapshot from before the attack & will convert the original BNB & WETH 1:1 to their values in MTRG; the rest of the inflated BNB & WETH will be converted based on the hacker stolen value from the LP pools. We’ve set aside $4.4M of MTRG based on today’s price.” – Meter.io (@Meter_IO), February 5, 2022

    On Wednesday, $324 million was stolen through the popular decentralized cross-chain message passing protocol Wormhole. Researchers found evidence of an 80,000 ETH transfer from Wormhole as well as another 40,000 ETH being sold by the hacker on Solana. Wormhole has offered $10 million to the hacker for the return of the funds and offered the same amount to anyone who can provide information “leading to the arrest and conviction of those responsible for the hack.”

    Just five days before the Wormhole incident, DeFi protocol Qubit Finance took to Twitter to beg hackers to return more than $80 million that was stolen from it. The recent hacks continue a run of attacks on DeFi and blockchain platforms that have occurred over the last year. Chainalysis said at least $2.2 billion was outright stolen from DeFi protocols in 2021. Poly Network saw $611 million stolen from its platform in August, while Bitmart lost $196 million in early December.