More stories

  • Telstra to flag recent SIM swaps when banks ask

    Telstra said on Thursday it was introducing a flag to note when a mobile number was recently ported, in an effort to make SIM swapping attacks harder and prevent one-time codes sent via SMS being received by malicious actors.

    “A recent SIM swap or port out on a user’s mobile number might indicate that the person who has access to that mobile service and is receiving one-time codes, might not actually be who they say they are,” Telstra consumer and small business group executive Michael Ackland said in a blog post. “When a request is made to us by a banking organisation we’ll provide a rating (in the form of a number on a risk scale) which gives an indication of whether there has been any recent SIM swaps or port out activity for the mobile service you’re using as a form of identity with that organisation.”

    Ackland said if a flag is raised, it does not mean a transaction is automatically terminated, but that the bank needs to find out more information before proceeding.

    Telstra said it was also looking at using fraud-detection technology in retail, insurance, transport, social networking, and online gaming sectors. At the same time, the telco said it was introducing facial recognition and a PIN to its MyTelstra app to sit alongside its multi-factor authentication.

    “Telstra has strong authentication processes but we have still seen some fraudsters get enough personal and account information from customers and persuaded them to give up their one-time codes in order to pass authentication,” Ackland said.

    “From there, they can access other accounts including bank accounts, superannuation accounts, and investment or cryptocurrency wallets. This is where we want to intervene to help stop this train of fraud in its tracks.”

    Earlier on Thursday, Telstra restated its 2021 fiscal results to break out InfraCo Fixed and the Amplitel business previously known as InfraCo Towers. Taking on NBN payments, intercompany infrastructure revenue, as well as some passive wholesale and intercompany operation and maintenance costs saw InfraCo Fixed book AU$1.67 billion in earnings before interest, tax, depreciation, and amortisation (EBITDA), making it the second highest earning division behind mobile, which lost AU$350 million to restate its EBITDA at just shy of AU$3.3 billion. Amplitel booked AU$300 million in EBITDA, which consisted of the same products as InfraCo Fixed minus the NBN payments.

    Of the other divisions, consumer and small business fixed lost AU$134 million to restate EBITDA at AU$139 million, enterprise fixed saw AU$242 million disappear to come in at AU$645 million, while active wholesale fixed had EBITDA smashed from AU$621 million and restated at AU$231 million. The international segment was untouched and remained at AU$336 million. In June, the telco sold 49% of the tower business that would become Amplitel for AU$2.8 billion.

  • NSO spyware found targeting journalists and NGOs in El Salvador

    The University of Toronto’s Citizen Lab, along with Access Now, has found the Pegasus spyware developed by the now-sanctioned NSO Group was used to target journalists and non-government organisations operating in El Salvador. In total, the investigation found 35 individuals were targeted across 37 devices, with Citizen Lab having a high degree of confidence that data was exfiltrated from devices belonging to 16 targets.

    “In several cases, Pegasus apparently exfiltrated multiple gigabytes of data successfully from target phones using their mobile data connections,” Citizen Lab said in a blog post. “We observed extensive targeting using zero-click exploits, however we also identified specific instances in which targets were sent one-click infection links via SMS message.”

    One of the zero-click exploits was the same iMessage Kismet exploit sold by NSO Group to target Al Jazeera employees, which was patched in iOS 14, and the other was ForcedEntry, which led to Apple notifying users they could have been the target of state-sponsored hacking. Many of the Salvadorian targets received such notifications, Citizen Lab said.

    “The Kismet exploit has not yet been publicly captured and analyzed, but appeared to involve the use of JPEG attachments, as well as iMessage’s IMTranscoderAgent process invoking a WebKit instance,” Citizen Lab said. “Additionally, we recovered a copy of the ForcedEntry exploit from one of the phones. The exploit appears to have been fired at a phone with iOS 14.8.1, which is not vulnerable to ForcedEntry. The exploit does not appear to have run on the phone.

    “It is unclear why the exploit was fired at a non-vulnerable iOS version, though it is possible that NSO operators cannot always determine the precise iOS version used by the target before firing an exploit.”

    Apple is currently suing NSO Group over its use of Pegasus and seeking a permanent injunction that bans NSO Group from using any Apple software, services, or devices.

    Citizen Lab stopped short of pointing the finger at the El Salvador government and President Nayib Bukele, but said there was a “range of circumstantial evidence pointing to a strong El Salvador government nexus”. Backing up this claim, Citizen Lab said the targets were working on sensitive domestic issues surrounding the government, such as El Faro reporting that Bukele’s administration was negotiating with leaders of the MS-13 gang to reduce homicides in the country, prison privileges, and “long-term pledges tied to the results of congressional elections in 2021”. Citizen Lab also said the operator had a “near-total focus of infections” within the country.

    “Through our ongoing Internet scanning and DNS cache probing, we identified a Pegasus operator focusing almost exclusively within El Salvador,” Citizen Lab said. “We first observed this operator in early 2020, though the domain names associated with the operator appear to have been registered as early as November 2019.”

    Citizen Lab said if Pegasus was sold into El Salvador, it was done despite warning signs that abuse would take place, including: an autocratic-leaning President with a fascination with digital technology; a long history of harassment of independent media and journalists; a climate of insecurity and human rights abuses; poorly regulated police, intelligence, and private security firms; and a lengthy history of corruption, organized crime, state violence, and authoritarianism.
    For its part, El Faro reported two-thirds of its staff were hit, including journalists, administration staff, and board members.

    “When the hacks occurred, the journalists were working on investigations, for example, into the Bukele administration’s negotiation with gangs, the theft of pandemic-related food relief by the director of prisons and his mother, the Bukele brothers’ secret negotiations related to the implementation of bitcoin, the financial holdings of officials in the current government, the government pandemic response, or a profile of President Nayib Bukele,” the outlet said.

    During 2021, El Salvador adopted bitcoin as legal tender, and Bukele said in November he wanted to create a volcano-powered Bitcoin City.

  • US Cyber Command links MuddyWater to Iranian intelligence

    United States Cyber Command said on Wednesday that the hacking group known as MuddyWater is linked to Iranian intelligence.

    “MuddyWater is an Iranian threat group; previously, industry has reported that MuddyWater has primarily targeted Middle Eastern nations, and has also targeted European and North American nations,” Cyber Command said in a notice. “MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).”

    On Twitter, Cyber Command said MuddyWater was using a suite of malware for espionage and malicious activity, with attribution provided by the FBI National Cyber Investigative Joint Task Force. “MOIS hacker group MuddyWater is using open-source code for malware,” it said. “MuddyWater and other Iranian MOIS APTs are using DNS tunneling to communicate to its C2 infrastructure; if you see this on your network, look for suspicious outbound traffic.”

    Alongside its notice, MuddyWater malware samples were uploaded to VirusTotal, including the PowGoop DLL sideloader and the Mori backdoor, which uses DNS tunneling.

    “Goopdate.dll uses DLL side-loading to run when the non-malicious executable GoogleUpdate.exe is run. goopdate.dll will then de-obfuscate goopdate.dat, which is a PowerShell script used to de-obfuscate and run config.txt,” Cyber Command said as it detailed one instance of how PowGoop works. “Config.txt is a PowerShell script that establishes network communication with the PowGoop C2 server. It uses a modified base64 encoding mechanism to send data to and from the C2 server. The IP of the C2 server is often hardcoded in config.txt.”

    In November, cyber authorities across the US, UK, and Australia attributed attacks exploiting holes in Fortinet and Microsoft Exchange to Iranian-backed attackers.

    “FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021, and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware,” a joint release stated. “ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia.”

    Rather than going after a certain sector of the economy, the authorities said the attackers were simply focused on exploiting the vulnerabilities where possible; once in, they tried to turn that initial access into data exfiltration, a ransomware attack, or extortion.

    The same month, Microsoft said attacks from state-sponsored Iranian hackers on IT services firms were virtually non-existent in 2020, but in 2021 exceeded 1,500 potential attacks.
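    Cyber Command's advice in the notice above is to look for DNS tunneling on the network. As an added example, not from the notice or from any vendor tool, the following Python script scores each parent domain seen in a DNS query log on features typical of tunneling: many distinct subdomains whose leftmost labels are long and high-entropy, often queried over TXT or NULL records. The log format, the domain names and the thresholds are constructed assumptions for this example.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not real traffic). Assumed format:
# "<timestamp> <client-ip> <query-name> <query-type>", one query per line.
# The update-check.test names are constructed to look like tunnelled data.
SAMPLE_LOG = """\
2022-01-12T10:00:01 10.0.0.5 www.example.com A
2022-01-12T10:00:02 10.0.0.5 mail.example.com A
2022-01-12T10:00:03 10.0.0.7 aGVsbG8gd29ybGQgdGhpcyBpcyBh.c2.update-check.test TXT
2022-01-12T10:00:04 10.0.0.7 dGVzdCBkYXRhIGV4ZmlsIGNodW5r.c2.update-check.test TXT
2022-01-12T10:00:05 10.0.0.7 bW9yZSBleGZpbCBkYXRhIGhlcmU.c2.update-check.test TXT
2022-01-12T10:00:06 10.0.0.7 ZmluYWwgY2h1bmsgb2YgZGF0YQ.c2.update-check.test TXT
2022-01-12T10:00:07 10.0.0.5 cdn.example.com A
"""


def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score high, words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Return (client, qname, qtype) or None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qname, qtype = parts
    return client, qname.lower().rstrip("."), qtype.upper()


def split_qname(qname):
    """Return (leftmost label, subdomain part, parent). Parent = last two labels,
    a simplification that ignores multi-label suffixes such as co.uk."""
    labels = qname.split(".")
    if len(labels) < 3:
        return None
    return labels[0], ".".join(labels[:-2]), ".".join(labels[-2:])


def analyse(log_text, min_unique=3, min_label_len=20, min_entropy=3.5):
    """Score each parent domain; flag it when enough distinct subdomains carry long,
    high-entropy leftmost labels. Thresholds are assumptions: tune against baseline traffic."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "lens": [], "ents": [], "txt": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _client, qname, qtype = rec
        parts = split_qname(qname)
        if parts is None:
            continue
        first, sub, parent = parts
        s = stats[parent]
        s["queries"] += 1
        s["subs"].add(sub)
        s["lens"].append(len(first))
        s["ents"].append(shannon_entropy(first))
        if qtype in ("TXT", "NULL"):  # record types favoured for carrying bulky replies
            s["txt"] += 1
    results = {}
    for parent, s in stats.items():
        mean_len = sum(s["lens"]) / len(s["lens"])
        mean_ent = sum(s["ents"]) / len(s["ents"])
        flag = (len(s["subs"]) >= min_unique and mean_len >= min_label_len
                and mean_ent >= min_entropy)
        results[parent] = {"queries": s["queries"], "unique_subdomains": len(s["subs"]),
                           "mean_label_len": round(mean_len, 2), "mean_entropy": round(mean_ent, 2),
                           "txt_or_null": s["txt"], "suspicious": flag}
    return results
```

    CDN and cloud hostnames can also produce long, random-looking labels, so treat a flag as a lead to investigate the client's outbound traffic, not as a verdict.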

  • Maryland officials confirm ransomware attack shut down Department of Health

    Maryland officials confirmed on Wednesday that the state’s Department of Health is dealing with a devastating ransomware attack, which has left hospitals struggling amid a surge of COVID-19 cases. In a statement released on Wednesday, Maryland Chief Information Security Officer Chip Stewart said the attack began on December 4 and crippled their systems.


    “We have paid no extortion demands, and my recommendation — after consulting with our vendors and state and federal law enforcement — continues to be that we do not pay any such demand. At this time, we cannot speak to the motive or motives of the threat actor,” Stewart said.

    Stewart went on to explain that the health department’s network team noticed a server malfunctioning in the early morning of December 4. They eventually escalated it to the IT security team, which later notified Stewart that it may be a ransomware attack. The state began its incident response plan, which started with notifying multiple Maryland agencies, the FBI, and CISA. They also brought in outside cybersecurity firms to help with the response.

    “MDH took immediate containment action by isolating their sites on the network from one another, external parties, the Internet, and other State networks. As a result of this containment approach, some services were rendered unavailable and some remain offline today. I want to be clear: this was our decision and a deliberate one, and it was the cautious and responsible thing to do for threat isolation and mitigation,” Stewart said.

    He defended the decision to keep some services offline, writing that he has seen instances where organizations reconstitute services too quickly.

    Multiple news outlets in Maryland have reported that the health department and dozens of local partners have struggled to recover from the ransomware incident over the last six weeks. For weeks, the department was unable to release COVID-19 case rates as the Omicron variant devastated other states. While that service has returned, health officials now have to calculate the COVID-19 statistics by hand.

    Governor Lawrence Hogan also defended the state’s response, telling reporters on Wednesday that “unlike Texas and I think a couple of other dozen states, we haven’t lost hundreds of millions of dollars, and we haven’t compromised millions of peoples’ data.”

    According to local news outlet Maryland Matters, the number of deaths from COVID-19 was not reported in the state for almost the entire month of December, and the state was not able to issue death certificates for about two weeks. In speaking with health officials and union members about the attack, the outlet discovered that some people dealing with HIV could no longer access the daily medication they need and some hospitals were unable to access bank accounts to cover the cost of basic necessities.

    After a visit to Springfield Hospital Center, State Senator Katie Fry Hester told Maryland Matters that officials have restored access to high-profile, public-facing tools but “the stuff behind the scenes that the healthcare workers need to actually do their jobs are still down.” Other health officials said many of the state’s smaller hospitals were forced to revert to paper records. Access to critical databases for communicable diseases, lab reports, and more is still down.

    Atif Chaudhry, Maryland Department of Health’s deputy secretary for operations, said in a statement that the state has a continuity plan designed specifically for situations like this.
    Officials prioritized mission-critical and life-safety services as they worked around the ransomware attack, using Google Workspace as a tool to “ensure that they can serve the public’s most urgent needs right now and resume their standard level of full service.” State officials plan to hold a hearing about the ransomware attack on Thursday.

  • Fortinet: Cybercriminals are exploiting Omicron news to distribute RedLine malware

    Fortinet has uncovered an effort to spread RedLine malware through news about the COVID-19 Omicron strain. FortiGuard Labs researchers said the people behind the malware are trying to use the ongoing pandemic to steal information and credentials. RedLine is a relatively common malware that steals all of the usernames and passwords it finds throughout an infected system. Fortinet said the RedLine Stealer variant in this instance steals stored credentials for VPN applications like NordVPN, OpenVPN, and ProtonVPN.

    “FortiGuard Labs recently came across a curiously named file, ‘Omicron Stats.exe’ which turned out to be a variant of RedLine Stealer malware. While we have not been able to identify the infection vector for this particular variant, we believe that it is being distributed via email,” the company said in its report, noting that the issue affects Windows users. “Based on the information collected by FortiGuard Labs, potential victims of this RedLine Stealer variant are spread across 12 countries. This indicates that this is a broad-brush attack and that the threat actors did not target specific organizations or individuals.”

    Researchers at multiple cybersecurity companies have said use of RedLine Stealer started around March of 2020. It quickly took over as one of the most popular infostealers available on underground digital markets, according to Fortinet. The researchers said cybercriminals typically use it to steal information and sell it on dark net marketplaces “for as low as $10 dollars per set of user credentials.” The credentials range from those used for accounts on online payment portals, e-banking services, and file-sharing tools to those used for social networking platforms.

    “The malware emerged just as the world began to deal with increased numbers of COVID patients and the growing fear and uncertainty that can cause people to lower their guard, which may have prompted its developers to use COVID as its lure,” Fortinet explained.

    Fortinet noted that hackers have previously used COVID-themed emails to spread RedLine Stealer variants, with the malware embedded in a document designed to be opened by a victim. Last month, data breach tracker Have I Been Pwned added 441,657 unique email addresses to its database after cybersecurity researcher Bob Diachenko discovered RedLine Stealer malware logs with more than six million records exposed online. Cybersecurity firm Proofpoint said in a blog post in 2020 that RedLine is available for sale on Russian underground forums, with different versions costing $150 (lite) or $200 (pro).

  • EA confirms dozens of high-profile FIFA accounts hacked

    Gaming giant Electronic Arts (EA) confirmed that about 50 high-profile FIFA 2022 accounts were hacked over the last few weeks. In a statement, the company said the accounts were compromised through phishing techniques and other social engineering methods that were used to dupe EA customer experience team members into helping the hackers get around two-factor authentication. EA said the hackers used “threats” to “exploit human error within our customer experience team.”

    “Over the last few weeks we’ve been made aware of reports that high-profile player accounts are being targeted for takeover. Through our initial investigation we can confirm that a number of accounts have been compromised via phishing techniques,” EA said in a statement. “At this time, we estimate that less than 50 accounts have been taken over using this method. We are currently working to identify rightful account owners to restore access to their accounts, and the content within, and players affected should expect a response from our team shortly. Our investigation is ongoing as we thoroughly examine every claim of a suspicious email change request and report of a compromised account.”

    Gamers took to social media over the last two weeks to complain about the issues. While the EA statement only cites fewer than 50 accounts, the initial story about the incident from Eurogamer said the top 100 traders in FIFA Ultimate Team were targeted. Many of these players make significant amounts of money through their gameplay. French soccer star Valentin Rosier wrote on Twitter that his FIFA account had been hacked as well, causing him to lose access to 60 million credits. He also expressed worry because he put money into his account. One of the biggest FIFA players in the world said that his account was given to “a random person via the live chat, a clear breach of data protection laws.”

    “I told EA live chat 2 times to add notes to my account to put that my account was being targeted by hackers and to not change any details, and they still did it. Nothing more I could have done and tbh I shouldn’t have to do anything. It is basic security, disgusting stuff,” FIFA player FUT Donkey said. In the comment section, the player shared a screenshot of dozens of emails received from EA’s customer support team, explaining that the hackers were able to “spam the livechat asking to change my account details until some incompetent advisor finally gave them the account.”

    “It’s not enough to get my stuff back, every last person who got hacked needs to get their shit back or we are taking action, clear breaches of data protection regulations in every country in Europe,” the player added.

    EA said all of its advisors and individuals who assist with the service of EA accounts will get “individualized re-training and additional team training” centered on security and phishing. The company will also be “implementing additional steps to the account ownership verification process” like managerial approval for all email change requests. They also plan to update the software used for the customer experience processes so that they can “better identify suspicious activity, flag at-risk accounts, and further limit the potential for human error in the account update process.” The changes, according to EA, may lead to longer wait times for gamers.

  • Firefox 96 update focuses on noise improvements, main thread efficiency

    Mozilla published its patch notes for the desktop and Android versions of Firefox 96. The new update focuses on helping video chat users, increasing performance and security, and improving user experiences on mobile devices.


    On the desktop side of things, Mozilla’s latest release made “significant improvements” to the browser’s built-in noise suppression and auto-gain-control features. These improvements are aimed at web-based video chat users, particularly those using software or hardware without its own built-in methods for suppressing background noise or automatically controlling the user’s mic input levels. Along the same lines, Mozilla also made “slight improvements” to its echo-cancellation tech, which helps speakers in poor acoustic environments avoid resonance.

    The second tentpole feature in version 96 focuses on reducing main-thread load, which should help the browser function better on older, slower, or congested systems without ample resources to handle its processing and memory needs.

    Last up for added features on the desktop version is a new enforcement setting for cookies which will, by default, apply the “Same-Site=lax” policy. Mozilla claims this will help better defend users against Cross-Site Request Forgery (CSRF) attacks.

    Fixes applied to the latest version of the desktop browser include corrections for opening Gmail links on macOS, multiple video playback and performance fixes, and security updates. Mozilla also acknowledged that it is working on correcting the performance of detached videos being played in full screen on macOS devices. This feature was “temporarily disabled” to “avoid some issues with corruption, brightness changes, missing subtitles, and high CPU usage.” No timeframe was mentioned for when it might be available again.

    On the Android side of things, Mozilla added a new “history highlights” feature to help users find recently visited sites, as well as improvements to the images displayed for recent bookmark additions on the user’s homepage. The long list of mobile fixes includes clipboard improvements, tab management enhancements, a correction to private tabs being displayed as normal tabs, fixes for history interface display issues, and better on-screen keyboard behaviors.

    Both the desktop and Android versions of Firefox 96 are available now.

  • This new malware wants to create backdoors and targets Windows, Linux and macOS

    Cybersecurity researchers have uncovered a new form of malware that can create backdoors on Windows, Linux and macOS operating systems, providing hackers with full access to compromised systems. The malware has been detailed by researchers at Intezer, who have named it SysJoker. It was discovered while they were investigating an attack against a Linux-based web server at an undisclosed educational institution in December. SysJoker wasn’t the malware behind the attack being investigated – but it was already present on the servers. 


    The nature of SysJoker and the way it’s designed to provide a backdoor into systems – with the ability to run commands, download and upload files – suggests the goal for those delivering it could be espionage, but it could also be utilised as a tool for delivering additional malware to compromised systems.

    “Based on the malware’s capabilities we assess that the goal of the attack is espionage together with lateral movement that might also lead to a ransomware attack as one of the next stages,” Avigayil Mechtinger, cybersecurity researcher at Intezer, told ZDNet.

    SysJoker compromises victim devices by masquerading as a system update for Linux and macOS, while the Windows version masquerades as Intel drivers. It’s unclear how the phoney driver updates are delivered to victims, but the nature of the updates means that users are likely to follow the instructions to install them. Researchers note that update names like “updateMacOs” and “updateSystem” are relatively generic, which is something that could potentially arouse suspicion.

    Based on analysis of SysJoker, the malware started being actively deployed in attacks in the second half of 2021 and the attackers behind it are paying close attention to their campaigns. Even during the period of analysis after the malware was initially discovered in December, the command and control domain behind the attacks changed three times, indicating that those behind the campaign are actively monitoring targets.

    The way the attackers pay close attention to compromised victims, the way in which they appear to carefully choose their targets and the way that the malware can target multiple operating systems suggests that those behind SysJoker are what researchers describe as an “advanced threat actor”. In addition to this, the fact that the attackers have written code from scratch that hasn’t been seen in previous attacks and can target three different operating systems also suggests that whoever the cyber criminals behind SysJoker are, they know what they’re doing.

    While the campaign isn’t widespread, SysJoker – given the way the attackers appear to go after specific targets and can remain hidden on compromised networks for significant periods of time – was only discovered when another attack was being investigated. It’s likely that the campaign is still active, but researchers have detailed advice on how to avoid falling victim. This includes using memory scanners to detect malicious payloads that have potentially been installed. Administrators should also be on the lookout for potentially suspicious activity and investigate it if something feels amiss.