Information Technology

As crime increases in Brazil, a new bill is proposing the suspension of instant payments system Pix in the state of São Paulo.

ZDNet Recommends

Best security key 2021

While robust passwords go a long way to securing your valuable online accounts, hardware-based two-factor authentication takes that security to the next level.

Read More

If the bill put forward by the São Paulo Legislative Assembly is signed into law, it will prevent financial services providers and payment institutions from processing payments through Pix until the Brazilian Central Bank introduces mechanisms to ensure consumer safety. The Assembly can vote to revoke the law if the Central Bank presents a technical security report that demonstrates what measures have been implemented. The objective is to prevent situations like the so-called lightning kidnappings, whereby consumers are forced to make instant transfers to criminals while being held ransom. Introduced in November 2020 as part of a broader modernisation of the Brazilian financial services environment — which also includes ongoing initiatives, such as Open Banking — Pix has more than 104 million registered users and has processed more than 1.6 billion transactions since it launched. Around 75% of the transfers carried out via Pix in its first year of operation took place between individuals. According to the Central Bank, the system enabled financial inclusion at a significant scale; around 40 million Brazilians who had never made a money transfer before did so through the instant payments system. Transfers are made through a Pix “key,” which acts as a sort of nickname associated with a user’s full account details, aimed to simplify the payment process. A Pix key could be a user’s mobile phone number, tax registration number, email address, a randomly generated alphanumeric string, or a QR code. The convenience introduced by the instant payments system created loopholes for criminal action, however, prompting the Central Bank to impose limits on the value of transactions made between 8pm and 6am and on weekends. Other measures included a precautionary block on the receipt of transfers for up to 72 hours in cases of suspected fraud, as well as a special return mechanism scam victims can use.

The author of the bill that aims to suspend Pix in the state of São Paulo, congressman Campos Machado, notes that banks did not anticipate that “the enormous ease and convenience [Pix offers] to users would also bring dexterity to criminals, who have discovered the comfort and speed of using it to their advantage.”The debate over instant payments in the context of increasing crime follows the first major data protection incident involving Pix that occurred in October. More than 395,000 Pix keys under the custody and responsibility of the Bank of the State of Sergipe (Banese) — likely obtained through social engineering or phishing techniques — were leaked. More

There’s been a surge in cyber criminals selling access to compromised corporate networks as hackers look to cash in on the demand for vulnerable networks from gangs looking to initiate ransomware attacks. Researchers at cybersecurity company Group-IB analysed activity on underground forums and said there’s been a sharp increase in the number of offers to sell access to compromised corporate networks, with the number of posts offering access tripling between 2020 and 2021. Crooks are claiming to offer access to compromised Virtual Private Network (VPN) and Remote Desktop Protocol (RDP) login credentials, as well as web shells, reverse shells, Cobalt Strike penetration testing tools and more. With this access, cyber criminals can access a company’s networks and attempt to gain access to usernames and passwords or administrator rights which allow them to gain further control over the network.  On the underground forums being analysed, the number of offers to sell access to corporate networks went up from 362 to 1,099, a rise of three times in just a year and the report warns that increase is “one of the clearest trends on underground forums”. Some of the most common industries to which access is being offered to include manufacturing, education, financial services and healthcare.  The cost of access varies greatly and can sometimes be offered for a few thousand dollars – something a ransomware crew could make back many times over from a successful attack. But there’s a direct correlation between access value and the victim’s company revenue – the higher the revenue, the higher the price.  

SEE: A winning strategy for cybersecurity (ZDNet special report)  One of the key reasons there’s been an increase in sellers is because there’s the demand which is being driven by the growth in ransomware attacks. Ransomware groups need access to networks and buying access is easier and less time consuming than compromising networks themselves. “Ransomware operators are the main “customers” of initial access brokers’ (IAB) services,” Dmitry Shestakov, head of cybercrime research at Group-IB told ZDNet. “This unholy alliance of IABs and ransomware operators as part of ransomware-as-as-a-service affiliate programs has led to the rise of the ransomware empire,” he added. Another reason for the growth of initial access markets is because there is a relatively low skills threshold for engaging in this sort of cyber crime. These less sophisticated cyber criminals can use phishing attacks or buy off-the-shelf malware to steal information.The report also suggests that gaining this initial access has got easier due to the rise in remote working as a result of the  pandemic, which has resulted in many organisations unintentionally using insecure or misconfigured applications which cyber criminals can easily exploit. And as long as there are insecure networks which can be accessed and a demand from other cyber criminals to buy access to those networks, the rise of the access broker market looks set to continue.”We expect the number of brokers and initial access offers to grow. As the supply increases to meet the demand, we expect the price of initial access to corporate networks to decrease,” said Shestakov. “Ransomware will remain the main way to monetize access to corporate networks because it provides the highest possible return on investment for IABs,” he added. There are measures which organisations can take to help avoid cyber criminals breaching the network and gaining access to credentials.  They include installing software updates and security patches on a regular and timely basis to protect against known vulnerabilities, encouraging the use of strong passwords which are difficult to breach in brute force attacks and applying multi-factor authentication to accounts so that if credentials are compromised, there’s limited opportunities for attackers to exploit them. MORE ON CYBERSECURITY More

The call comes. And your instinct is to react instantly.
Screenshot by ZDNet
We all think we’re invulnerable. Until life events — or callous cyberscamming sorts — prove otherwise.

One momentary lapse of judgment, one careless moment of instant reaction, and we can descend into a hole from which it’s hard to emerge.A particularly cruel scam involves preying on those — the elderly or those not well versed with officialdom, for example — who are most willing to believe an official-sounding phone call is real.The caller may claim — as did one I received the other day — that they’re from the “Department of Taxes.” They may claim that a member of your family has been arrested and needs to have their bail paid. And, as panic may set in, the request is simple: you can make this all go away with some gift cards.See also: Shopping online? FBI says beware of these holiday scams and phishing threats.That may sound completely scammish to most, but not to all. Yet, how can you get through to the most vulnerable?Cybersecurity platform Scam Spotter, a non-profit collaboration between the Cybercrime Support Network and Google, is trying something different. Instead of dire warnings that may not get through in a relatively dire world, it’s gone for the action movie treatment.

Its new ad shows us a grandmother receiving a call late at night.”Your granddaughter has been incarcerated in a foreign jail,” begins the robotic voice. “She has provided your number as a family representative to pay her bail. The only form of payment we accept is gift cards.”Because that’s the currency of most foreign countries. Everyone knows that.In this case, however, instead of presenting grandma as a victim, Scam Spotter turns her into an action hero.

[embedded content]

She’s not going to pay with gift cards out of fear. She has quite another gift in mind.Fortunately, she’s adept at driving very fast, leaping very high, piloting a helicopter, skydiving with accuracy, and disabling horrible little men.She rescues her teenage grandaughter with consummate aplomb, as this message appears: “If it sounds unbelievable, it probably is.”A lesson for life, not merely for scams.See also: Google disrupts massive phishing and malware campaign.Scam Spotter’s website offers simple rules to go by when you receive one of these calls: Don’t fall for the apparent urgency of the situation. Double-check the details. (There really is no Department of Taxes.) And never, ever send anything to these people.”No reputable person or agency will ever demand payment on the spot,” says Scam Spotter.The scammers keep doing it because people keep falling for it. Scam Spotter is, at least, trying a different way to attack an issue that causes so much needless suffering.One can only hope it works. Or begins to work. Or has at least a tiny effect. More

Cyber criminals are using online adverts for fake versions of popular software to trick users into downloading three forms of malware – including a malicious browser extension with the same capabilites as trojan malware – that provide attackers with usernames and passwords, as well as backdoor remote access to infected Windows PCs.  The attacks, which distribute two forms of seemingly undocumented custom-developed malware, have been detailed by cybersecurity researchers at Cisco Talos who’ve named the campaign ‘magnat’. It appears the campaign has been operating in some capacity since 2018 and the malware has been in continuous development.  

ZDNet Recommends

Over half of the victims are in Canada, but there have also been victims around the world, including in the United States, Europe, Australia and Nigeria. SEE: A winning strategy for cybersecurity (ZDNet special report)  Researchers believe that victims are tricked into downloading the malware via malvertising – malicious online adverts – that trick them into downloading fake installers of popular software onto their systems. The users are likely to be looking for the legitimate versions of the software, but get directed to the malicious versions by advertising.  Some of the software that users are tricked into downloading includes fake versions of messaging apps such as Viber and WeChat, as well as fake installers for popular video games like Battlefield.   The installer doesn’t install the advertised software but instead installs three forms of malware – a password stealer, a backdoor and a malicious browser extension, which enables keylogging and taking screenshots of what the infected user is looking at. 

The password stealer being distributed in the attacks is known as Redline, a relatively common malware that steals all the usernames and passwords it finds on the infected system. Magnat previously distributed a different password stealer, Azorult. The switch to Redline likely came because Azorult, like many other forms of malware, stopped working correctly after the release of Chrome 80 in February 2020.  While the password stealers are both commodity off-the-shelf malware, the previously undocumented backdoor installer – which researchers have called MagnatBackdoor – appears to be a more bespoke form of malware that has been distributed since 2019, although there are times where distribution has stopped for months.  MagnatBackdoor configures the infected Windows system to enable stealthy remote desktop protocol (RDP) access, as well as adding a new user and scheduling the system to ping a command and control server run by the attackers at regular intervals. The backdoor allows attackers to secretly gain remote access to the PC when required.  The third payload is a downloader for a malicious Google Chrome extension, which researchers have named MagnatExtension. The extension is delivered by the attackers and doesn’t come from the Chrome Extension Store. SEE: Hackers are turning to this simple technique to install their malware on PCs This extension contains various means of stealing data directly from the web browser, including the ability to take screenshots, steal cookies, steal information entered in forms, as well as a keylogger, which registers anything the user types in the browser. All of this information is then sent back to the attackers.   Researchers have likened the capabilities of the extension to a banking trojan. They suggest the ultimate aim of the malware is to obtain user credentials, either for sale on the dark web or for further exploitation by the attackers. The cyber criminals behind MagnatBackdoor and MagnatExtension have spent years developing and updating the malware and that’s likely to continue.  “These two families have been subject to constant development and improvement by their authors – this is likely not the last we hear of them,” said Tiago Pereira, a security researcher at Cisco Talos.  “We believe these campaigns use malvertising as a means to reach users that are interested in keywords related to software and present them links to download popular software. This type of threat can be very effective and requires that several layers of security controls are in place, such as endpoint protection, network filtering and security awareness sessions,” he added. 
MORE ON CYBERSECURITY More

Image: Nikolas Kokovlis/NurPhoto via Getty Images
Twitter has removed another 3,465 state-backed accounts as part of efforts to limit the influence of information manipulation campaigns on the web. The social media platform explained in a blog post that the account sets that have been removed include eight “distinct operations” that can be attributed to China, Mexico, Russia, Tanzania, Uganda, and Venezuela. “Every account and piece of content associated with these operations has been permanently removed from the service,” Twitter said. Listing out the operations, the majority of accounts removed in this round of purges were linked to China, with over 2,000 of them amplifying Chinese Communist Party narratives related to the treatment of the Uyghur population in Xinjiang. Another network of around 100 accounts were connected to “Changyu Culture”, a private company backed by the Xinjiang regional government. Rounding out the top three governments that had their linked accounts removed was the Ugandan government, which had 418 of its linked accounts that used inauthentic activity to support having the Ugandan presidential incumbent Museveni removed, while 277 Venezuelan accounts amplifying accounts and content that supported the presiding government were removed. In addition to banning these accounts and the content shared by them, Twitter has shared relevant data from this disclosure with the Australian Strategic Policy Institute, Cazadores de Fake News, and the Stanford Internet Observatory.

The disclosure comes during a week where Twitter’s founder Jack Dorsey resigned from the company’s CEO post. Twitter on Wednesday also announced the expansion of its private information policy to include the sharing of private media, such as photos and videos, without permission from the individuals that are depicted in them. Related Coverage More

The federal government has released an updated digital government strategy as part of its goal to make Australia one of the top three digital governments in the world by 2025. It has been working on the refresh for more than a year, and the culmination of consultation is an updated 28-page digital government strategy. Under the strategy, the government has set out three priorities for its services in trying to achieve that goal. These priorities are making all government services digitally available, easily accessible, and people and business-centric.The updated priorities do not steer far from those in the government’s previous digital strategy, which had set out priorities of making government easier to deal through the adoption of myGovID and informing citizens about government’s use of data.On a practical level, delivering the new strategy will entail uplifting digital ecosystems, reusing certain technologies to deliver value for money, and expanding the government’s digital workforce, said Stuart Robert, the minister responsible for whole-of-government data and digital policy.The strategy refresh comes days after a Senate committee blasted the federal government for its lack of progress in auditing its IT capabilities. The Senate Standing Committee on Finance and Public Administration on Monday said progress on an “urgent audit” that government agreed to undertake was lagging, which has caused delays for its IT advancement. The audit was agreed to based on recommendations made in an independent review of federal government agencies.The committee also noted that the federal government currently has no central data collection process related to IT expenditure across government.  Addressing the independent review, Robert said it uncovered that government needed to approach uplifting digital capabilities differently.

“We need to better align the approaches of agencies to address common challenges, reducing the duplication of effort,” he said. “We need to make data more readily available and accessible to inform evidence-based decision making.”Alongside the strategy refresh, Robert announced a slew of other digital government movements, which included a new whole-of-government architecture, re-use policy and catalogue, whole-of-government digital and IT oversight framework, and trials of cyber hubs. The new whole-of-government architecture consists of standards, guidance, products, and tools to support federal government agencies for designing digital capability and implementing and operating technologies, Robert said.He also claimed the architecture would also give industry guidance on the federal government’s IT direction, including the digital capabilities it wants to be built in a reusable way.”Through the whole-of-government architecture, the DTA has worked in concert with government departments and agencies to map out all the strategic capabilities that we require as a government. They are now working towards identifying the existing digital and ICT assets across whole of government and the capability gaps we need to fill,” Robert said.The architecture will be complemented by a re-use policy and catalogue designed to provide government agencies a more informed view of emerging or existing government platforms and what could potentially be reusable platforms.”Reuse of core tech is now a Cabinet mandated requirement,” Robert said.Outlining the whole-of-government digital and IT oversight framework, Robert said all future digital and IT spending proposals put forward by agencies would be required to comply with various government policies, ranging from its digital service standards to cybersecurity guidelines to the re-use catalogue.In addition, all digital and IT proposals must contain an assurance plan signed off by the Digital Transformation Agency (DTA) and the relevant department as part of this new oversight framework.”[This] provides an important institutional lever for the government to monitor high cost or high risk digital and ICT-enabled investment proposals, and ensures these proposals align with whole-of-government digital policies from the earliest point in the policy development process,” Robert said.Turning to Robert’s announcement about trials of cyber hubs, he explained that the federal government would develop four cyber hubs that will be tasked with protecting all departments and agencies. The cyber hubs will be modelled off Services Australia’s 24/7 Cyber Ops Centre.The trial is an expansion of the DTA’s cyber hub pilot from earlier this year where Home Affairs, Defence, and Services Australia were providers in the pilot.Services Australia, Tax, Defence, and Home Affairs will each be a provider for one cyber hub in the trial, Robert said. RELATED COVERAGE More

Colorado’s Delta-Montrose Electric Association (DMEA) is still struggling to recover from a devastating cyberattack last month that took down 90% of its internal systems and caused 25 years of historic data to be lost. In an update sent to customers this week, the company said it expects to be able to begin accepting payments through its SmartHub platform and other payment kiosks during the week of December 6.”We also tentatively estimate we will be able to resume member billing the week of December 6 – 10. We recognize this will result in members receiving multiple energy bills close together. As a reminder, we will not disconnect services for non-payment or assess any penalties through January 31, 2022,” the company said on a page that has been updated repeatedly over the last month. The company said it began noticing issues on November 7, and the cyberattack eventually brought down most of its internal network services. The attack affected all of the company’s support systems, payment processing tools, billing platforms and other tools provided to customers. DMEA said the hackers were targeting specific parts of the company’s internal network and corrupted saved documents, spreadsheets, and forms, indicating it may have been a ransomware incident. The attack even affected the company’s phone and email systems, but DMEA said the power grid and fiber network were not touched during the attack. The energy company hired cybersecurity experts to investigate the incident, but nearly a month later they are still having issues recovering. 

“We are currently operating with limited functionality and are focused on completing our investigation and restoring services as efficiently, economically, and safely as possible. We are committed to restoring our network and getting back to normal operations, but that will take time and requires a phased approach,” the company explained. They created temporary payment arrangements to deal with the outages and have suspended all penalty fees and disconnections for non-payment through January 31, 2022.Despite the damage to their system, DMEA claimed no sensitive data from customers or employees was breached. But they now have to work through a “phased restoration approach” as they rebuild their systems. DMEA CEO Alyssa Clemsen Roberts said the impact on their systems was “extensive” and that a good portion of their saved data, such as forms and documents, was corrupted. “The path to full restoration will take time, and it may result in many of our members receiving back-to-back energy bills. With colder weather approaching and the holiday season already here, we recognize this incident has come at an unfortunate time,” Roberts said. “This isn’t how we hoped to close out the year, and on behalf of all of us at DMEA, I am grateful for your patience, support, and understanding as we navigate this incident.”Saryu Nayyar, CEO at cybersecurity firm Gurucul, said utilities tend to have complex networks that often comingle enterprise operations with mission control.”It’s a bit of a surprise that we haven’t seen more attacks on public utilities, but there is no question that more are coming,” Nayyar explained. The headline-grabbing ransomware attack on Colonial Pipeline earlier this year involved similar issues. Attackers brought down the company’s business technology networks, forcing the energy producing side to struggle as well. SecurityGate CISO Bill Lawrence added that while the term ‘ransomware’ is not in any of the reporting or DMEA’s explanation of events, they had a large portion of their data corrupted and their internal phone system went down too. “It will be interesting to learn a motive behind this attack if there are no ransom demands,” Lawrence said. “Co-ops are owned by their local communities, so the local folks will be dealing with increased costs due to response and recovery from the attack.” More

The Department of Homeland Security (DHS) announced two new cybersecurity directives handed down by the Transportation Security Administration (TSA) on Thursday designed to better protect freight railroads and passenger rail transit in the US.

TSA said rail services are “higher risk” and that the new rules “need to be issued immediately to protect transportation security.”The new rules make it mandatory for rail company owners and operators to have a cybersecurity coordinator, report cybersecurity attacks to CISA in 24 hours or less, and create a cybersecurity incident response plan. The rules also require owners to complete cybersecurity vulnerability assessments.DHS also detailed voluntary measures to improve cybersecurity across the transportation sector following a series of attacks over the last two years. “These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats,” said Secretary of Homeland Security Alejandro Mayorkas. “DHS will continue working with our partners across every level of government and in the private sector to increase the resilience of our critical infrastructure nationwide.” These are just the latest cybersecurity directives handed down by DHS this year, as the agency seeks to charge government-adjacent industries to improve their cybersecurity measures. Following multiple attacks on critical infrastructure in the US this year — including oil pipelines, transportation companies, and agricultural organizations — DHS has regularly provided new guidance and mandatory rules. 

Congress is also mulling a variety of bills related to incident reporting and other cybersecurity measures. While previous administrations sought to promote cybersecurity hygiene through voluntary measures, the Biden Administration has handed down more stringent measures as ransomware incidents continue. DHS has faced backlash from some private sector companies and Republican members of Congress over the cybersecurity rules, with many arguing that they are being forced on companies without advance guidance. In its statement on Thursday, DHS made a point of saying TSA worked with “industry stakeholders,” “federal partners,” and CISA to create the directives. Victoria Newhouse, a TSA deputy assistant administrator, confirmed to Congress on Thursday that private industry experts were consulted on the new rules. Newhouse said she and other officials met with rail companies to discuss the range of threats facing their industry. One of the criticisms Republican lawmakers have levied against DHS is that the directives are being handed down in the absence of detailed, specific threats. On Thursday, DHS said CISA “provided expert guidance on cybersecurity threats to the transportation network and countermeasures to defend against them.”TSA suggested “all other lower-risk surface transportation owners and operators” also institute the rules, although it would be voluntary. TSA already released guidance for aviation industry operators, pipelines, and other enterprises. A DHS official told The Wall Street Journal that Thursday’s directives will affect 90% of passenger rail systems in the US and 80% of freight rail systems that they consider high risk. More