More stories


    $324 million stolen from blockchain platform Wormhole

    Wormhole, a popular blockchain bridge, confirmed on Wednesday evening that hackers stole crypto-assets worth $324 million. The platform serves as a bridge between different blockchains and allows users to transfer cryptocurrency. The company confirmed in a series of tweets that 120k wETH was stolen from the platform and that the network was down for maintenance while it looked into a potential exploit.

    The wormhole network was exploited for 120k wETH. ETH will be added over the next hours to ensure wETH is backed 1:1. More details to come shortly. We are working to get the network back up quickly. Thanks for your patience. — Wormhole🌪 (@wormholecrypto) February 2, 2022

    The platform’s website displays “Portal is Temporarily Unavailable” in block letters but no other message. Researchers found evidence of an 80,000 ETH transfer from Wormhole as well as another 40,000 ETH being sold by the hacker on Solana. Elliptic’s Tom Robinson shared a message from Certus One, the company behind Wormhole, to the hacker offering $10 million for the exploit details and the return of all the cryptocurrency. In the message, the company said the hacker exploited “the Solana VAA verification and mint tokens.” “The exploit appears to have allowed the attacker to mint 120,000 wrapped ETH on the Solana blockchain, 93,750 ETH of which was then transferred to the Ethereum blockchain,” Elliptic explained. By around 8 pm EST, the company said the vulnerability had been patched and the network was being restored. Multiple researchers released detailed threads explaining the vulnerability the hacker exploited.

    tl;dr – Wormhole didn’t properly validate all input accounts, which allowed the attacker to spoof guardian signatures and mint 120,000 ETH on Solana, of which they bridged 93,750 back to Ethereum. — samczsun (@samczsun) February 3, 2022

    Jump Capital, which purchased Certus One in August 2021, did not respond to requests for comment. The company also invested in crypto platform AscendEX, which suffered its own $77.7 million hack on December 11. Just five days ago, Qubit Finance took to Twitter to beg hackers to return more than $80 million that was stolen from it. The recent hacks continue a run of attacks on DeFi platforms over the last year. Chainalysis said at least $2.2 billion was outright stolen from DeFi protocols in 2021. The attack on Wormhole is the second largest reported hack after Poly Network saw $611 million stolen from its platform in August. Bitmart lost $196 million in early December.


    NordVPN and Surfshark announce merger

    Major VPN providers Surfshark and Nord Security are merging, according to a blog post from both companies. The merger is one of a number of consolidations within the VPN market, much of which is already controlled by Kape Technologies, Tesonet, and Ziff Davis. Terms of the merger were not disclosed but the two companies spent months negotiating before making the announcement. The two companies will operate as separate entities “relying on separate infrastructures and different product development plans.”


    In a statement, Surfshark founder and CEO Vytautas Kaziukonis defended the VPN market’s worrisome consolidation, arguing that it indicated “the industry’s maturity.” “Consolidations in the global consumer cybersecurity market indicate the industry’s maturity,” Kaziukonis said. “They also bring new competitive challenges. Nord Security and Surfshark joining forces will set the ground to scale in different digital security dimensions, which is necessary to meet the growing requirements of our customers.” The companies argued that they never intended to “be only a VPN” and that both offer different products despite overlaps between the tools they sell.

    “Nothing changes concerning our brands, infrastructure, company management, employees, and product development. The idea behind the deal is to align on a tactical level in reaching mutual goals while keeping the autonomy of our operations,” the companies said. “This strategic business move will serve as a springboard towards more rapid development and innovation while maintaining the uniqueness of both brands that customers learned to appreciate over many years.” Nord Security co-founder Tom Okman said the companies believe the VPN industry requires “radical” simplification and ease of access for consumers and businesses. Neither company is changing its Terms of Service or Privacy Policy. The merger drew scrutiny from market watchers, who noted that Surfshark was developed with the help of Tesonet, the same Lithuanian business incubator that helped NordVPN in its early days. The companies initially denied any connection before the merger was announced. In September, Kape Technologies bought ExpressVPN for $936 million. Kape Technologies previously bought the VPN companies ZenMate and CyberGhost.



    KP Snacks hit with ransomware attack

    British food producer KP Snacks was hit with a ransomware attack last week. In a statement to ZDNet, the company said it discovered the ransomware attack on Friday, January 28.

    “As soon as we became aware of the incident, we enacted our cybersecurity response plan and engaged a leading forensic information technology firm and legal counsel to assist us in our investigation,” a company spokesperson said. “Our internal IT teams continue to work with third-party experts to assess the situation. We have been continuing to keep our colleagues, customers, and suppliers informed of any developments and apologize for any disruption this may have caused.” The company has more than 2,000 employees and brings in over $630 million in annual revenue. The company would not confirm who launched the attack, but the Conti ransomware group added KP Snacks to its victim leak site, threatening to leak information stolen from the company on February 6. Better Retailing reported that store owners received messages notifying them of the ransomware attack and saying the company “cannot safely process orders or dispatch goods.” The note added that stores should “expect supply issues on base stock and promotions until further notice.”

    The outlet said the company has already told sellers that “no orders will be being placed or delivered for a couple of weeks at least, and service could be affected until the end of March at the earliest.” Order caps will be introduced so that KP Snacks can distribute the stock remaining in its warehouses. The company produces McCoy’s, Hula Hoops, Tyrrells, Space Raiders, Skips, Butterkist, Pom-Bears, Nik-Naks, KP Nuts and many other popular candies. BleepingComputer spoke with an unnamed source who said employee files and financial records were accessed during the ransomware attack. Both CISA and the FBI released a warning in September reporting that they had seen more than 400 attacks involving Conti’s ransomware targeting US organizations as well as international enterprises. The FBI has previously implicated Conti in attacks on at least 290 organizations in the US. Conti made a name for itself after attacking hundreds of healthcare institutions — including a debilitating ransomware attack on Ireland’s Health Service Executive on May 14 — as well as schools like the University of Utah and government organizations like the city government of Tulsa, Oklahoma and the Scottish Environment Protection Agency. The group attacked digital photography company Shutterfly in late December. Also in December, researchers with security firm Advanced Intelligence discovered the Conti ransomware group exploiting VMware vCenter Server instances through the Log4j vulnerabilities. They noted that their research into ransomware logs shows Conti made over $150 million in the last six months. “Most importantly, AdvIntel confirmed that the criminals pursued targeting specific vulnerable Log4J2 VMware vCenter for lateral movement directly from the compromised network resulting in vCenter access affecting the US and European victim networks from the pre-existent Cobalt Strike sessions,” the researchers said.


    The definition of modern Zero Trust

    At the beginning of 2022, Zero Trust faces a bizarre dichotomy: It’s on the verge of becoming the de facto cybersecurity approach while simultaneously having many security practitioners decry it as “just a marketing ploy.” How did we, as the security community, arrive at such a precarious perch? Part of the problem, according to John Kindervag, former Forrester analyst and author of the original Zero Trust research, was that the trilogy of Zero Trust papers remained largely behind the Forrester paywall. For over a decade, only Forrester clients and every security vendor in the world had access. The hype train left the station, with those vendors shaping the Zero Trust narrative from their highly subjective perspective. Nonclients and the greater cybersecurity community only saw Zero Trust through the stained-glass windows of vendor marketing. Forrester’s research advanced the Zero Trust concept from network-focused to an integrated, dynamic ecosystem of security capabilities and technologies with the introduction of Zero Trust Extended (ZTX). But analysts are not necessarily marketers, and the research lacked a clear, concise, shareable definition our clients and the larger community could use as a stake in the ground. Today, we correct both of these issues with the release of a report titled “The Definition Of Modern Zero Trust.” Well, yes, that report is behind the paywall, but we’re including its definition here, on the outside, for everyone.

    Zero Trust defined

    Zero Trust is an information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices. Zero Trust advocates these three core principles: All entities are untrusted by default, least privilege access is enforced, and comprehensive security monitoring is implemented.

    Notice that the last sentence is the three original Zero Trust principles stated together. Here are the salient points in bullet form:

    • Default deny
    • Access by policy only
    • For data, workloads, users, devices
    • Least privilege access
    • Security monitoring
    • Risk-based verification

    The good news for everyone is that this definition is not divergent from NIST’s definition in SP 800-207. The two definitions explain the same concept, using the same principles and often the same words.

    What about Zero Trust Architecture or Zero Trust Strategy?

    The broad theme of Zero Trust is the reduction of implicit trust. As a model for information security, Zero Trust translates to network and security architecture. See NIST SP 800-207, Zero Trust Architecture, as the most relevant example. Some advocates of Zero Trust say that it should also be a strategy; if so, consider replacing the phrase “Zero Trust strategy” with “a strategy to reduce implicit trust throughout our enterprise” in your mind.

    So, what isn’t Zero Trust?

    To better help security leaders and pros communicate the benefits of Zero Trust adoption, our report provides more clarity on what it isn’t. One key point is that it isn’t a security awareness and training strategy. In fact, there’s no need for the vast majority of end users in an organization to have any familiarity with this concept at all. Pushing Zero Trust concepts to end users will likely backfire from an awareness and training perspective, as the perception of having “zero trust” implies a lack of trust in employees. Organizations that have adopted the Zero Trust model see trust as fundamental to creating a positive, low-friction work culture for employees and invest in initiatives to empower the firm at all levels to differentiate with trust.

    Go Forth And Convert The Deniers

    One more time for those in the back: Zero Trust is an information security model, one that can be worked toward but without an ultimate end state. This post was written by Senior Research Analyst David Holmes and it originally appeared here.



    BlackCat ransomware implicated in attack on German oil companies

    An internal report from the Federal Office for Information Security (BSI) said the BlackCat ransomware group was behind the recent cyberattack on two German oil companies that is affecting hundreds of gas stations across northern Germany. 


    German newspaper Handelsblatt managed to obtain the internal report, which said Oiltanking’s “systems were compromised by the BlackCat ransomware through a previously unknown gateway.” Claudia Wagner, head of communications for Oiltanking GmbH, would not confirm that BlackCat was behind the attack but said the company discovered the initial cyber incident on Saturday, January 29. “Upon learning of the incident, we immediately took steps to enhance the security of our systems and processes and launched an investigation into the matter. We are working to solve this issue according to our contingency plans, as well as to understand the full scope of the incident. We are undertaking a thorough investigation, together with external specialists and are collaborating closely with the relevant authorities. All terminals continue to operate safely. Oiltanking Deutschland GmbH & Co. KG terminals are operating with limited capacity and have declared force majeure. Mabanaft Deutschland GmbH & Co. KG has also declared force majeure for the majority of its inland supply activities in Germany. All parties continue to work to restore operations to normal in all our terminals as soon as possible.” On Tuesday, Royal Dutch Shell said it was forced to reroute to different supply depots because of the issue. Handelsblatt said 233 gas stations across Germany now have to run some processes manually because of the attack.

    Last year, US oil giant Colonial Pipeline dealt with a devastating ransomware attack that crippled its business services and left significant parts of the East Coast without access to gas for less than a week. The Darkside ransomware group was eventually named as the culprit, and some experts believe the group has rebranded multiple times to dodge law enforcement scrutiny. Emsisoft threat analyst Brett Callow said there are links tying Darkside to another ransomware group — BlackMatter — which made a name for itself last summer and fall by attacking agricultural organizations. “It’s likely that BlackCat — or ALPHV — is a rebrand of BlackMatter, which was itself a rebrand of Darkside,” Callow said. “Intel suggests that the individuals behind the operation fired their devs after the blunder which cost them — and their affiliates — multiple millions. New devs were recruited and they were responsible for the development of BlackCat.” Last week Palo Alto Networks’ Unit 42 released a deep dive into the BlackCat ransomware, which emerged in mid-November 2021 as an innovative ransomware-as-a-service (RaaS) group leveraging the Rust programming language and offering affiliates 80-90% of ransom payments. BlackCat has been seen targeting both Windows and Linux systems, according to Unit 42, which added that it has observed affiliates asking for ransoms of up to $14 million. In some instances, affiliates have offered discounts of $9 million if the ransom is paid before the established deadline. They allow ransoms to be paid in Bitcoin and Monero. Unit 42 found that at least 16.7% of the group’s victims were based in Germany. Last week, Italian fashion brand Moncler was revealed to be a BlackCat victim from December.

    The incident with Oiltanking follows another cyberattack on billion-dollar German logistics firm Hellmann Worldwide Logistics that took place in December. James Carder, chief security officer at LogRhythm, said the attack on Oiltanking is a perfect example of how cyberattacks can go beyond the targeted entity and disrupt the larger supply chain. “In this case, the oil distributor supplies fuel to 26 companies in Germany, including Shell, which operates over 1,900 gas stations in the country,” Carder said. “While the supply of fuel has not been affected in the attack, impact remains consequential with IT systems responsible for the automation of tank loading and unloading processes, something that cannot be done manually, being forced offline for the time being. The 13 tank farms that Oiltanking operates cannot currently serve trucks, so the firm has turned to alternative methods. The economic impact of cyberattacks affecting the greater supply chain can prove to be extremely detrimental.”


    Meet CoinStomp: New cryptojacking malware targets Asian cloud service providers

    Researchers have discovered a new malware family targeting cloud services to mine cryptocurrency.

    Dubbed CoinStomp, the malware is made up of shell scripts that “attempt to exploit cloud compute instances hosted by cloud service providers for the purpose of mining cryptocurrency,” according to Cado Security. The firm’s researchers say that CoinStomp’s overall purpose is to quietly compromise instances in order to harness their computing power to illicitly mine cryptocurrency, a form of attack known as cryptojacking. So far, a number of attack attempts have been focused on cloud service providers in Asia. Clues in the code also reference Xanthe, a cryptojacking threat group recently tied to the Abcbot botnet. However, the clue — found in a defunct payload URL — is not enough to firmly establish who is responsible for CoinStomp and may have been included in “an attempt to foil attribution,” according to the team. CoinStomp has a number of interesting capabilities. One is its reliance on “timestomping”: the manipulation of timestamps by running the touch command on Linux systems to update file modification and access times. “It seems likely that timestomping was employed to obfuscate usage of the chmod and chattr utilities, as forensic tools would display the copied versions of these binaries as being last accessed (executed) at the timestamp used in the touch command,” Cado Security noted.
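    The touch-based timestomping Cado describes leaves a trace that forensic triage can use: touch (via utime) rewrites mtime and atime, but the kernel sets ctime from the system clock whenever inode metadata changes, the touch call included. The script below, an added example and not Cado Security’s or CoinStomp’s code, walks a directory and flags files whose mtime sits far behind their ctime, plus a weaker whole-second mtime signal; the SKEW_SECONDS tolerance, the file names and the sample tree are all constructed for the demonstration.

```python
"""Timestomping triage for the touch-based trick described above.

Added example, not Cado Security's code. It relies on one kernel property:
`touch -d`/`touch -t` (and utime()) can rewrite a file's mtime and atime,
but ctime is always set from the system clock when inode metadata changes,
including by the touch call itself. A file whose mtime sits well before its
ctime therefore had its modification time pushed backwards. A second, weaker
signal is an mtime with zero nanoseconds, because a forged `touch -d DATE`
value has no fractional part while a normal write on ext4/xfs/btrfs does.
"""
import os
import stat
import tempfile
import time
from dataclasses import dataclass
from typing import List, Tuple

SKEW_SECONDS = 60.0  # assumed tolerance; tune to the host's own patterns


@dataclass
class Finding:
    path: str
    reasons: List[str]


def inspect_file(path: str, skew_seconds: float = SKEW_SECONDS) -> List[str]:
    """Return the list of indicators (empty if the timestamps look genuine)."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return []
    reasons = []
    skew = st.st_ctime - st.st_mtime
    # Strong indicator: user space cannot backdate ctime, so a large gap means
    # mtime was rewritten after the last real metadata change. A chmod/chown
    # long after the last edit produces the same gap, so treat hits as leads.
    if skew > skew_seconds:
        reasons.append(f"mtime precedes ctime by {skew:.0f}s")
    # Weak indicator: whole-second mtime on a filesystem with ns resolution.
    if st.st_mtime_ns % 1_000_000_000 == 0:
        reasons.append("mtime has zero nanoseconds (typical of touch -d/-t)")
    return reasons


def scan_tree(root: str) -> List[Finding]:
    """Walk `root` and collect files carrying at least one indicator."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = inspect_file(path)
            if reasons:
                findings.append(Finding(path, reasons))
    return findings


def build_constructed_sample() -> Tuple[str, str, str]:
    """Create a constructed sample tree: one normal file and one file whose
    mtime/atime were set 30 days back with utime(), as `touch -d` would."""
    root = tempfile.mkdtemp(prefix="timestomp_")
    normal = os.path.join(root, "notes.txt")
    backdated = os.path.join(root, "chattr")  # constructed copied-utility name
    for p in (normal, backdated):
        with open(p, "wb") as fh:
            fh.write(b"sample bytes\n")
    past = time.time() - 30 * 86400
    os.utime(backdated, (past, past))  # rewrites mtime/atime; ctime becomes now
    return root, normal, backdated


if __name__ == "__main__":
    sample_root, _, _ = build_constructed_sample()
    for f in scan_tree(sample_root):
        print(f.path, "->", "; ".join(f.reasons))
```

    A package upgrade or a late chmod produces the same mtime-before-ctime gap, so hits are leads to check against package manifests and change records, not verdicts.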

    In addition, the malware will attempt to tamper with Linux server cryptographic policies. These policies can prevent malicious executables from being dropped or executed, and so CoinStomp’s developer has included features to disable system-wide cryptographic policies through a kill command. “This could undo attempts to harden the target machine by administrators, ensuring that the malware achieves its objectives,” the researchers say. CoinStomp will then establish a connection to its command-and-control (C2) server via a reverse shell. The script then downloads and executes further payloads as system-wide systemd services, complete with root privileges. These include binaries to potentially create backdoors and a custom version of XMRig, legitimate Monero mining software abused for criminal purposes. “CoinStomp demonstrates the sophistication and knowledge of attackers in the cloud security space,” Cado Security says. “Employing anti-forensics techniques and weakening the target machine by removing cryptographic policies demonstrates not only a knowledge of Linux security measures but also an understanding of the incident response process.”


    Arid Viper hackers strike Palestine with political lures and Trojans

    The Arid Viper cyberattack group is back with a new campaign targeting Palestinian organizations and activists. 

    The advanced persistent threat (APT) group, believed to be located in Gaza — an area of conflict and hotbed of tension between Israel and Palestine — attacks organizations worldwide but now appears to be focused on entities related to Palestinian politics. Arid Viper, also known as Desert Falcon, Two-tailed Scorpion, or APT C-23, has been around since at least 2015. In the past, the group has been responsible for spear-phishing attacks against Palestinian law enforcement, the military, educational establishments, and the Israel Security Agency (ISA). Windows and Android malware have been used previously, the latter spread through fake app stores. Delphi malware, however, has featured heavily in previous campaigns and still seems to be the weapon of choice for Arid Viper. On Wednesday, researchers from Cisco Talos said the ongoing campaign uses a Delphi-based Micropsia implant to strike activists. “The most recent samples found by Talos lead us to believe this is a campaign linked to the previous campaign we reported on in 2017,” the researchers say, adding that the main focus of Arid Viper is cyberespionage — and targets are selected by the operators based on the political motivation of the “liberation of Palestine.” The initial attack vector is phishing emails whose content is linked to the Palestinian political situation and usually stolen from news agencies. For example, one decoy document related to Palestinian family reunification, published in 2021, whereas another contained a record of activist questions.

    If an intended victim opens one of these documents, the implant triggers and deploys a range of Remote Access Trojan (RAT) capabilities. The malware will collect operating system and antivirus data, exfiltrate it to the operator’s command-and-control (C2) server, steal content on the machine, take screenshots, and conduct further surveillance activities. A timer contained in the implant will also establish persistence on the target machine through the Startup folder. “The continued use of the same TTPs over the past four years indicates that the group doesn’t feel affected by the public exposure of its campaigns and implants and continues to operate business as usual,” Talos says. “This complete lack of deterrence makes them a dangerous group once they decide to target an organization or individual.” In related news this week, Talos and Cybereason disclosed three separate APT campaigns believed to be the work of state-backed Iranian cybercriminals. MuddyWater, Phosphorus, and Moses Staff are targeting entities in Turkey, the US, Israel, Europe, and the Middle East.


    Microsoft Defender for Endpoint now spots unpatched bugs in iOS and Android devices

    Microsoft’s Defender for Endpoint support for spotting known security flaws in Android and iOS devices has now reached general availability. The threat and vulnerability management feature lets admins monitor for known but unpatched bugs in Android and in installed Android apps; on iOS it can spot OS bugs but not yet bugs in installed apps, Microsoft notes in a blog post.


    Microsoft’s Defender for Endpoint, formerly Defender Advanced Threat Protection, helps admins protect managed company-issued mobile devices and unmanaged BYO devices. The mobile threat and vulnerability management capability is part of Defender for Endpoint mobile threat defense (MTD), which can monitor for malware and jailbroken iPhones and help implement conditional access to corporate resources. The vulnerability management capabilities are richer for Android devices, since Defender can run vulnerability assessments of the Android OS versions on onboarded devices as well as assess the apps installed on them. For Android Enterprise with a work profile, only apps installed in the work profile are supported for assessment. For other BYOD modes, vulnerability assessment of apps is not available. Vulnerability assessment is available for the iOS and iPadOS versions on onboarded devices; assessment of apps on iOS devices will be available in a later release, according to Microsoft.

    This mobile capability builds on Defender for Endpoint’s vulnerability assessments for network devices, such as Cisco IOS, IOS-XE and NX-OS, as well as Juniper’s JUNOS, HPE’s ArubaOS, and Palo Alto Networks’ PAN-OS. Microsoft has also beefed up Defender for Endpoint’s capabilities to discover unmanaged mobile devices, PCs and network devices that connect to the corporate network. Defender for Endpoint MTD vulnerability assessments in Microsoft 365 Defender offer security teams a device inventory that shows an overview of each device’s name, risk level, exposure level, OS, active status and onboarding status. The vulnerability management dashboard gives an overall exposure score for specific vulnerabilities and recommended actions.