More stories

  • These cybercriminals plant criminal evidence on human rights defender, lawyer devices

    Cybercriminals are hijacking the devices of civil rights activists and planting “incriminating evidence” in covert cyberattacks, researchers warn.


    According to SentinelLabs, an advanced persistent threat (APT) group dubbed ModifiedElephant has been responsible for widespread attacks targeting human rights activists and defenders, academics, journalists, and lawyers across India. The APT is thought to have been in operation since at least 2012, and over the past decade, ModifiedElephant has continually and persistently targeted specific, high-profile people of interest.

    However, rather than focusing on data theft, the APT’s activities are far more sinister: once inside a victim’s machine, the group conducts surveillance and may plant incriminating files later used to prosecute individuals.

    “The objective of ModifiedElephant is long-term surveillance that at times concludes with the delivery of ‘evidence’ — files that incriminate the target in specific crimes — prior to conveniently coordinated arrests,” the researchers say.

    SentinelLabs has identified “hundreds of groups and individuals” targeted by the APT.

    ModifiedElephant starts an infection chain with spear-phishing emails. These emails contain documents laden with malware, including the NetWire and DarkComet remote access trojans (RATs), as well as keyloggers and an Android Trojan.

    SentinelLabs has connected the dots between previously unattributable attacks and says that while ModifiedElephant has operated under the radar for so long, there is an “observable correlation between ModifiedElephant attacks and the arrests of individuals in controversial, politically-charged cases.”

    While the malware used by the threat actors is considered “mundane” and not particularly sophisticated, a number of the APT’s victims have also been targeted with NSO Group’s Pegasus surveillanceware, the subject of an explosive investigation by Amnesty International, Forbidden Stories, and various media outlets in 2021.

    While attribution isn’t concrete, the team says that ModifiedElephant activity “aligns sharply with Indian state interests.”

    “Many questions about this threat actor and their operations remain; however, one thing is clear: Critics of authoritarian governments around the world must carefully understand the technical capabilities of those who would seek to silence them,” SentinelLabs cautioned. “A threat actor willing to frame and incarcerate vulnerable opponents is a critically underreported dimension of the cyber threat landscape that brings up uncomfortable questions about the integrity of devices introduced as evidence.”

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Spanish police arrest suspects in SIM-swapping ring

    Spanish law enforcement has arrested eight people suspected of running a SIM-swapping ring. 

    SIM-swapping attacks, also known as SIM hijacking, occur when criminals attempt to take over your phone number. As our mobiles are now central hubs used in second-stage account verification, including through two-factor authentication (2FA) text messages or apps, being able to dupe carriers into handing over control means that victims may lose access to their online accounts and services.

    SIM-swaps usually lead to the theft of funds from bank accounts and cryptocurrency wallets. Last year, a UK national was indicted by US law enforcement for allegedly performing a SIM-swap to steal $784,000 in cryptocurrency, and as one of our own writers experienced, funds can be stolen to make cryptocurrency purchases that are then sent to attacker-controlled wallets.

    So-called ‘porting’ of a phone number occurs when a criminal uses stolen information and social engineering to pretend to be a carrier’s customer and makes the request for a number transfer or for a duplicate SIM to be sent out. Even if a victim quickly realizes something is wrong, a short time window is all that is needed to cause serious damage.

    In the case investigated by Spain’s National Police, eight suspects allegedly used phishing texts, emails, and instant messages to masquerade as banks. Victims would then hand over their sensitive, personal data and bank details, providing the information required for social engineering attempts.

    Now armed with this information, the suspects reportedly contacted carriers and requested duplicate SIM cards for their victims’ phone numbers.

    SIM-swap attacks would then be performed, in which the telephone numbers linked to the bank accounts would, for a time, be under the criminal’s control. It was then possible for the cybercriminals to intercept the 2FA codes sent by the victim’s bank to access their accounts and conduct fraudulent transactions.

    The police say that the suspects also “falsified official documents.” In particular, photocopies of Documento nacional de identidad (DNI) identity cards were shown to staff, in which photographs were manipulated to make the fraudster appear to be the legitimate handset owner.

    The eight individuals, seven located in Barcelona and one in Seville, are being detained. According to the National Police, law enforcement first caught wind of the scheme in March 2021, when complaints were made relating to fraudulent bank transfers.

    “Although the initial steps took place in remote places, the investigations led the investigators to the province of Barcelona, where those now detained laundered the defrauded money operating through bank transfers and digital instant payment platforms,” officers said.

    In February, the Federal Bureau of Investigation (FBI) warned that SIM-swapping attack rates are increasing.

    According to the law enforcement agency, from January 2018 to December 2020, 320 SIM-swapping attack complaints were recorded, with losses reaching roughly $12 million. In 2021 alone, 1,611 SIM-swapping complaints were made with estimated damages of at least $68 million.

  • $1.3 billion lost to romance scams in the past five years: FTC

    Netflix’s new title, The Tinder Swindler, is a wild ride. 

    The show examines how an alleged fraudster impacted the lives of multiple women, matching with them on Tinder and treating them to expensive dates to gain their trust and eventually ask for huge sums of money. While you may watch the show and wonder how someone – no matter their gender – could allow themselves to be swindled out of their savings, romance scams are common, breaking hearts and wiping bank balances around the world every day.

    We’ve moved on from the days of ‘lonely hearts’ columns to dating apps — and they are also popular channels to conduct fraud. Fake profiles, stolen photos and videos, and sob stories from fraudsters pretending to have business troubles, that their car has broken down, that they can’t afford to meet a match, or, in The Tinder Swindler’s case, that their ‘enemies’ are after them – are all weapons designed to secure interest and sympathy.

    Schemes can also be far more subtle than direct requests for money. In past cases, users have been lured into explicit webcam sessions with a match and then blackmailed, and in others, dating apps and social media networks are used as conduits to tout cryptocurrency and financial scams.

    According to the US Federal Trade Commission (FTC), romance-based fraud and scams have reached a “record” high, with $547 million in losses reported in 2021 in the United States alone.

    Data collected by the US watchdog over the past five years reveals reported losses were up almost 80% last year in comparison to 2020 and overall, the trend continues to surge upward.
    Image: FTC

    In total, consumers have lost at least $1.3 billion. The average victim will lose $2,400, but this rate can be both lower – and far higher.

    Another trend of note is that romance scam artists are cashing in on cryptocurrency.

    This is how it works: a fake love interest will talk to their victim for long enough to gain their trust and then will offer them a lucrative and time-sensitive business opportunity: if you invest in this cryptocurrency exchange or financial product, you will have X in returns. The problem is that funds sent to a wallet owned by the fraudster will never be legitimately invested or returned, or a victim may be lured into downloading a fake cryptocurrency trading app, leading to the theft of their funds and sensitive data.

    The FTC says that median losses for consumers in cryptocurrency scams are close to $10,000.

    “The largest reported losses to romance scams were paid in cryptocurrency: $139 million last year alone,” the FTC says. “That’s a remarkable growth in cryptocurrency payments to romance scammers: 2021 numbers are nearly five times those reported in 2020, and more than 25 times those reported in 2019.”

  • Beware of spies and radicalisation attempts online: ASIO chief

    Image: Miguel Sotomayor/Getty Images
    Foreign spies are increasingly approaching Australians on social media and even dating sites, according to Mike Burgess, director-general of the Australian Security Intelligence Organisation (ASIO).

    “Spies are adept at using the internet for their recruitment efforts,” he said in his third annual threat assessment speech on Wednesday night.

    Burgess said spies make “seemingly innocuous approaches” such as job offers on “any of the popular social media or internet platforms”.

    “This then progresses to direct messaging on different, encrypted platforms, or in-person meetings, before a recruitment pitch is made,” he said.

    During the COVID-19 pandemic, these approaches shifted from professional networking sites — he means LinkedIn — to more personal messaging platforms, such as WhatsApp.

    “ASIO is also tracking suspicious approaches on dating platforms such as Tinder, Bumble, and Hinge,” Burgess said.

    “My message for any potential victims on these sites is a familiar one: If it seems too good to be true, it probably is.”

    This message was reinforced, albeit clumsily, by Senator James Paterson, chair of the Parliamentary Joint Committee on Intelligence and Security.

    “If you’re a six and they’re a 10, it might not be your looks that they’ve been charmed by. It might be your access to classified information,” Paterson said.

    Minors radicalised online are getting younger and more intense

    The pandemic also sent online radicalisation attempts “into overdrive”, Burgess said, with the extra time spent online by isolated individuals serving as the foundation for the uptick.

    “Social media platforms, chat rooms, and algorithms are designed to join up people who share the same views, and push them material they will ‘like’. It’s like being in an echo chamber where the echo gets louder and louder, generating cycles of exposure and reinforcement,” the ASIO director-general said.

    “More time in those online environments — without some of the circuit breakers of everyday life, like family and community engagement, school and work — created more extremists. And in some cases, it accelerated extremists’ progression on the radicalisation pathway towards violence.”

    According to the agency’s statistics, this trend towards spending more time online has seen the number of young Australians being radicalised continue to rise. The number of minors becoming the subject of new counter-terrorism investigations has risen from 2-3% “a few years ago” to around 15%. It’s also led to the age of minors being radicalised dropping lower.

    “Children as young as 13 are now embracing extremism … and unlike past experience, many of these young people do not come from families where a parent or sibling already holds extreme views,” Burgess said.

    With the increase of radicalised minors, minors are also taking on larger roles in extremist groups in both online and face-to-face environments.

    “Where once minors tended to be on the fringe of extremist groups, we are now seeing teenagers in leadership positions, directing adults, and willing to take violent action themselves,” Burgess said.

    “We have seen cases involving young, radicalised violent extremists systematically targeting vulnerable associates who were lonely or going through tough times.”

    According to Burgess, minors now make up more than half of ASIO’s priority counter-terrorism investigations each week and some of them are preying on other minors through “grooming techniques similar to those used by paedophiles”.

    “The tactics used by the extremists in these cases involved a combination of attention, flattery and friendship, which shifted to bullying and manipulation. We’ve seen young ringleaders deliberately desensitise their targets, gradually exposing them to more extreme and more violent propaganda, until the most graphic material imaginable was normalised,” Burgess said.

    These comments echo figures from the UK published in November last year, when pandemic lockdowns and extended time spent out of school led to a rise in extremist views and conspiracy theories among pupils.

    The Guardian reported that of the teachers surveyed by the UCL Institute of Education, “95% had heard pupils express racist views, 90% had encountered homophobia or conspiracy theories, and nearly three-quarters had encountered extremist views on women or Islamophobic views”.

    The charity Hope Not Hate was reported to be seeing “younger students becoming involved in far-right extremism, including boys as young as 13, often using the Telegram messaging app”.

    Burgess rejects ‘the Borg defence’ in cybersecurity

    “Good security is achievable, and good security works,” Burgess said.

    He finds it “infuriating” when companies say their adversaries are so powerful that there are no ways to defend against them.

    “That’s what I call the Borg defence — ‘resistance is futile’. In my experience, resistance is rarely futile,” he said. “Certainly, in the cyber field, the overwhelming majority of compromises are foreseeable and avoidable.”

    Burgess also called out the media for what they “breathlessly called ‘cyber attacks’”.

    “[They] are not compromises at all — they are reconnaissance missions. If the digital doors are locked, the intruder moves on and tries somewhere else.”

    Tantalising details of ASIO counter-intelligence operations

    Burgess also detailed in his speech two cases which, while outside ZDNet’s normal remit, are worth mentioning for context.

    In one, ASIO “painstakingly mapped out a foreign intelligence service’s onshore network of sources and contacts” and then picked it apart.

    “Australians who were targeted by the foreign intelligence service included current and former high-ranking government officials, academics, members of think tanks, business executives, and members of a diaspora community,” Burgess said.

    In the other, “a wealthy individual who maintained direct and deep connections with a foreign government and its intelligence agencies” was attempting to set up a political interference operation.

    This operation identified candidates who were likely to run in an election — the election in question wasn’t revealed — before proceeding to plot ways of advancing the candidates’ political prospects.

    “The aim was not just to get the candidates into positions of power, but also to generate a sense of appreciation, obligation and indebtedness that could subsequently be exploited,” Burgess said.

    “The political candidates had no knowledge of the plot. Even if the plan had proceeded, they would not have known who was pulling the strings.”

    The ABC has subsequently reported that “intelligence sources familiar with the matter” said the operation was “orchestrated by Russia”, with the wealthy individual in question being “linked to Russian spy agencies and President Vladimir Putin’s regime”.

    However, the Nine news outlets are reporting that “a Chinese intelligence service was behind the plot and that it involved NSW Labor,” citing their own unnamed “multiple security sources”.

  • French privacy regulator finds using Google Analytics can breach GDPR

    Image: Google
    France’s privacy regulator has found instances where using Google Analytics is not compliant with the European Union’s General Data Protection Regulation (GDPR).

    Through an investigation into an unnamed local website’s data practices, the Commission nationale de l’informatique et des libertés (CNIL) found that the website’s use of Google Analytics was in violation of the GDPR. The French regulator said using the tool breached Article 44, which bans personal data transfers from within the bloc to “third-party countries” that do not have equivalent privacy protections in place.

    Among the countries that fail to meet this threshold is the US, as it does not provide non-US citizens with the means to know how their data is acquired or used. US laws also do not provide non-US citizens with the ability for recourse when their data is misused.

    The regulator’s investigation into the unnamed local website was done in conjunction with looking into 100 other complaints that were filed to privacy advocacy group Noyb shortly after the European Court of Justice struck down the EU-US Privacy Shield agreement in 2020. The complaints were filed to Noyb, whose founder, Max Schrems, was the one who initiated proceedings to invalidate the Privacy Shield agreement.

    With this finding, the CNIL has ordered the unnamed local website to comply with the GDPR. In doling out this order, the regulator said, if necessary, the website would have to stop using Google Analytics under the current conditions. The website will have one month to comply with the order.

    “Although Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for US intelligence services,” CNIL said in a statement. “There is therefore a risk for French website users who use this service and whose data is exported.”

    The CNIL clarified, however, that there may be some instances where use of Google Analytics does meet GDPR requirements, such as ensuring the tool is only used to produce anonymous statistical data. CNIL explained that using Google Analytics in this way would create a consent exemption so long as the data is not transferred illegally. In addition to issuing the order, CNIL said it would launch an evaluation to determine which audience measurement and ad tools are exempt from consent.

    The French GDPR interpretation follows Google urging lawmakers in the US and Europe to establish new rules for a secure data transfer framework last month. In expressing its concern, Google called for more transparency on how to interpret the GDPR, with its global affairs president Kent Walker claiming the lack of a data transfer framework would lead to a lack of legal stability.

    Other US tech giants, like Meta, have similarly not taken favourably to the lack of an EU-US data transfer framework. In light of the current lack of one, Meta “threatened” to pull its services out of Europe in its annual filing to the US Securities and Exchange Commission. The tech giant subsequently walked back its comments, however, after the “threat” made headlines on various outlets and received criticism from European politicians.

    “Meta is not wanting or ‘threatening’ to leave Europe and any reporting that implies we do is simply not true. Much like 70 other EU and US companies, we are identifying a business risk resulting from uncertainty around international data transfers,” said Markus Reinisch, Meta Europe public policy VP.

  • Moxa customers urged to patch five vulnerabilities found in MXview network management software

    Moxa users are being urged to upgrade MXview to version 3.2.4 or higher to remediate five vulnerabilities discovered by Claroty’s Team82.

    The issues affect the Taiwanese company’s MXview web-based network management system versions 3.x to 3.2.2 and collectively, ICS-CERT scored the vulnerabilities a 10.0, its highest criticality score.

    According to Team82, an unauthenticated attacker successfully chaining two or more of these vulnerabilities could achieve remote code execution on any unpatched MXview server. The US Cybersecurity and Infrastructure Security Agency (CISA) released an ICS advisory for the vulnerabilities in October, noting that successful exploitation of these vulnerabilities “may allow an attacker to create or overwrite critical files to execute code, gain access to the program, obtain credentials, disable the software, read and modify otherwise inaccessible data, allow remote connections to internal communication channels, or interact and use MQTT remotely.”

    The web-based network management system was designed for monitoring and managing Moxa-based devices. Team82 disclosed five vulnerabilities (CVE-2021-38452, CVE-2021-38456, CVE-2021-38460, CVE-2021-38458 and CVE-2021-38454) in the MXview platform. The company also provided a proof of concept showing how an attack would work.

    Bugcrowd CTO Casey Ellis said it is “an impactful set of vulnerabilities.”

    “Command injection via MQTT is an interesting and seldom discussed technique, and only goes to demonstrate the increasing complexity of the input vectors any given application may have,” Ellis said. “Proper sanitization is important everywhere, not just on real-time inputs which are exposed directly to users.”
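    Ellis’s point that MQTT is an input vector like any other is easiest to see in code. The following is an added example written for this digest, not Moxa’s or Team82’s code and not a reconstruction of the MXview flaws: a hypothetical back-end handler receives a JSON message on an assumed topic (`mxview/commands/ping`) asking it to ping a device. The naive handler splices the untrusted `host` field into a shell string; the hardened handler validates the field as a literal IP address and returns an argv list that no shell ever parses. Payloads are constructed for the demonstration, and the naive function only builds the command string rather than running it.

```python
"""Added example (not Moxa's or Team82's code): treating an MQTT payload
as untrusted input before it reaches a shell. Topic name, JSON schema and
payloads are assumptions made for this illustration."""
from __future__ import annotations

import ipaddress
import json
import subprocess

# Hypothetical topic that a back-end subscribes to (assumption, not MXview's).
EXPECTED_TOPIC = "mxview/commands/ping"

# Constructed sample messages: one well-formed, one carrying shell metacharacters.
BENIGN_PAYLOAD = b'{"host": "10.0.0.1"}'
HOSTILE_PAYLOAD = b'{"host": "10.0.0.1; echo injected"}'


class RejectedPayload(ValueError):
    """Raised when an MQTT message does not match the expected schema."""


def naive_ping_command(payload: bytes) -> str:
    # The pattern to avoid: untrusted data is spliced into a shell string.
    # Anything the shell treats as a separator (';', '|', '&&', '$(...)')
    # turns one command into several. This function only builds the string
    # so the effect can be inspected; it never executes it.
    host = json.loads(payload)["host"]
    return f"ping -c 1 {host}"


def safe_ping_argv(payload: bytes) -> list[str]:
    # Hardened handler: parse strictly, allow only a literal IP address, and
    # return an argv list. With a list and shell=False no shell parses the
    # value, so metacharacters have no meaning even if validation were weaker.
    try:
        data = json.loads(payload)
    except ValueError as exc:  # JSONDecodeError and bad UTF-8 both subclass it
        raise RejectedPayload(f"payload is not JSON: {exc}") from exc
    if not isinstance(data, dict) or set(data) != {"host"}:
        raise RejectedPayload("unexpected keys in payload")
    if not isinstance(data["host"], str):
        raise RejectedPayload("host must be a string")
    try:
        host = ipaddress.ip_address(data["host"])
    except ValueError as exc:
        raise RejectedPayload(f"host is not an IP address: {data['host']!r}") from exc
    return ["ping", "-c", "1", str(host)]


def handle_message(topic: str, payload: bytes) -> dict:
    # Entry point an on_message callback would call (wiring assumed). Returns a
    # record instead of raising so callers can log rejections for detection.
    if topic != EXPECTED_TOPIC:
        return {"status": "ignored", "reason": "unknown topic"}
    try:
        argv = safe_ping_argv(payload)
    except RejectedPayload as exc:
        return {"status": "rejected", "reason": str(exc)}
    return {"status": "accepted", "argv": argv}


def run_ping(argv: list[str]) -> int:
    # Execute the validated argv without a shell; returns the exit status.
    return subprocess.run(argv, check=False, capture_output=True).returncode


if __name__ == "__main__":
    print("naive string for hostile payload:", naive_ping_command(HOSTILE_PAYLOAD))
    for payload in (BENIGN_PAYLOAD, HOSTILE_PAYLOAD, b"not json"):
        print(handle_message(EXPECTED_TOPIC, payload))
```

    The rejection records are worth logging: a burst of `rejected` results on a command topic is a cheap detection signal for someone probing the broker, and the allowlist (an IP address parsed by `ipaddress`) is far easier to reason about than trying to strip dangerous characters from free-form text.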

    Moxa’s MXview is a significant player in the ICS and overall IoT market with their focus on converged networks — few network management vendors focus on this space — and therefore the significance of these vulnerabilities is high, according to Viakoo CEO Bud Broomhead.

    Broomhead added that with manufacturing and line-of-business organizations using them, not all their end users will have the IT resources or knowledge to quickly remediate these vulnerabilities — making the high severity vulnerabilities that much more dangerous.

    “These vulnerabilities, without question, will have a major impact. All 5 vulnerabilities have a 10/10 severity score, and because they are focused on converged networks it increases the likelihood of threat actors exploiting them in order to move laterally into corporate networks,” Broomhead told ZDNet.

    “In addition, these vulnerabilities enable privilege management exploits; vulnerabilities in privilege management almost always will be viewed as a high level risk, especially given the damage that cyber criminals with root-level privileges can do such as placing malware, controlling critical infrastructure, or covering the tracks of a threat actor.”

  • Nearly $700 million spent on ransomware payments in 2020 alone: report

    Victims of ransomware spent nearly $700 million paying off their attackers in 2020, according to a new report from blockchain analysis firm Chainalysis. 

    In the company’s last report, they pegged the figure at around $350 million, but increased the figure “due to both underreporting by ransomware victims and our continuing identification of ransomware addresses that have received previous victim payments.”

    Right now, the latest figures show more than $692 million was spent on ransomware payments in 2020. For 2021, they have already tracked over $602 million worth of ransomware payments but noted that like 2020, it is an underestimate.

    “In fact, despite these numbers, anecdotal evidence, plus the fact that ransomware revenue in the first half of 2021 exceeded that of the first half of 2020, suggests to us that 2021 will eventually be revealed to have been an even bigger year for ransomware,” Chainalysis said.

    The report also listed the most prolific ransomware groups by total payments received, finding that Conti led the way with at least $180 million made from ransoms.

    Image: Chainalysis
    The report notes that conversely, law enforcement agencies have made some headway in getting ransoms back, giving organizations even more incentive to report attacks. Unfortunately, 2021 also saw more active individual ransomware strains than any other year on record, according to the blockchain research organization. Their data shows that at least 140 ransomware strains received payments from victims at some point in 2021. The number was 119 in 2020 and 79 in 2019. 

    The researchers added that more than ever, groups were also shutting down and restarting under new names, providing one explanation for the increase in ransomware strains. The average number of days a ransomware strain stayed active in 2021 was 60, far lower than the 168 days in 2020 and 378 in 2019.

    Chainalysis claimed one criminal group — Evil Corp — had ties to the Doppelpaymer, Bitpaymer, WastedLocker, Hades, Phoenix Cryptolocker, Grief, Macaw, and PayloadBIN ransomware strains. The researchers were able to link some of the ransomware groups to one another based on their cryptocurrency transaction histories.

    The company estimates that Evil Corp made at least $85 million from its various ransomware strains.


    Now that more ransomware groups are targeting larger, more profitable organizations, the average ransomware payment size increased to over $118,000 in 2021, up from $88,000 in 2020 and $25,000 in 2019, according to the company’s data.

    Most ransomware groups appear to send their ransoms to centralized exchanges or mixers as a way to launder their stolen funds. Chainalysis said more than half of the funds sent from ransomware addresses since 2020 have wound up at one of six cryptocurrency businesses: three large international exchanges, one high-risk exchange based in Russia, and two mixing services.

    Chainalysis also included a rundown of their involvement in the investigation of the ransomware attack on Colonial Pipeline last May. The company helped the FBI track the 75 bitcoin Colonial Pipeline paid to DarkSide, and eventually the Justice Department was able to claw back about $2.3 million of the ransom.

    The address that initially received the ransom transferred it to accounts controlled by DarkSide’s administrators, who then sent 63.7 bitcoin to the affiliate who led the attack. The affiliate had previously received payments from addresses associated with NetWalker, another ransomware strain disrupted by law enforcement in January 2021. That affiliate received 595.3 bitcoin in four different chunks from the NetWalker administrator in late May and early June of 2020.

    “After tracking the funds to the affiliate’s address, FBI investigators were able to seize the funds on May 28, 2021,” the researchers said. “The seizure represents a huge step forward in the fight against ransomware, and especially ransomware strains that attack our critical infrastructure.”

  • Cloudflare reports $656 million revenue in 2021, strong Q4

    Network security and content delivery network provider Cloudflare this afternoon reported Q4 revenue that topped expectations and profit that narrowly beat Wall Street’s forecast. Revenue in Q4 rose 54%, year over year, to $193.6 million, yielding an EPS of $0.00. Analysts had been modeling $184.7 million and a loss per share of -$0.01.

    The report sent Cloudflare shares up nearly 7% in late trading. For the full year, the company saw a revenue of $656.4 million, a 52% year-over-year increase, and a non-GAAP net loss of $15.1 million.

    “The full year represented a 52% year-over-year increase in revenue growth and a 71% year-over-year increase in large customer growth. It was also the fifth straight year we achieved 50%, or greater, compounded growth,” said Matthew Prince, co-founder and CEO of Cloudflare. “Our continued success is fueled by a culture of relentless innovation on top of a highly scalable platform. That’s why we’re uniquely positioned to extend our network, introduce new Zero Trust capabilities, and grow our total addressable market. We’ve never been more motivated to take on this huge opportunity as corporate networks transition to the cloud, and developers line-up to build on our edge.”

    In Q1, Cloudflare expects revenue between $205 million and $206 million as well as a non-GAAP net income per share of $0.00 to $0.01. In fiscal 2022, the company is aiming for revenue between $927 million and $931 million, and predicts a non-GAAP net income per share between $0.03 and $0.04. The company also announced on Thursday that it is acquiring security company Vectrix for an undisclosed sum.
