More stories

  • Google: Half of compromised cloud instances have weak or no passwords

    Online criminals are deploying cryptocurrency miners within just 22 seconds of compromising misconfigured cloud instances running on Google Cloud Platform (GCP). Cryptocurrency mining is by far the main malicious activity conducted by attackers after taking advantage of misconfigured instances hosted on GCP, making up 86% of all actions carried out after compromise. In many cases, the attackers move extremely quickly after compromising an instance, installing cryptomining malware to free-ride off others’ CPU and GPU resources and turn a profit for themselves.

    “Analysis of the systems used to perform unauthorized cryptocurrency mining, where timeline information was available, revealed that in 58% of situations the cryptocurrency mining software was downloaded to the system within 22 seconds of being compromised,” Google says in its first Cloud Threat Intelligence report. Another striking trend was how quickly attackers are finding and compromising unsecured, internet-facing instances. The shortest time to compromise was 30 minutes after the instance was deployed. In 40% of cases, the time-to-compromise was under eight hours. Security firm Palo Alto Networks similarly found that 80% of 320 internet-facing ‘honeypot’ instances hosted in the cloud — and designed to attract attackers — were compromised within 24 hours.

    As Google’s report highlights, crypto-mining malware is a problem for users on GCP who don’t take steps to protect their cloud instances. “While data theft did not appear to be the objective of these compromises, it remains a risk associated with the cloud asset compromises as bad actors start performing multiple forms of abuse. The public Internet-facing Cloud instances were open to scanning and brute force attacks,” Google notes. Internet-facing GCP instances were a significant target for attackers. Just under half of compromised instances were the result of attackers gaining access with either no password or a weak password for user accounts or API connections, which meant these instances could be easily scanned and brute forced. “This suggests that the public IP address space is routinely scanned for vulnerable cloud instances. It will not be a matter of if a vulnerable Cloud instance is detected, but rather when,” Google said. Additionally, 26% of compromised instances were due to vulnerabilities in third-party software being used by the owner. “Many successful attacks are due to poor hygiene and a lack of basic control implementation,” said Bob Mechler, director at Google Cloud’s office of the CISO. The report is a wrap-up of observations over the last year by Google Threat Analysis Group (TAG), Google Cloud Security and Trust Center, and Google Cloud Threat Intelligence for Chronicle, Trust and Safety.

  • This stealthy malware delivers a 'silent threat' that wants to steal your passwords

    Cyber criminals are using a new JavaScript downloader to distribute eight different kinds of remote access Trojan (RAT) malware and information-stealing malware in order to gain backdoor control of infected Windows systems, as well as steal usernames, passwords and other sensitive data. 

    The downloader has been detailed by cybersecurity researchers at HP Wolf Security, who’ve called it RATDispenser. The initial entry point for attacks is a phishing email that claims to contain a text file about a product order. Clicking the malicious file runs the process for installing RATDispenser. To avoid detection, the initial JavaScript download is obfuscated with long strings of code that help hide its malicious intent. Once installed, RATDispenser is used to distribute a range of different malware, including trojans, keyloggers and information stealers, all designed to steal sensitive data from the user. The most frequently distributed payloads are STRRAT and WSHRAT, which account for four in five of the analysed samples. But RATDispenser has also distributed other malware, including invasive information stealers such as Adwind, Formbook, Remcos, Panda Stealer, GuLoader and Ratty. Some of these trojans, like Panda Stealer, are relatively new, having only been discovered this year, while others, such as WSHRAT, have been active for many years.

    At the time the research was published, RATDispenser was only detected by one in 10 available anti-virus engines. “It’s particularly concerning to see RATDispenser only being detected by about 11% of antivirus systems, resulting in this stealthy malware successfully deploying on victims’ endpoints in most cases,” said Patrick Schlapfer, malware analyst at HP. “RATs and keyloggers pose a silent threat, helping attackers to gain backdoor access to infected computers and steal credentials from business accounts or even cryptocurrency wallets. From here, cyber criminals can siphon off sensitive data, escalate their access, and in some cases sell this access on to ransomware groups,” he added. To protect users from attacks by RATDispenser and the malware it drops, the researchers recommend that network administrators audit which email attachment file types are allowed by their email gateway and block executable types that aren’t needed – such as JavaScript or VBScript.

  • Black Friday shopping? FBI says beware of these holiday scams and phishing threats

    With Thanksgiving underway and Black Friday sales about to arrive, the FBI has warned consumers to be wary of online-shopping scams and phishing attackers using big brands to steal online credentials. The FBI is expecting a rise in complaints and losses during the 2021 holiday season “due to rumors of merchandise shortages and the ongoing pandemic”, it says in a public service announcement. 

    Global supply chain problems have affected everything from online fashion sales to smartphones, games consoles and the auto industry. Sony earlier this month cut its PlayStation 5 production outlook due to component shortages and the games console remains hard to buy in many parts of the world. During the 2020 holiday season, the FBI received 17,000 complaints over goods that weren’t delivered, resulting in losses of over $53 million. In particular, the FBI warns consumers to be cautious of deals that are too good to be true in email, on websites, in social media posts, and in ads on social media. It highlights the risk of online surveys that aim to steal personal information or debit and credit card details. For those purchasing a new pet this holiday season, the FBI recommends meeting the animal and owner in a video chat before buying to reduce the chances of being scammed by sellers of a non-existent pet.

    The FBI recommends that consumers only purchase from HTTPS websites and beware of online retailers who use, for example, a free email account instead of an address on the company’s domain. Consumers should also pay for items using a credit card dedicated to online purchases, check statement activity, and never save payment information in online accounts. Never use public Wi-Fi to make a purchase, and look up reviews of the online seller and check with the Better Business Bureau to see if they’re legitimate. Victims of fraud can report incidents to the FBI’s www.ic3.gov website. Another risk for consumers this holiday season is the range of online techniques and tools that scammers use to harvest account credentials for brand-name companies. The FBI issued another PSA warning of “recent spear phishing email campaigns” targeting consumers. One of the key goals of the scammers is to bypass two-factor authentication (2FA). At risk are customers of big brands in the technology, banking, shipping, and retail industries. The spear-phishing campaigns aimed at bypassing 2FA target accounts where consumers have used their email address as their user ID. “Once detected, the consumer is redirected to an email scampage of the same email domain to steal their email account login and password information,” the FBI warns. “When cyber criminals gain access to a consumer’s online and email accounts, cyber criminals may be able to intercept emails with 2FA codes that are used to make significant changes to online accounts, update passwords, verify user access, or change security rules and setup before the account owner is notified and aware,” the FBI notes. Credential scam pages are moving to an ‘as-a-service’ model, where criminals sell their scam pages to others, the FBI warns.

    Among the important pieces of advice from the FBI: “Do not store important documents or information in your email account (e.g., digital currency private keys, documents with your social security number, or photocopies of a driver’s license).” It also urges users to enable 2FA.

  • This chip flaw could have let malicious apps eavesdrop on Android phone users

    Taiwanese chip maker MediaTek has addressed four vulnerabilities that could have allowed malicious apps to eavesdrop on Android phone users. Three of the vulnerabilities, tracked as CVE-2021-0661, CVE-2021-0662 and CVE-2021-0663, affected MediaTek’s audio digital signal processor (DSP) firmware. It’s a sensitive component that, if compromised, could allow attackers to spy on user conversations. Researchers at Check Point found and reported the flaws to MediaTek, which disclosed and fixed them in October. A fourth issue affects the MediaTek HAL (CVE-2021-0673). It was also fixed in October but will be disclosed in December.

    “A malformed inter-processor message could potentially be used by an attacker to execute and hide malicious code inside the DSP firmware. Since the DSP firmware has access to the audio data flow, an attack on the DSP could potentially be used to eavesdrop on the user,” explains Check Point researcher Slava Makkaveev. According to market research firm Counterpoint, MediaTek’s system-on-chips (SoCs) accounted for 43% of the mobile SoCs shipped in Q2 2021. Its chips are found in high-end smartphones from Xiaomi, Oppo, Realme, Vivo and others. Check Point estimates MediaTek chips are present in about a third of all smartphones. The vulnerabilities are accessible from the Android user space, meaning a malicious Android app installed on a device could be used for privilege escalation against the MediaTek DSP for eavesdropping.

    MediaTek rated CVE-2021-0661, CVE-2021-0662 and CVE-2021-0663 as medium-severity heap-based buffer overflow flaws in the DSP. In all three cases, it notes that “user interaction is not needed for exploitation.” Check Point also discovered a way to use the Android Hardware Abstraction Layer (HAL) to attack MediaTek hardware. “While looking for a way to attack the Android HAL, we found several dangerous audio settings implemented by MediaTek for debugging purposes. A third-party Android application can abuse these settings to attack MediaTek Aurisys HAL libraries,” explains Makkaveev. He adds that device manufacturers don’t bother validating HAL configuration files properly because they are not available to unprivileged users. “But in our case, we are in control of the configuration files. The HAL configuration becomes an attack vector. A malformed config file could be used to crash an Aurisys library which could lead to LPE,” writes Makkaveev. “To mitigate the described audio configuration issues, MediaTek decided to remove the ability to use the PARAM_FILE command via the AudioManager in the release build of Android,” he adds.

  • DBS Bank blames 'access control servers' for two-day service disruption

    DBS Bank has attributed the source of a service glitch to “access control servers”, which it says left many customers unable to log into their accounts. The Singapore bank has been instructed by the local regulator to investigate the cause of the problem that lasted two days. The service disruption was first reported Tuesday morning when several customers faced difficulties logging into or accessing DBS’ online and mobile services. The bank initially provided few details on what caused the issue, saying on its Twitter and Facebook profiles and website that it was aware customers were experiencing “intermittent slowness when accessing [its] banking services”. In an update posted early Wednesday morning, DBS said the problem was resolved and services restored. However, customers again reported difficulties accessing the bank’s online services, leading the bank to acknowledge later that day that the issue had recurred.

    It posted a video message Wednesday afternoon from its Singapore head Shee Tse Koon, who said the problem was “less severe” than the previous day, while apologising for the “anxiety caused”. “We identified a problem with our access control servers and this is why many of you have been unable to log in. We have since been working round the clock, together with our third-party engineering providers, to fix the problem and services were restored at 2am,” Shee said. “Unfortunately this morning, the same problem recurred.” He added that the bank was aware many of its customers still were unable to access its services and was working on a resolution. “In the meantime, I want to assure you that your deposits and monies are safe, and that you can continue with your banking needs either through our branches, or through phone banking. To facilitate this, we’ve extended banking services at all our branches by two hours,” he said.

    DBS later posted an update at 10.35pm that its digital services were “returning to normal” and it was monitoring the situation to ensure services were running smoothly. In a statement Wednesday, the Monetary Authority of Singapore (MAS) said it would consider appropriate actions after DBS had completed its assessment. “This is a serious disruption and MAS expects DBS to conduct a thorough investigation to identify the root causes and implement the necessary remedial measures,” said Marcus Lim, MAS’ assistant managing director for banking and insurance. The industry regulator said it was notified by DBS about its access control servers and was following up with the bank on the issue. Lim said all financial institutions were expected to have the “systems and processes” in place to ensure the “consistent availability” of their services to customers. DBS, along with subsidiary POSB, has some 5 million customers in Singapore. Early this month, DBS announced plans to invest SG$300 million ($220.22 million) next year to beef up the digital and intelligent banking capabilities that support the bank’s wealth and retail products and services. It said these efforts would enhance personalised user experiences across its digital and physical touchpoints.

  • Hit by ransomware? Make sure you don't make this first obvious mistake

    Organisations that fall victim to a ransomware attack shouldn’t let the cyber criminals know they have cyber insurance – because if the attackers know that their victim holds an insurance policy, they’re more likely to outright demand the ransom payment in full. Cybersecurity researchers at Fox-IT, part of NCC Group, examined over 700 negotiations between ransomware attackers and ransomware victims in order to analyse the economics behind the digital extortion attacks that demand a ransom payment – often millions of dollars in Bitcoin – in exchange for the decryption key.

    They found that if the victim has cyber insurance and the attacker knows about it, there’s little room to manoeuvre in negotiating a smaller ransom payment, because the attackers will exploit the existence of the cyber insurance to cover the payment they’re demanding. “Look, we know about your cyber insurance. Let’s save a lot of time together? You will now offer 3M, and we will agree. I want you to understand, we will not give you a discount below the amount of your insurance. Never. If you want to resolve this situation now, this is a real chance,” said a chat message from an unspecified ransomware gang, according to the research. In this case, the attacker set the fee in the knowledge of the cyber-insurance plan, leaving the victim without any real platform for attempting to negotiate a lower ransom payment. Another note from an unspecified ransomware operator appears to show that the cyber criminals set a significant ransom demand because they knew about the victim’s cyber-insurance policy – seemingly after the victim claimed they couldn’t afford to pay.

    “Yes, we can prove you can pay 3M. Contact your insurance company, you paid them money at the beginning of the year and this is their problem. You have protection against cyber extortion. I know that you are now in trouble with profit. We would never ask for such an amount if you did not have insurance,” said the attacker. A company could still claim that the insurance company wouldn’t pay the ransom demand, but the attacker is unlikely to accept that as the truth. While the researchers suggest telling the ransomware attacker about a cyber-insurance policy isn’t a good move for negotiations, there’s also the possibility that the attacker could discover any cyber insurance the company has themselves once they’re inside the network ahead of the ransomware attack. “Preferably also do not save any documents related to it on any reachable servers,” the researchers warn. Cyber insurance has become a way for victims to deal with the damage of a ransomware attack, but as Fox-IT’s research shows, knowledge of it can put criminals in an even more powerful position for demanding payment – especially if the insurance holder doesn’t have good cybersecurity in the first place. One answer could be to require organisations that want to take out a cyber-insurance policy to meet certain cybersecurity requirements before the provider agrees to issue it. “It’s a really difficult debate in which I think there are definitely some advantages to having cyber insurance, but only if there are certain thresholds for a company to get it,” Pepijn Hack, cybersecurity analyst at Fox-IT, told ZDNet. “Those thresholds can be an incentive to get a better grip on your cybersecurity awareness and on what your entire organisation’s cybersecurity is right now,” he said. However, this path could also be problematic, because if businesses do fall victim to a cyberattack and they don’t have cyber insurance, it could be extremely damaging.

    “Some cyber-insurance service companies have found out that people get hacked a lot, so it’s become really expensive and now they’re just stopping giving any cyber insurance at all, which I also don’t think is the right solution,” said Hack. “It has to be some kind of middle ground – and I think we’ll get there eventually,” he said. While paying a ransom to cyber criminals is generally not recommended because it encourages further attacks, after analysing hundreds of negotiations, Fox-IT researchers offered some suggestions on what to do if your business is hit with ransomware. That approach starts with preparing employees on how to react to a ransomware attack and, crucially, not clicking links in any ransom notes, so as not to prematurely start negotiations by setting the hackers’ countdown running. “The first thing any company should teach their employees is not to open the ransom note and click on the link inside it… the timer starts to count when you click on the link. You can give yourself some valuable time by not doing this. Use this time to assess the impact of the ransomware infection,” the researchers said. This time gives the response team a chance to examine what infrastructure has been hit and what impact it has had on operations, allowing the victim to retake some degree of control over the situation. Before starting negotiations, it’s also useful to know what your end goal is – can the organisation restore from backups, or will a ransom have to be paid? If the victim is willing to pay a ransom, they should have an idea of the maximum they’d pay. Research into the attacker can also help prepare victims for negotiations. It’s possible that a free decryption tool for that particular strain of ransomware is available, removing the need to pay a ransom at all.

    Examining research papers and media reports about the ransomware group can also provide information on how reliable they are at actually providing a decryption key and whether they’ll engage in other tactics to try to force a payment, such as DDoS attacks, calling your customers or stealing and leaking data. When it comes to actually engaging in negotiations, the researchers state that it’s important to be respectful and professional – it’s understandable that victims will be angry, but antagonising the attacker is unlikely to help the negotiation strategy. Meanwhile, being polite can help – in one example detailed in the blog post, a victim negotiated a ransom down from $4m to $1.5m. Many ransomware attacks try to pressure victims into paying within a set period, often with the threat of leaking data if they don’t. However, the researchers suggest that attackers are almost always willing to negotiate an extended window – after all, they want the money and they’ve taken the time to infect the systems, so they’re likely to be willing to wait a little longer. There’s also the option of trying to convince the attacker that you can’t pay the ransom, but if the attacker has access to the network, they may be able to see financial documents or cyber-insurance policies – and likely have a figure in mind based on that document that will be the basis for negotiations.

  • WA Auditor-General drags local governments over horrendous cyber risk management

    Perth city. Image: Getty Images
    The Western Australia Auditor-General has slammed local government (LG) entities in the hard border state, after determining they were not managing cyber risks well. The outcome of the audit was summed up by two key findings noted in the audit report. The first was that most vulnerabilities found during black box testing were over a year old, and in one instance, a vulnerability had existed for a decade and a half. “We tested the audited LG entities’ publicly accessible IT infrastructure and found vulnerabilities of varying types, severity, and age. The vulnerabilities included disclosure of technical information, out-of-date software, flawed or weak encryption, insecure software configuration, and passwords sent in cleartext over the internet,” it said. “44% of vulnerabilities were of critical and high severity, with a further 49% of medium severity. Known critical and high severity vulnerabilities are generally easy to exploit and expose LG entities to increased risk of compromise.”
    This is not good. Image: Office of the Auditor General for Western Australia
    The AG found out-of-date software accounted for 55% of vulnerabilities, followed by weak or flawed encryption at 34%, and insecure configuration at 8% of vulnerabilities. The second key finding came from a phishing test, which led users to a page that asked them for login credentials. At one entity, over 50 people clicked the link and around 45 submitted credentials; this was the result of one of the people selected for the phishing test forwarding it on to other staff and external contacts.

    The AG said that from that one forward action, it was able to collect 29 extra staff credentials that fell outside its intended testing scope, and 15 credentials from people external to the entity. The number of clicks and credentials collected was around 5 to 10 times higher than the next highest number from an audited entity. “[This] shows that people generally trust and are more likely to respond to emails from known contacts,” the report said.
    This is bad. Image: Office of the Auditor General for Western Australia
    More generally, the report said the entities were found to have failed to consider the risks of malware and ransomware, data breaches including reuse of credentials found in other breaches, unauthorised access to systems or networks from an external attack, theft of IT devices, and third-party supply chain/cloud risks. Two entities were found not to have had a penetration test done since 2015, while one entity had never had one. When doing its tests, the Auditor-General found only three entities had systems to detect and block simulated attacks, while nine did not detect or respond, and three took two weeks to detect and only once the attacks ramped up. The latter 12 entities had intrusion detection systems but had no processes to look at the information generated in a timely manner, the AG said.
    Yikes! Image: Office of the Auditor General for Western Australia
    Seven recommendations were made to improve the entities’ cyber posture, which the AG said were “generally accepted”, and most had made improvements during the audit process. “Entities should give regard to good practice principles in the Australian Government Information Security Manual and the Essential Eight controls to protect systems and information,” the report said. “While remediations will require an investment of time and money, support from senior management is equally important to uplift cybersecurity maturity.”

  • Mozilla ends support for Firefox Lockwise password management app, strands iOS users

    Farewell, sweet prince. Image: Mozilla
    Mozilla has emailed its Lockwise users to inform them that on December 13, it will be ending support for its Lockwise password management app. Lockwise has two guises: one in the browser itself at about:logins, and a separate app for iOS and Android that can become the default password manager for your phone without needing the overhead of starting up the Firefox browser. It is the latter and lighter option that has hit the end of the support road. “The Firefox Lockwise app will no longer be updated and supported by Mozilla and will not be available in the Apple App and Google Play Stores,” Mozilla said in its email. “After that date, current Lockwise users can continue to access their saved passwords and their password management in the Firefox desktop and mobile browsers.” A support note that has replaced the site for Lockwise says that the app could keep working after December 13, but it will not get updates.

    Android users can replace the password autofill functionality with Firefox itself, and see an arguable improvement in how it works, while iOS users that rely on Lockwise are left waiting. “Check back for updates in December 2021 on how to use Firefox for iOS as your system-wide password manager,” Mozilla states. Users on iOS will need to open up the browser to copy passwords the old-school way. While it may not have all the bells and whistles of its commercial competition, Lockwise became good enough in recent times to get by with, and it is backed by an open-source organisation with more respect for privacy than some in the field. As Mozilla is heavily reliant on rival Chrome-maker Google for funding, Lockwise as an app could have been an avenue to increase its non-Google funding line, but it was not to be. Last week, Mozilla decided users might want to pay for email address hiding as it unveiled Firefox Relay Premium. The standard Relay service provides five free aliases that forward emails to a primary address, with the new paid tier offering one subdomain alias to allow users to create unlimited aliases, such as yourdomain.mozmail.com, a summary dashboard, and the ability to reply to emails from the alias. Firefox Relay Premium currently has introductory pricing of $1 or €1 each month in the US, Germany, UK, Canada, Singapore, Malaysia, New Zealand, France, Belgium, Austria, Spain, Italy, Switzerland, Netherlands, and Ireland.