More stories

  • BlackCat ransomware targeting US, European retail, construction and transportation orgs

    Palo Alto Networks’ Unit 42 released a deep-dive into the BlackCat ransomware, which emerged in mid-November 2021 as an innovative ransomware-as-a-service (RaaS) group leveraging the Rust programming language and offering affiliates 80-90% of ransom payments.

    In December, the ransomware family, also known as ALPHV, racked up at least 10 victims, giving it the seventh-largest number of victims listed on a leak site among the ransomware groups tracked by Unit 42. Doel Santos, threat intelligence analyst with Unit 42, told ZDNet the group has already attacked a wide range of industries, including construction and engineering, retail, transportation, commercial services, insurance, machinery, professional services, telecommunications, auto components and pharmaceuticals. Last week, Italian fashion brand Moncler was revealed to be a BlackCat victim from December.

    In addition to being written in Russian and coded in the Rust programming language, the malware stood out to Santos for a number of other reasons. “What makes BlackCat stand out is the use of their private access-key token. Most of the groups we have looked at in the past include a direct link and the keys embedded in the samples, which makes it easy to look at and confirm the ransomware victims,” Santos said.

    “BlackCat ransomware samples don’t include the keys. Instead, they need to be submitted by the operator. Without it, there is no way for an external entity to get access to their negotiation site or identify the victim unless they have an exact copy of a ransom note with the exact key used for executing the ransomware.”

    Unit 42 noted that the affiliates of the group have “taken an aggressive approach to naming and shaming victims, listing more than a dozen on their leak site in a little over a month.” “The largest number of the group’s victims so far are US organizations, but BlackCat and its affiliates have also attacked organizations in Europe, the Philippines and other locations,” the report noted.

    “Use of BlackCat ransomware has grown quickly for a variety of reasons (for comparison, AvosLocker had only listed a handful of victims publicly within two months of becoming known). Effective marketing to affiliates is a likely factor. In addition to offering an enticing share of ransom payments, the group has solicited affiliates by posting ads on forums such as Ransomware Anonymous Market Place (RAMP),” the report added. “Though this is not the first piece of malware to use Rust, it is one of the first, if not the first, piece of ransomware to use it. By leveraging this programming language, the malware authors can easily compile it against various operating system architectures. Given its numerous native options, Rust is highly customizable, which facilitates the ability to pivot and individualize attacks.”

    The group also extorts victims by stealing their data before deploying the ransomware, threatening to leak the data and launch distributed denial-of-service (DDoS) attacks. BlackCat has been seen targeting both Windows and Linux systems, according to Unit 42, which added that it has observed affiliates asking for ransom amounts of up to $14 million. In some instances, affiliates have offered discounts of $9 million if the ransom is paid before the established time. They allow ransom to be paid in Bitcoin and Monero.

    “In some cases, BlackCat operators use the chat to threaten the victim, claiming they will perform a DDoS attack on the victims’ infrastructure if the ransom is not paid. When it appears in addition to the use of a leak site, this practice is known as triple extortion, a tactic that was observed being used by groups like Avaddon and Suncrypt in the past,” Unit 42 explained. “One unique feature of BlackCat ransomware is that negotiation chats can only be accessed by those holding an access token key or ransom note — the group has made efforts to avoid third-party snooping.”

    Recorded Future ransomware expert Allan Liska said that, based on a couple of factors, including the use of the Rust programming language, BlackCat/ALPHV appears to be a well-resourced group. Liska said the fact that the group started with ransomware variants targeting Windows, Linux and ESXi systems “shows a level of sophistication.”

    “They have quickly become one of the top tier ransomware groups. This is credited, in part, to the fact that their RaaS offering is very aggressive, offering affiliates 80%-90% of ransom paid, an unusually high percentage. Despite some early success, not every affiliate has been impressed, as this very negative review shows,” Liska said, sharing a screenshot of an affiliate who complained about being banned by BlackCat for targeting an organization in Turkmenistan. While Turkmenistan is not in the CIS, it does have close ties to Russia.

    “Their public targets have been larger organizations, and they appear to be very aggressive when dealing with negotiators and their affiliates (e.g. a ban from the affiliate program after 2 weeks of inactivity). We’ll see whether their penchant for being overbearing outweighs the attractive percentages they are offering,” Liska added.

  • Silkworm security? Researchers create new authentication method using silk fibers

    Researchers have developed a novel way to potentially improve digital security — using silk as a security key. 

    The proposal is the work of the South Korean Gwangju Institute of Science and Technology (GIST). In a paper, “Revisiting silk: a lens-free optical physical unclonable function,” published in the academic journal Nature Communications, the researchers argue that the properties of silk could be harnessed to create physical unclonable functions (PUFs). According to the team, made up of Min Seok Kim, Gil Ju Lee, Jung Woo Leem, Seungho Choi, Young L. Kim, and Young Min Song, PUFs can act as physical security keys for digital services that cannot be duplicated or cloned.

    Hardware security keys, including YubiKey products, provide a physical security barrier for online services. Google, for example, recommends that account holders considered more ‘at risk’ of attacks use a hardware-based key in order to reduce the likelihood of compromise by requiring another level of authentication.

    According to the GIST researchers, future sustainable and eco-friendly authentication keys could be created by taking advantage of the natural, microscopic differences in fiber — tiny differences that could be used to develop unique hardware PUFs. The fibers used to test this idea were obtained from Bombyx mori silkworms. GIST then used an image sensor, a light-reflecting mirror, and three light-emitting diodes to capture patterns of light reflected off the silk to create a security tag pattern.

    “Randomly distributed fibers in silk generate spatially chaotic diffractions, forming self-focused spots on the millimeter scale,” the paper reads. “The silk-based physical unclonable function has a self-focusing, low-cost, and eco-friendly feature without relying on pre-/post-process for security tag creation.”

    Professor Young Min Song explained that at an “optimal density,” a beam of light striking silk causes light diffraction, which is the source of a potential PUF. “The nanostructures in individual microfibers enhance the contrast of light intensity with respect to the background,” Song commented. “The diffracted light is then captured by an image sensor. Since the pattern of the microholes is naturally-made, it is unique, giving rise to a unique pattern of light.”

    These patterns were then converted into a digital format held in 15 silk “ID cards,” from which a reader could then extract an authentication code. When challenged by a basic brute-force attack, the time calculated for bypassing authentication was reported as 5 × 10^41 years.

    “To our knowledge, this is the first PUF module designed using silk, a naturally abundant biomaterial,” Song added. “It means that we don’t need to invest time in developing complicated security keys; nature has already done this for us.”

  • UK security centre urges companies to boost their defences after cyberattacks on Ukraine

    Organisations are being urged to take action in order to bolster their cybersecurity resilience as a result of the ongoing tensions between Russia and Ukraine. The National Cyber Security Centre (NCSC) has issued the warning after recent cyber incidents against Ukraine and tensions in the region.

    While the attacks haven’t officially been attributed to anyone, the NCSC notes that they follow similar patterns to previous incidents, some of which the UK, the US and others have blamed on the Russian government. These include cyberattacks against Georgia, as well as the NotPetya cyberattack.

    NotPetya was designed to target organisations in the Ukrainian financial, energy and government sectors, but the self-replicating nature of the attack meant it affected organisations around the world, causing damages estimated in the billions of dollars. NotPetya was powered by EternalBlue, an offensive NSA hacking tool that was leaked in early 2017. By the time of the NotPetya attack in June that year, a security patch had been available for months, but many organisations had yet to apply it. That’s despite a demonstration of how large numbers of unpatched systems were vulnerable to EternalBlue-based attacks – that demo took place when North Korea launched WannaCry ransomware in May 2017, disrupting networks of organisations around the world.

    Regularly patching software and operating systems is, therefore, one of the actions that organisations are being urged to implement to help protect networks from cyberattacks. Other steps organisations are urged to take include enabling multi-factor authentication, ensuring an incident response plan is in place, and testing backups and other online defences regularly to ensure they’re working as expected. It’s also recommended that organisations keep up to date with the latest threat and mitigation information, so they’re aware of what potential cyber incidents could be on the horizon.

    “While we are unaware of any specific cyber threats to UK organisations in relation to events in Ukraine, we are monitoring the situation closely and it is vital that organisations follow the guidance to ensure they are resilient,” said Paul Chichester, director of operations at NCSC. “Over several years, we have observed a pattern of malicious Russian behaviour in cyberspace. Last week’s incidents in Ukraine bear the hallmarks of similar Russian activity we have observed before,” he added.

    The guidance also advises any organisations that fall victim to a cyberattack to report the event to the NCSC’s incident management team.

  • Google Play app dropped Vultur banking Trojan on Android handsets

    A Trojanized 2FA authenticator app has been removed from the Google Play Store. 

    The app, 2FA Authenticator, was discovered by the Pradeo security team. According to a cached version of the app’s page on Google Play, the developer said the software provided a “secure authenticator for your online services, while also including some features missing in existing authenticator apps, like proper encryption and backups.” In addition, the app claimed to support HOTP and TOTP and was marketed as a way to import other authenticator protocols — including Authy, Google Authenticator, Microsoft Authenticator, and Steam — and host them in one place.

    The app was downloaded and installed over 10,000 times during its time on Google Play. However, the app was less about protecting your data and more about stealing it. According to Pradeo, the app would act as a dropper for malware designed to steal financial information upon installation.

    “It has been developed to look legitimate and provide a real service,” the researchers say. “To do so, its developers used the open-source code of the official Aegis authentication application to which they injected malicious code. As a result, the application is successfully disguised as an authentication tool which ensures it maintains a low profile.”

    In the first stage of the attack, 2FA Authenticator requests a range of permissions from the handset owner, including camera and biometric access, the ability to tamper with system alerts, package querying, and the ability to disable the keylock. The permissions allow the malware to perform actions including collecting localized data for targeted attacks, disabling keylock and password security, downloading external apps, and creating overlay windows over other mobile application windows. Once these permissions have been granted, the dropper then installs Vultur.

    According to ThreatFabric, Vultur is a Remote Access Trojan (RAT) that is a relatively new entrant to the malware landscape. Vultur uses screen recording and keylogging to capture bank account and financial service credentials rather than traditional overlay functions — a slower method, but potentially one that is less likely to be detected. Vultur tends to target European banking institutions as well as a range of cryptocurrency wallet platforms. The dropper used to execute the RAT is a framework called Brunhilda, previously linked to Android malware distribution through fake utility and 2FA apps on Google Play.

    In an update, the Pradeo team said the malicious app was removed after being available on the Google Play Store for 15 days. If you try to access the 2FA Authenticator page, you are met with an error display. Users of the app are advised to delete the software from their handsets. ZDNet has reached out to Google, and we will update when we hear back.

  • Home Affairs seeking support to build out Australia's identity-matching system

    The Department of Home Affairs is looking for an organisation to help it build and deploy components for the country’s identity-matching services (IDMS), as well as host and manage elements of the existing IDMS system. The IDMS was established to prevent the use of false and stolen identities, provide law enforcement with tools to help identify persons of interest, and enable other government agencies to deliver services. It was established after the political heads of Australia’s states and territories unanimously agreed to it in 2017.

    It comprises three components. One is the documentation verification service (DVS), a national online service used to check in real time whether a particular evidence-of-identity document that has been presented is authentic, accurate, and up to date. Another is the face-matching services hub (FMS), which acts as a “broker” that facilitates identity-related requests for biometric and biographic data between requesting agencies and data-holding agencies. The third component is the national driver licence facial recognition solution (NDLFRS), which is used to verify a person’s identity using their facial image or driver’s licence issued by each state and territory road agency.

    In a request for tender, the Department of Home Affairs outlined that it is seeking help to transition the country’s existing NDLFRS from an unnamed incumbent service provider to a new provider while keeping the current system fully operational during the transition period. The service provider would also take over all management, operations, and maintenance responsibilities for the NDLFRS, according to the tender. At the same time, the department is seeking to have the DVS and FMS hubs designed, built, tested, and deployed, with the potential for both hubs to be consolidated into a single hub that can provide both services.

    The department also hopes that a central routing application can be developed to facilitate the secure, automated transition of facial images and associated data between IDMS participants, along with a web-based portal interface for IDMS consumers that can submit and receive information match requests for biometric and biographic data. Other requirements listed in the tender include the need to have agreed-upon common data standards, guidelines, and protocols for the exchange of biometric and biographic data. Tender submissions close 11 March 2022.

    The request for tender follows the recent scrutiny regarding various Australian government agencies’ usage of biometric tools and data. In April last year, the Australian Federal Police (AFP) admitted to using Clearview AI facial recognition software to help counter child exploitation, despite not having an appropriate legislative framework in place. An investigation by Australia’s Information Commissioner later determined the AFP’s use of the Clearview AI platform interfered with the privacy of Australian citizens. A separate investigation also found that the Clearview AI facial recognition tool collected Australians’ sensitive information without consent and by unfair means, breaching Australia’s privacy laws on numerous fronts.

  • FCC tacks China Unicom onto list of Chinese telcos banned in the US

    Image: Costfoto/Barcroft Media via Getty Images
    The United States Federal Communications Commission (FCC) has revoked China Unicom’s authority to operate in the US for national security reasons. The agency’s four commissioners voted unanimously to revoke the licence of China Unicom’s US subsidiary, with the agency explaining that the telco’s presence in the US posed a national security risk, giving the Chinese government the opportunity to access, store, disrupt, and misroute US communications and engage in espionage.

    “In March 2021, the Commission found that China Unicom Americas had failed to dispel serious concerns regarding its retention of its authority to provide telecommunications services in the United States,” the FCC said in a statement. “[China Unicom] is subject to exploitation, influence, and control by the Chinese government and is highly likely to be forced to comply with Chinese government requests without sufficient legal procedures subject to independent judicial oversight.”

    The state-owned China Unicom has also been accused of misleading the FCC and Congress about the activities it conducted in the US, which the agency said has undermined the trust the telco must command given the critical nature of being a provider of telecommunications services. With the ban, China Unicom joins China Telecom as a Chinese state-owned telco that has been banned from operating in the US. The ban also means China Mobile is the last of China’s major telcos to still be allowed in the US.

    Prior to the FCC decision, China Unicom was already in regulatory hot water in the US, having been delisted from the New York Stock Exchange alongside China Telecom and China Mobile at the start of 2021. US President Joe Biden also signed an executive order in June last year prohibiting Americans from investing in the three telcos.

    China Unicom will now have 60 days to pack its bags and stop its provision of domestic and international services.

  • QNAP warns NAS users of DeadBolt ransomware, urges customers to update

    Taiwanese network-attached storage giant QNAP urged its customers to update their systems this week after the DeadBolt ransomware was discovered targeting all NAS instances exposed to the internet. “QNAP urges all QNAP NAS users to follow the security setting instructions below to ensure the security of QNAP NAS and routers, and immediately update QTS to the latest available version,” the company said in a statement.

    Attached to the statement is a detailed guide for customers, noting that if you go to the Security Counselor on your QNAP NAS and see “The System Administration service can be directly accessible from an external IP address via the following protocols: HTTP” on the dashboard, you are at high risk.

    “If your NAS is exposed to the Internet, please follow the instructions below to ensure NAS security: Go to the management interface of your router, check the Virtual Server, NAT or Port Forwarding settings, and disable the port forwarding setting of NAS management service port (port 8080 and 443 by default),” the company said. “Go to myQNAPcloud on the QTS menu, click the ‘Auto Router Configuration’, and unselect ‘Enable UPnP Port forwarding’.”

    Two days ago, dozens of people took to QNAP message boards and Reddit to say they logged on only to find the DeadBolt ransomware screen. People reported losing decades of photos, videos and irreplaceable files. Even an MIT professor was hit.

    “I just got hacked. Ransomware named DeadBolt found an exploit in @QNAP_nas storage devices, encrypting all files. They ask $1,000 from individuals or $1.8 million from QNAP. I have 50TB of data there, none of it essential or sensitive, but it hurts a lot. Time for a fresh start.” — Lex Fridman (@lexfridman), January 27, 2022

    One user on Reddit said they were saved because they had a folder titled “Absolutely Worthless” at the top of their directory full of data. The ransomware started with that folder, giving them time to pull the plug before it encrypted anything of value. 

    The ransom note demands 0.03 Bitcoin for the decryption key and says, “You have been targeted because of the inadequate security provided by your vendor (QNAP).” At least one user on Reddit reported paying the ransom and not getting the decryption key.
    On the QNAP message board, someone shared a message from the DeadBolt ransomware group that was allegedly sent to QNAP. “All you affected customers have been targeted using a zero-day vulnerability in your product. We offer you two options to mitigate this (and future) damage,” the group said. The group demanded a Bitcoin payment of 5 BTC in exchange for details about an alleged zero day used to launch the attack, or 50 BTC for a universal decryption master key and information about the zero day. “There is no way to contact us. These are our only offers,” the alleged message says. QNAP did not respond to requests for comment about whether a zero day was used during the attack.

    Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, said QNAP NAS devices have been a frequent target of ransomware groups, including the QLocker ransomware in April 2021 and January 2021 as well as the ech0raix ransomware in December 2020. QNAP has also been hit by malware in the past. “The latest activity—which has been attributed to the DeadBolt ransomware—is reportedly unsophisticated and relies on targeting unpatched devices. Mitigation for this attack—and other similar ransomware variants—can be achieved simply by ensuring devices are not internet facing and are routinely patched with the most regular updates,” Morgan explained.

    Vulcan Cyber’s Mike Parkin questioned why an organization would have a NAS system exposed on the internet in the first place, noting that while there may be some business cases for making mass storage available to outsiders, there is no reason to have administration functions available through an unencrypted, unauthenticated connection. “Cases like this highlight how important it is to be sure systems are deployed and maintained to industry best practices. Network scanning and vulnerability management tools can work together to identify risky configurations after the fact, but it’s always best to make sure systems are deployed securely in the first place,” Parkin said.

  • White House, EPA release 100-day cybersecurity plan for water utility operators

    The White House, Environmental Protection Agency (EPA) and Cybersecurity and Infrastructure Security Agency (CISA) are rolling out a 100-day plan to improve the cybersecurity of the country’s water systems, which faced a variety of attacks over the last year. 

    The “Industrial Control Systems Cybersecurity Initiative — Water and Wastewater Sector Action Plan” includes several measures that officials believe can be taken in the next few months to address cybersecurity gaps within the water utility industry. The plan will create a task force of leaders in the water utility industry, kickstart incident monitoring pilot programs, improve information sharing and provide technical support to water systems in need of help.

    EPA Administrator Michael Regan said cyberattacks represent an “increasing threat to water systems and thereby the safety and security of our communities.” “As cyber-threats become more sophisticated, we need a more coordinated and modernized approach to protecting the water systems that support access to clean and safe water in America,” Regan said. “EPA is committed to working with our federal partners and using our authorities to support the water sector in detecting, responding to, and recovering from cyber-incidents.”

    The White House said the plan will offer owners and operators technology that will provide “near real-time situational awareness and warnings.” The Washington Post noted that over 150,000 water utilities are serving the US population. “This sector is made up of thousands of systems that range in size from the very small to ones that service major metropolitan cities that have little or no cybersecurity expertise and are unsure what steps they should take to address cyber risks. EPA and CISA will work with appropriate private sector partners to develop protocols for sharing information,” the Biden Administration said.

    “The government will not select, endorse, or recommend any specific technology or provider. The plan will initially focus on the utilities that serve the largest populations and have the highest consequence systems; however, it will lay the foundation for supporting enhanced ICS cybersecurity across water systems of all sizes.”

    In October, CISA warned US water and wastewater system operators about an array of cyber threats to disrupt their operations. The notice listed several recent attacks since 2019, including one in August 2021 that involved the Ghost ransomware being deployed against a facility in California. Attackers spent a month inside the system before putting up a ransomware message on three supervisory control and data acquisition servers. An attack in July 2021 saw the ZuCaNo ransomware used to damage a wastewater facility in Maine. In March 2021, a Nevada water treatment plant was hit with an unknown ransomware variant. In September 2020, the Makop ransomware hit a New Jersey facility, and another attack in March 2019 involved an attempt to threaten the drinking water of a town in Kansas. There was also a headline-grabbing attack in February 2021 where an unidentified hacker accessed the computer systems of a water treatment facility in the city of Oldsmar, Florida and modified chemical levels to dangerous parameters. Recent reports indicate that 1 in 10 water or wastewater plants has a critical security vulnerability.

    “Over the past year, we’ve seen cyber threats affecting the critical infrastructure that underpins our communities and the services we all rely on, including safe and clean water,” CISA Director Jen Easterly said. “To reduce the likelihood and impact of damaging cybersecurity intrusions to the water sector, we’re teaming up with our EPA partners to provide guidance, technology, and direct support to the sector. The action plan announced today will help us better understand and reduce the risks across the water and wastewater sector both in the near and long term, and keep the American people safe.”

    The White House noted in its statement that the recent attacks on Colonial Pipeline and food processor JBS “are an important reminder that the federal government has limited authorities to set cybersecurity baselines for critical infrastructure and managing this risk requires partnership with the private sector and municipal owners and operators of that infrastructure.” The EPA developed the water plan with the National Security Council, CISA, the Water Sector Coordinating Council and the Water Government Coordinating Council. National Cyber Director Chris Inglis explained that the plan will provide owners and operators of water utilities with a roadmap for high-impact actions to improve their operations’ cybersecurity. The 100-day plan is part of President Joe Biden’s Industrial Control Systems (ICS) Initiative that aims to help critical infrastructure organizations with tools that provide greater visibility, indicators, detections, and warnings about cyber threats.

    Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger said the action plans that were created for electric grids and pipeline operators “have already resulted in over 150 electricity utilities serving over 90 million residential customers and multiple critical natural gas pipelines deploying additional cybersecurity technologies.” “This plan will build on this work and is another example of our focus and determination to use every tool at our disposal to modernize the nation’s cyber defenses, in partnership with private sector owners and operators of critical infrastructure,” Neuberger said. Secretary of Homeland Security Alejandro Mayorkas added that “American lives depend on protecting the Nation’s critical infrastructure from evolving cybersecurity threats.”

    Responses to the 100-day plan among ICS cybersecurity experts were mixed. Mark Carrigan, cyber VP of process safety and OT cybersecurity at Hexagon PPM, told ZDNet that the measures outlined “will not be nearly sufficient to reduce the risk to an acceptable level.” The state of detection technology today is not “fool-proof,” according to Carrigan, who noted that many infiltrations and subsequent attacks start with exploiting zero-day vulnerabilities that are not recognized until after the fact. “It’s like closing the barn door after the cows have gotten out. It is time for critical infrastructure to increase investments to improve operational resiliency so that we can respond to an attack, minimize the impact, and restore operations within an acceptable period of time,” Carrigan said. “We must accept the fact that we cannot prevent all cyber-attacks due to the nature of the control systems that deliver critical services. We must improve our ability to respond and recover.”