More stories


    Singapore urges shared responsibility in preventing online scams as it readies liability framework

    Victims of online scams should not assume they will be able to recover their losses, warns Singapore’s financial services regulator, while urging the need for shared responsibility. The country is preparing to release a framework detailing how losses from online scams will be shared.  The Monetary Authority of Singapore (MAS) said it would publish the framework for public consultation within the next three months, adding that it would encompass responsibilities of other key parties in the ecosystem.  The industry regulator said in a statement Friday that the framework would operate on the basis that all parties had responsibilities to be vigilant and take precautions against scams.  Financial institutions must safeguard their customers, such as through implementing “robust controls” to protect customer accounts and “effective measures” to detect and respond to suspicious transactions. 

    “Customers have the responsibility to take necessary precautions, especially by never giving away personal or banking credentials to anyone, never clicking on links in SMS or email [messages] which are claimed to be sent by a bank, and transacting only through the bank’s official website or mobile application,” MAS said.  The framework, in the works since last July, aims to provide clarity on liabilities and how losses from fraudulent e-payment transactions should be shared amongst consumers and financial institutions. It currently is being developed by the Payments Council, which is chaired by MAS and comprises major providers and user groups of Singapore’s payment services. According to MAS, the proportion of losses each party should bear would depend on whether and how the party fell short of its responsibilities. 

    The industry regulator noted that financial institutions were expected to treat customers “fairly” and bear an “appropriate portion” of losses resulting from scams. However, it stressed that care also should be taken to ensure compensation paid to customers did not dilute the incentive for vigilance. In particular, MAS pointed to recent payouts made to victims of the OCBC Bank phishing scams, covering the full amounts lost to scammers. Describing the move as a “one-off gesture”, the regulator said OCBC had done so in consideration of the circumstances, which included the bank’s acknowledgment that it failed to meet its own expectations of customer service and response. “They do not set a general precedent for future cases,” MAS said of the payouts.

    The scams had involved 790 OCBC customers and resulted in losses totalling SG$13.7 million ($10.18 million), of which 80% occurred between December 23 and December 30 last year. Calls made to the bank’s contact centre during that week climbed by more than 40%, according to OCBC. In these phishing scams, which first surfaced December 1, scammers manipulated SMS Sender ID details to push out messages that appeared to be from OCBC. These SMS messages prompted the victims to resolve issues with their accounts, redirecting them to phishing websites and instructing them to key in their bank login details, including username, PIN, and One-Time Password (OTP). Because OCBC’s legitimate Sender ID was successfully cloned and spoofed, these messages appeared in the same thread as previous alerts or notifications from the bank, leading victims to believe they were legitimate. In its statement released January 30, OCBC noted that victims had provided their online banking login credentials and one-time PINs to phishing websites. This enabled the scammers to hijack their bank accounts and make fraudulent transactions, it said.

    “Nonetheless, OCBC decided to make the full payout as a one-off gesture of goodwill given the circumstances of this scam,” the bank said. “We also took into consideration that our customer service and response fell short of our own expectations, which could have affected loss mitigation in some of the cases.”

    In an earlier statement posted December 30 last year, OCBC had said customers were “the first line of defence” against such scams and that once funds were moved from their account, the possibility of recovery was “very low”. The bank added that it had issued its first advisory on December 23, warning the public about the scams and cautioning customers against clicking on links embedded in the SMS messages.

    The scams prompted MAS to mandate new security measures last month that, amongst others, required banks to remove hyperlinks from email or SMS messages sent to consumers and implement a 12-hour delay in activating mobile software tokens. In its statement Friday, the regulator reiterated that it was reviewing longer-term measures to be rolled out in the coming months. It also called on consumers to exercise greater vigilance and adopt digital safety practices, including keeping their devices updated with the latest security patches and antivirus software as well as monitoring transaction notifications from their banks.


    Airport services firm Swissport reports ransomware incident

    Swiss airport management service Swissport reported a ransomware attack affecting its IT systems on Friday. The company said the attack targeted its IT infrastructure; the group behind it was not named. “The attack has been largely contained, and we are working actively to fully resolve the issue as quickly as possible. Swissport regrets any impact the incidence has had on our service delivery,” Swissport said.

    ⚠️ A part of #Swissport’s IT infrastructure was subject to a ransomware attack. The attack has been largely contained, and we are working actively to fully resolve the issue as quickly as possible. Swissport regrets any impact the incidence has had on our service delivery. — Swissport (@swissportNews) February 4, 2022

    A spokesperson for the National Cyber Security Centre in Switzerland told ZDNet that they are in contact with Swissport but could not provide more information. The company’s website is currently down. Headquartered in Opfikon, Switzerland, the company manages airport ground and cargo handling services. Der Spiegel reported that 22 flights were delayed about 20 minutes due to the attack. The company told the newspaper that there would be some delays but that it would continue providing ground services at Zurich Airport and 306 other locations. 

    The attack caps a week of ransomware attacks and cybersecurity incidents affecting European oil and transportation services. A cyberattack on two German oil suppliers forced energy giant Shell to reroute oil supplies to other depots. The German Federal Office for Information Security (BSI) said the BlackCat ransomware group was behind the incident, which affected 233 gas stations across Germany.

    On Thursday, multiple ports in Belgium and the Netherlands reported issues after a cyberattack affecting IT services. Terminals operated by SEA-Tank, Oiltanking, and Evos in Antwerp, Ghent, Amsterdam, and Terneuzen are all dealing with issues related to their operational systems. In a statement to ZDNet, Oiltanking said it “declared force majeure” due to the attacks. A spokesperson from Evos told ZDNet that they are continuing to operate their terminals but are having some delays after the attack disrupted IT services at terminals in Terneuzen, Ghent, and Malta. Prosecutors in Antwerp have opened an investigation into the cyberattacks. Billion-dollar German logistics firm Hellmann Worldwide Logistics was also hit with ransomware in December.

    The Dutch Ministry of Justice and Security told ZDNet that news outlets making connections between the attacks in The Netherlands, Belgium, and Germany were incorrect. “Based on the information, the NCSC has seen the following: As far as currently known, it doesn’t seem to be a coordinated attack. Probably the attacks have been carried out with a criminal intent aimed at financial gain,” NCSC spokesperson Miral Scheffer said. “The NCSC will monitor the situation closely and take actions when necessary.”


    News Corp reports January cyberattack targeting Wall Street Journal, New York Post, Dow Jones

    News Corp has announced a cyberattack in its filings to the US Securities and Exchange Commission, explaining that the attack took place at some point in January. The Wall Street Journal, which is owned by News Corp, followed up on the filing with reporting that the attack was discovered on January 20. News Corp sent a letter about the attack to employees at the newspaper and at Dow Jones, the New York Post, the company’s UK news outlet and the News Corp headquarters. Mandiant vice president David Wong attributed the attack to actors allegedly based within China but did not provide any evidence for that assessment.

    News Corp explained in its SEC filing that network and information systems and other technologies, including those related to the company’s content delivery networks and network management, are important to its business activities and contain the company’s proprietary, confidential and sensitive business information, including personal data of its customers and personnel.

    “The Company also relies on third-party providers for certain technology and ‘cloud-based’ systems and services that support a variety of business operations. In January 2022, the Company discovered that one of these systems was the target of persistent cyberattack activity,” the company said. “Together with an outside cybersecurity firm, the Company is conducting an investigation into the circumstances of the activity to determine its nature, scope, duration and impacts. The Company’s preliminary analysis indicates that foreign government involvement may be associated with this activity, and that data was taken. To the Company’s knowledge, its systems housing customer and financial data were not affected. The Company is remediating the issue, and to date has not experienced any related interruptions to its business operations or systems. Based on its investigation to date, the Company believes the activity is contained. At this time, the Company is unable to estimate the expenses it will incur in connection with its investigation and remediation efforts.”

    News Corp is one of the most powerful news conglomerates in the world, controlling outlets in dozens of countries including the Sun, Barron’s, The Australian, The Times, MarketWatch and Realtor.com.

    In 2013, the Wall Street Journal was hacked alongside the New York Times by attackers allegedly from China following a controversial story about the wealth of former Premier Wen Jiabao.


    The Alpha and Omega of software supply chain security

    What is the Alpha-Omega Project? Its purpose is to “improve global open source software supply chain security by working with project maintainers to systematically look for new, as-yet-undiscovered vulnerabilities in open-source code” and then fix them. This is vital to improving open-source security. 


    To make this happen, the Linux Foundation’s partner group — Open Source Security Foundation (OpenSSF), Google, and Microsoft — are joining forces to work with security experts and use automated security testing to improve open-source security. Microsoft and Google are bringing an initial investment of $5 million to the Alpha-Omega Project.

    Software supply chain security has become essential. One major security problem after another — including the SolarWinds software supply chain attack, the Log4j vulnerability, and the npm bad code injection episode — can be traced back to software supply chain vulnerabilities. Hackers and national adversaries have made widely-deployed open-source projects their top targets. These days, when a new vulnerability is disclosed, it’s only a matter of hours until it’s exploited. For instance, the widely deployed Log4j library problems forced many organizations into crisis mode as they raced to update applications before they could be attacked.

    A separate part of the problem, as Jack Aboutboul, VP of Products at software supply chain security company CodeNotary, points out, is paying developers and maintainers for this work. He asks: “Did you hear about the Fortune 500 corporation that emailed an open-source maintainer to ‘Demand Answers’ about his software package, which they’ve never paid for, and which they’ve now realized is being used in their software? We did. And we didn’t think it was funny. This story showcases what is perhaps the most obvious truth about how the software supply chain can be secured – by paying maintainers. Any project or initiative, such as the one launched by OpenSSF, will never be complete and never fully actualized unless money is being earmarked to pay those maintainers of Omega software. Otherwise, the outcome will just be to identify more holes in a maintainer’s code which will cause them to work more hours, not less, for the same non-existent compensation.”

    The Alpha-Omega Project aims to skip all of this by finding open-source code vulnerabilities and fixing them before they can be targeted. I wish them luck.

    The Alpha…

    Alpha will work with the most critical open-source project maintainers. Specifically, Alpha will cover both standalone projects and core ecosystem services selected based on the work by the OpenSSF Securing Critical Projects working group. To do this, Alpha will use both expert opinions and data. This will include data from open-source security projects, such as the OpenSSF Criticality Score and Harvard’s “Census” analysis.

    For these selected projects, Alpha team members will provide tailored help to understand and address security gaps. This will include threat modeling, automated security testing, source code audits, and support remediating vulnerabilities that are discovered. Its best practices will be drawn in part from the OpenSSF Scorecard and Best Practices Badge criteria.

    …and the Omega

    The Omega side of the project will start by identifying at least 10,000 widely deployed open-source programs. Once that’s done, the project’s team will apply automated security analysis and scoring to the programs’ code. Finally, the Omega crew will follow up by giving remediation guidance to the maintainer communities. This is by no means easy. Omega will do this with automated methods and tools to identify critical security vulnerabilities. To make this happen, its developers will use a combination of technology (cloud-scale analysis), people (security analysts triaging findings), and process (confidentially reporting critical vulnerabilities to the programs’ stakeholders). Omega will use a dedicated team of software engineers, who will be continually working on reducing false-positive rates and identifying new vulnerabilities.

    Even with its own security team, as Eric Brewer, Google VP of Infrastructure and Fellow, pointed out, “The long tail of important open-source software, the ‘Omega’ of this endeavor, is always the hardest part—it will require not only considerable funding and perseverance, but its scale will also drive extensive automation for tracking and ideally fixing vulnerabilities. Enabling automation will be one of the greatest improvements for open source security.”

    “Open-source software is a vital component of critical infrastructure for modern society. Therefore we must take every measure necessary to keep it and our software supply chains secure,” said Brian Behlendorf, OpenSSF’s General Manager. “Alpha-Omega supports this effort in an open and transparent way by directly improving the security of open source projects through proactively finding, fixing, and preventing vulnerabilities.”

    If all goes well, Mark Russinovich, Microsoft Azure CTO, said, “Alpha-Omega will provide assurance and transparency for key open-source projects through direct engagement with maintainers and by using state-of-the-art security tools to detect and fix critical vulnerabilities. We look forward to collaborating with industry partners and the open-source community on this important initiative.”

    Questions remain

    But is this enough? Aboutboul doesn’t think so. Technically, Aboutboul is concerned that neither Alpha-Omega’s sigstore technology (particularly cosign and Rekor) nor its financial and personnel resources are up to the job. “First, cosign is based on certificates and keys – ancient technologies. What happens if you sign billions of artifacts with a certificate and then that certificate is now compromised? Will you go back and revoke the trust of all your assets? Furthermore, what if the actual trust root becomes compromised somehow? Serious questions to be asked and answered.”

    Aboutboul also worries that Rekor, which is meant as the project’s immutable, tamper-resistant ledger and functions as a transparency log of metadata about artifacts in a supply chain, isn’t good enough. That’s because “Rekor utilizes Google’s Trillian for its underlying append-only data structure and requires MySQL or MariaDB and Redis underneath. Ultimately, this leaves room for vulnerability. There are too many moving pieces at play here, and the more pieces means more pieces you need to trust, or actually shouldn’t need to trust.”

    Finally, on the technical side of things, Aboutboul notes that Rekor comes right out and says, “‘IMPORTANT: This instance is currently operated on a best-effort basis. We will take the log down and reset it with zero notice. We will improve the stability and publish SLOs over time.’ Yikes!”

    CodeNotary deals with these issues by relying on its own open-source immutable database, immudb. Why? CodeNotary eats its own dog food because “immudb is itself an immutable database and doesn’t rely on any external piece of infrastructure, there is no room for doubt, no room for risk. What goes into immudb is stored in immudb, in a tamper-proof and verifiable way.”

    Besides the technology, Aboutboul has two other important issues he thinks need to be addressed. First, “While $5 million sounds like a lot of money (and it is), it seems like a paltry sum to carry out this mission. The depth of penetration of open source into the global software supply chain is daunting. When you start to take a look at your potential Alpha projects, say, the Linux Kernel, etc. the effort there alone can potentially utilize almost all of that. How do you get to all your Omega projects then?”

    That said, Aboutboul agrees that Alpha-Omega is a good, major step forward. But Aboutboul makes several excellent points. In the end, the elephant in the room is money for developers and maintainers. Like it or not, we must make paying for open-source security a priority.


    Strong authentication protects against phishing. So why aren't more people using it?

    Almost every compromised Microsoft account lacks multi-factor authentication, but few organizations enable it even though it’s available, according to Microsoft. In Microsoft’s new Cyber Signals report, the company says that as of December 2021, just 22% of customers that use its cloud-based identity platform Azure Active Directory (AAD) have implemented “strong identity authentication”, which includes multi-factor authentication (MFA) and passwordless solutions, such as the Microsoft Authenticator app.

    MFA is one of the best defenses against remote phishing attacks, as logging in to an Office 365 account with a compromised password also requires that the attacker have physical access to a second factor, like the account owner’s smartphone. As Microsoft has previously highlighted, if you do have MFA enabled, you’re almost guaranteed to be protected. Last year it revealed that 99% of compromised Microsoft accounts did not have MFA enabled.

    One potential technical obstacle is that some organizations still have Office 365 “basic authentication” enabled, which doesn’t support MFA. Microsoft’s “modern authentication” enables MFA. Microsoft will disable basic authentication by default in October 2022 and would have done so last year were it not for the pandemic’s demands on remote access for employees.

    The Cyber Signals report also highlights the scale of the onslaught on account identities. Microsoft says it blocked tens of billions of phishing attempts and automated password-guessing attacks, such as password spraying, last year. The attacks were from state-sponsored actors, such as Nobelium, the group behind the SolarWinds software supply chain attack, and ransomware affiliates.
    “From January 2021 through December 2021, we’ve blocked more than 25.6 billion Azure AD brute force authentication attacks and intercepted 35.7 billion phishing emails with Microsoft Defender for Office 365,” notes Vasu Jakkal, Corporate Vice President, Security, Compliance and Identity, in a blog post.

    Clearly, however, some phishing emails and attacks still get through, and that means the 78% of AAD customers without strong authentication are exposed to breaches that almost no customers with MFA enabled are. The Cyber Signals report offers a snapshot of these threats in 2021 as well as some context on which threat actors are employing these attack techniques. As the report notes, “ransomware thrives on default or compromised credentials”. Microsoft recommends enabling MFA on all end user accounts and prioritizing it for executive, administrator and other privileged accounts.


    More companies are using multi-factor authentication. Hackers are looking for a way to beat it

    Phishing attacks are evolving in order to help hackers bypass multi-factor authentication (MFA) protections designed to stop cyber criminals from exploiting stolen usernames and passwords for accounts. The use of multi-factor authentication, which needs the user to enter a code or sign in to an additional app in order to log in to their account, has grown in recent years, as it’s commonly seen as one of the simplest tools that organisations and individuals can deploy across accounts in order to help keep them secure.


    But while this has made conducting attacks harder for cyber criminals, that isn’t putting them off – and cybersecurity researchers at Proofpoint have detailed how there’s been a rise in phishing kits designed to bypass MFA. Phishing kits have long been a popular tool among cyber criminals, allowing them to harvest credentials and use them – in many cases, they’re available on the open web and only cost a few dollars, fuelling large numbers of attacks. Now phishing kits are evolving, boasting tools and techniques that allow cyber criminals to bypass or steal multi-factor authentication tokens. These range from relatively simple open-source kits to sophisticated kits that come with several layers of obfuscation and modules that allow attackers to steal usernames, passwords, MFA tokens, social security numbers, credit card numbers, and more. One technique gaining popularity is the use of kits built around reverse proxies. Rather than relying on recreating a target website, as phishing usually might, these kits instead take advantage of reverse proxy servers – applications that sit between the internet and the web server in order to help services run smoothly – so that the victim interacts with the real site through the attacker’s server.

    By exploiting this situation with phishing kits, attackers can not only steal usernames and passwords, but also session cookies, enabling access to the targeted account. While these particular phishing kits are currently uncommon – even though some have existed in one way or another for years – Proofpoint researchers warn that it’s likely there will be greater adoption of these techniques as MFA forces cyber criminals to adapt. “They are easy to deploy, free to use, and have proven effective at evading detection. The industry needs to prepare to deal with blind spots like these before they can evolve in new unexpected directions,” warned researchers.


    Russian APT Primitive Bear attacks Western government department in Ukraine through job hunt

    A sophisticated cybercriminal group hailing from Russia has been caught trying to attack a Western government outfit located in Ukraine.

    At a time when tensions between Russia and Ukraine are high, with world leaders concerned that the former is intending to invade, there is already digital warfare at hand. In recent weeks, Ukraine has been subject to defacement and tampering of numerous government-run websites, Microsoft’s Threat Intelligence Center (MSTIC) has warned that destructive malware is being used in assaults against Ukrainian organizations, and the US Treasury Department has sanctioned Ukrainian nationals for allegedly trying to help create “instability” ahead of a potential invasion. The UK’s National Cyber Security Centre (NCSC) is also urging organizations to ramp up their defenses in light of recent cyberattacks against Ukraine.

    Now, researchers from Palo Alto Networks have uncovered ongoing activity against Ukraine performed by Primitive Bear/Gamaredon, an advanced persistent threat (APT) group of Russian origin. The team says that while there is no evidence that Primitive Bear is responsible for any of the recent, publicized attacks, as “one of the most active existing advanced persistent threats targeting Ukraine, we anticipate we will see additional malicious cyber activities over the coming weeks as the conflict evolves.”

    Since 2013, before Russia annexed Crimea, Primitive Bear has been focused on attacks against Ukrainian government officials and organizations in the country. Palo Alto’s Unit 42 has been tracking the APT ever since and has now mapped out three clusters used in campaigns that link to over 700 malicious domains, 215 IP addresses, and a toolkit of over 100 malware samples.

    On January 19, Primitive Bear tried to attack the networks of an unnamed “Western government entity” in Ukraine. The initial attack vector is an interesting one: rather than sending a typical phishing email, the attackers searched for an active job listing at the department and uploaded a malicious downloader within a resume. “Given the steps and precision delivery involved in this campaign, it appears this may have been a specific, deliberate attempt by Primitive Bear/Gamaredon to compromise this Western government organization,” the researchers note.

    There is also evidence that Primitive Bear has targeted the State Migration Service of Ukraine with phishing emails. As disclosed by CERT Estonia, the APT has used malicious macros in .docx/.dot template attachments to execute wiper malware in the past. “As international tensions surrounding Ukraine remain unresolved, Gamaredon’s operations are likely to continue to focus on Russian interests in the region,” Palo Alto says. “While we have mapped out three large clusters of currently active Gamaredon infrastructure, we believe there is more that remains undiscovered.”


    Operation EmailThief: Zero-day XSS vulnerability in Zimbra email platform revealed

    Researchers have uncovered an active campaign exploiting a zero-day vulnerability in the Zimbra email platform. 

    Zimbra is an email platform available under an open source license. According to the developer, the platform supports hundreds of millions of mailboxes located in 140 countries. On February 3, cybersecurity researchers from Volexity, Steven Adair and Thomas Lancaster, said a threat group tracked as TEMP_Heretic is exploiting the system in a series of spear phishing email attacks. In a security advisory, Volexity said the campaign, dubbed “Operation EmailThief,” was first discovered in December 2021 and is likely the work of Chinese cybercriminals.

    According to the team, TEMP_Heretic is careful in its selection of potential victims. The threat actor will first perform reconnaissance and will use tracker-embedded emails to see if an address was valid and if a target would even open emails in the first place — and if so, the second stage of the attack chain triggers. In total, 74 unique Microsoft Outlook email addresses have been used to send the preliminary emails, which contain generic images and subjects, including invitations, alerts, and airline ticket refunds.

    TEMP_Heretic will then send tailored phishing emails containing a malicious link. The more targeted themes of subsequent emails related to interview requests from news organizations, including the AFP and BBC, as well as invitations to charity dinners. Other phishing email samples collected were more generic and contained holiday greetings. 
    The victim would need to be logged into the Zimbra webmail client from a web browser when they opened the malicious link for the exploit to be successful — but according to Volexity, the link itself could be launched from other apps, such as Outlook or Thunderbird.

    The cross-site scripting (XSS) vulnerability allows attackers to run arbitrary JavaScript in the context of the Zimbra session, leading to the theft of mail data, attachments, and cookies. In addition, cybercriminals could leverage a compromised email account to send further phishing emails or to launch prompts for the victim to download additional malware payloads. TEMP_Heretic has previously been linked to campaigns targeting European government and media organizations.

    “At the time of writing, this exploit has no available patch, nor has it been assigned a CVE (i.e., this is a zero-day vulnerability),” the researchers say. “Volexity can confirm and has tested that the most recent versions of Zimbra — 8.8.15 P29 & P30 — remain vulnerable; testing of version 9.0.0 indicates it is likely unaffected.”

    Volexity notified Zimbra of the exploit attempt on December 16 and provided proof-of-concept (PoC) code. Zimbra acknowledged the report on December 28 and confirmed to the cybersecurity team that the exploit was valid. After requesting details of a patch in January but having received no response, Volexity then made its findings public this month. However, users who have upgraded to the latest version of the webmail client are unlikely to be at risk. “Users of Zimbra should consider upgrading to version 9.0.0, as there is currently no secure version of 8.8.15,” the researchers say. ZDNet has reached out to Zimbra, and we will update when we hear back.