More stories

  • CEO-designate of Pegasus spyware's NSO Group resigns after US sanctions

    Multiple Israeli news outlets are reporting that Itzik Benbenisti, the person slated to become the new CEO of controversial spyware company NSO Group, has resigned just two weeks after accepting the role. The Jerusalem Post and Haaretz reported that Benbenisti decided against replacing current CEO Shalev Hulio after the US Commerce Department’s Bureau of Industry and Security added NSO Group to the Entity List “for engaging in activities that are contrary to the national security or foreign policy interests of the United States” last week. NSO Group did not respond to requests for comment, but it did confirm Benbenisti’s decision to Haaretz. His appointment to CEO had been announced on October 31, but he had not started the job yet. 

    Sources told Haaretz that Benbenisti was spooked by the new sanctions as well as recent revelations about the company’s spyware that could lead to legal consequences. The US Commerce Department said NSO Group and another spyware firm called Candiru were added to the list because officials had found “evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, business people, activists, academics, and embassy workers.” The Commerce Department noted that the governments given these tools repressed a number of people in other countries, explaining that some authoritarian governments targeted “dissidents, journalists, and activists outside of their sovereign borders to silence dissent.”

    NSO Group continues to face a barrage of bad headlines over how its Pegasus spyware has been used around the world. Last week, a bombshell report from the University of Toronto’s Citizen Lab and the Associated Press said that even the Israeli government’s own spy agency used the tool to hack the phones of six Palestinian human rights activists.

    That report followed another about the ruler of the UAE using Pegasus to spy on his ex-wife and her British lawyers. In July, the “Pegasus Project” used information from Amnesty International, the University of Toronto’s Citizen Lab, and Forbidden Stories to uncover that the NSO Group’s spyware was used to target at least 65 business executives, 85 human rights activists, 189 journalists, and at least 600 politicians. Targeted government officials included French President Emmanuel Macron, South African President Cyril Ramaphosa, and Iraqi President Barham Salih. Cabinet ministers from dozens of countries, including Egypt and Pakistan, were also targeted. Last week, on the heels of the sanctions announcement, several US Congress members demanded the State Department further investigate how Pegasus and other spyware is being used to abuse human rights around the world.

    “As members of Congress deeply concerned with the rising tides of authoritarianism around the world, we have closely tracked the parallel and reinforcing proliferation of commercially distributed surveillance and cyber-intrusion tools. These are extremely sensitive and powerful technologies used by foreign governments against Americans, as well as against journalists and civic activists,” Congress members said in a joint statement. “While recent reporting confirmed that NSO Group’s Pegasus software was used against journalists, human rights activists, and opposition politicians, many others are profiting from this new arms market.”

    Hulio is planning to stay on as CEO to guide the company through this turbulent period, according to Haaretz.

  • Ransomware gangs are using these 'ruthless' tactics as they aim for bigger payouts

    Ransomware attacks are becoming more sophisticated as cyber criminals continue to develop new techniques to make campaigns more effective and increase their chances of successfully demanding a ransom payment. According to the European law enforcement agency Europol, there was a 300% increase in the number of ransom payments between 2019 and 2020 alone, and that doesn’t account for 2021 being another bumper year for cyber criminals launching ransomware attacks, as they’ve taken advantage of security vulnerabilities presented by the rise in remote working.

    Europol’s Internet Organised Crime Threat Assessment (IOCTA) shows that while cybercrime, including malware and DDoS attacks, continues to evolve, it’s ransomware attacks that have caused a significant amount of disruption over the course of the past year. Several major incidents where cyber criminals have targeted supply chains, critical infrastructure, hospitals and more have shown how disruptive a successful ransomware attack can be. Desperate to get the decryption key needed to decrypt encrypted files and servers, many organisations that fall victim to ransomware attacks will pay the ransom, which can cost millions of dollars in Bitcoin or other cryptocurrencies.

    One of the reasons ransomware attacks have become more effective is that cyber criminals have become more hands-on with campaigns. Instead of attempting the mass distribution of ransomware and hoping some attacks will be successful, cyber criminals are selecting a smaller number of targets, choosing them on the basis that they’re most likely to pay a ransom.

    “The use of traditional mass-distributed ransomware seems to be in decline and perpetrators are moving towards human-operated ransomware targeted at private companies, the healthcare and education sectors, critical infrastructure and governmental institutions,” said the report. “The shift in the attack paradigm indicates that ransomware operators choose their targets based on their financial capability to comply with higher ransom demands and their need to be able to resume their operations as quickly as possible.”

    Conti, Maze, Avaddon and Babuk ransomware groups are some of those that the paper notes deploy these methods. The focus on a smaller number of targets also allows cyber criminals to spend more time preparing for attacks to be as disruptive as possible by stealing additional login details to move around the network and encrypt as many files and servers as possible. The more data that’s encrypted, the more likely a victim will need to pay the ransom.

    “Ransomware attacks have become more sophisticated as criminals spend more time inside the network researching the target and escalating their privileges in order to further compromise the infrastructure and get their hands on more data,” said the report.

    In addition to this, cyber criminals will steal data and threaten to publish it if the ransom isn’t paid. The use of these double extortion attacks has proven to be effective against organisations that don’t want sensitive information being made public. The paper also notes that some ransomware attacks have started to threaten victims with further disruption through DDoS attacks if they don’t pay the ransom.

    “Perpetrators continue to be increasingly ruthless and methodical in their modi operandi,” Europol said. “In the past 12 months, the arsenal of coercion methods has expanded with cold-calling journalists, victims’ clients, business partners and employees. In addition, many of the most notorious ransomware affiliate programs deploy DDoS attacks against their victims to pressure them into complying with the ransom demand.”

    While ransomware and other cybercrime is still very much a significant problem for business, there have also been some victories over the past year. The paper details how an international operation involving Europol, the FBI and others helped to take down the Emotet botnet, preventing cyber criminals from using Emotet as an entry point for ransomware attacks, even if they did eventually move on to other distribution methods.

    “Worldwide operations, such as the successful takedown of Emotet botnet, have demonstrated the effectiveness of international cooperation,” said Europol’s executive director, Catherine De Bolle. “The collective response of our international law enforcement community is clear: the authorities and the private sector worldwide stand strong and ready to mitigate together any threat that blackmails the stability of our societies,” she added.

  • BazarBackdoor now abuses Windows 10 app feature in 'call me back' attack

    A Microsoft Windows 10 app feature is being abused in a new phishing campaign spreading the BazarBackdoor malware. 

    On Thursday, researchers from Sophos Labs said the attack was noticed after the cybersecurity firm’s own employees were targeted with spam emails. Rather than being run-of-the-mill, these emails were written with at least a basic level of social engineering. One of the emails, sent by a “Sophos Main Manager Assistant,” the non-existent “Adam Williams,” demanded to know why a researcher hadn’t responded to a customer’s complaint. To make resolution easier, the email helpfully contained a .PDF link to the message. However, the link was a trap and revealed a “novel” technique used to deploy the BazarBackdoor malware. Sophos says that the company is, at the least, “unfamiliar” with this method, in which the Windows 10 App Installer process is exploited to deliver malicious payloads.

    This is how it works: the phishing lure directs potential victims to a website that uses the Adobe brand and asks users to click on a button to preview a .PDF file. Hovering over the link, however, shows that the URL begins with the “ms-appinstaller” prefix rather than http or https.

    “In the course of running through an actual infection I realized that this construction of a URL triggers the browser [in my case, Microsoft’s Edge browser on Windows 10], to invoke a tool used by the Windows Store application, called AppInstaller.exe, to download and run whatever’s on the other end of that link,” Sophos researcher Andrew Brandt explained.

    In turn, this link points to a text file, named Adobe.appinstaller, which then points to a larger file hosted on a separate URL, Adobe_1.7.0.0_x64appbundle. A warning prompt then appears as well as a notice that the software has been digitally signed with a certificate issued several months ago. (Sophos has made the certificate authority aware of the abuse.) Victims are then asked to allow the installation of “Adobe PDF Component,” and if they grant permission, the BazarBackdoor malware is deployed and executed in a matter of seconds.

    BazarBackdoor, akin to BazarLoader, communicates over HTTPS but is a distinctive malicious program due to the amount of noisy traffic the backdoor generates. BazarBackdoor is able to exfiltrate system data and has been linked to Trickbot, as well as the potential deployment of Ryuk ransomware.

    “Malware that comes in application installer bundles is not commonly seen in attacks,” Brandt said. “Unfortunately, now that the process has been demonstrated, it’s likely to attract wider interest. Security companies and software vendors need to have the protection mechanisms in place to detect and block it and prevent the attackers from abusing digital certificates.”
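    The two-hop delivery chain described above (an ms-appinstaller: link, a small .appinstaller manifest, then the real bundle on another host) is something a mail gateway or proxy log review can catch. The following is an added example written for this page, not Sophos' code: it flags ms-appinstaller: links in constructed sample URLs and extracts the bundle origin from a constructed .appinstaller manifest; the trusted-host list and all hostnames are assumptions.

```python
"""Triage helper for ms-appinstaller lures (added example, not Sophos' code).

Two checks a defender wants: (1) which logged links invoke AppInstaller.exe
through the ms-appinstaller: protocol handler, and (2) for a .appinstaller
manifest, where the bundle that would actually be installed is hosted.
Sample URLs, the manifest and the trusted-host list below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed URLs, as a mail gateway or web proxy might log them.
SAMPLE_URLS = [
    "https://www.example.com/docs/report.pdf",
    "ms-appinstaller:?source=https://cdn.example-lure.test/Adobe.appinstaller",
    "MS-APPINSTALLER:?source=https%3A%2F%2Fcdn.example-lure.test%2FAdobe.appinstaller",
    "https://intranet.example.com/app/Tool.appinstaller",
]

# Constructed manifest in the shape AppInstaller.exe consumes: the file itself
# is tiny and points at the real bundle on a different host.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<AppInstaller Uri="https://cdn.example-lure.test/Adobe.appinstaller"
              Version="1.7.0.0"
              xmlns="http://schemas.microsoft.com/appx/appinstaller/2018">
  <MainBundle Name="Adobe.PDF.Component" Publisher="CN=Example Publisher"
              Version="1.7.0.0"
              Uri="https://files.example-lure.test/Adobe_1.7.0.0_x64.appxbundle"/>
</AppInstaller>"""

# Hosts the organisation legitimately distributes packages from (assumed).
TRUSTED_PACKAGE_HOSTS = {"intranet.example.com"}

PROTOCOL_RE = re.compile(r"^ms-appinstaller:", re.IGNORECASE)
PACKAGE_SUFFIXES = (".appinstaller", ".appxbundle", ".msixbundle", ".appx", ".msix")


def appinstaller_source(url):
    """Return the source= target of an ms-appinstaller: URL, or None."""
    if not PROTOCOL_RE.match(url):
        return None
    query = url.split("?", 1)[1] if "?" in url else ""
    params = parse_qs(query)
    sources = params.get("source") or params.get("Source")
    # parse_qs already percent-decodes; unquote is a no-op on plain text.
    return unquote(sources[0]) if sources else None


def classify_url(url):
    """Classify one logged URL for triage.

    "appinstaller-protocol"  - uses the ms-appinstaller: handler (always review)
    "untrusted-appinstaller" - plain link to a package file on an unlisted host
    "trusted-appinstaller"   - package file served from a trusted host
    "ok"                     - nothing package-related
    """
    if PROTOCOL_RE.match(url):
        return "appinstaller-protocol"
    parts = urlsplit(url)
    if parts.path.lower().endswith(PACKAGE_SUFFIXES):
        host = parts.hostname or ""
        return "trusted-appinstaller" if host in TRUSTED_PACKAGE_HOSTS else "untrusted-appinstaller"
    return "ok"


def bundle_origin(manifest_xml):
    """Return (name, publisher, bundle_uri, bundle_host) from a manifest."""
    root = ET.fromstring(manifest_xml)
    ns = root.tag.split("}")[0].strip("{")  # namespace of the root element
    bundle = root.find(f"{{{ns}}}MainBundle")
    if bundle is None:
        bundle = root.find(f"{{{ns}}}MainPackage")
    if bundle is None:
        raise ValueError("manifest has no MainBundle/MainPackage element")
    uri = bundle.get("Uri", "")
    return bundle.get("Name"), bundle.get("Publisher"), uri, urlsplit(uri).hostname


def triage(urls=SAMPLE_URLS):
    """Map each URL to its classification."""
    return {u: classify_url(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in triage().items():
        print(f"{verdict:24} {url}")
    name, publisher, uri, host = bundle_origin(SAMPLE_MANIFEST)
    print(f"manifest installs {name} ({publisher}) from {host}: {uri}")
```

    A hit on "appinstaller-protocol" from an external sender is the signal worth alerting on; the bundle host from the manifest is what to compare against the publisher named in the installer prompt.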

  • Getting military veterans jobs in IT and cybersecurity

    About 200,000 service members leave the military each year. For veterans who aren’t ready or don’t want to retire yet, the next mission is often the search for a civilian career. Many veterans have years of professional training and real-world experience in information technology and cybersecurity. The US alone had nearly 500,000 available cybersecurity positions in March 2021.

    Veterans from all military branches and career fields bring a wealth of skills and attributes to the table. These characteristics include leadership skills, teamwork, integrity, and maintaining composure under pressure. But veterans face challenges in entering the civilian workforce. Hurdles include networking with civilian job contacts and translating military experience and skills to civilian language and roles.

    If you’re a veteran, know someone who is, or are in a position to hire people for information technology or cybersecurity jobs, continue reading for guidance on how veterans can connect with civilian IT and cybersecurity opportunities.

    How can you prepare for a civilian career?

    In short: Start early.

    Retirement timeline and prep

    Active-duty military members can retire after 20 years. Service members on track for retirement or whose military contract is set to expire can begin the process 24 months ahead of their transition date. One year before transitioning, service members receive a pre-retirement information package. Allow yourself six months to assemble and submit all the required documentation. The military requires service members to participate in a Transition Assistance Program before leaving active duty. The federal departments of Defense, Veterans Affairs, Homeland Security, Education, and Labor, along with the Small Business Administration and the Office of Personnel Management, cooperate to support the TAP program.

    Translate your job title to civilian speak

    The Army and Marine Corps call their job titles military occupational specialties (MOS). The Navy and Coast Guard call their job titles ratings, while the Air Force calls them Air Force Specialty Codes. The Space Force uses the Air Force system. Translating these roles and responsibilities into language civilians can understand is key to getting hired.

    All six service branches have IT and cybersecurity jobs with civilian equivalents. Several online sources, including the Disabled Veterans National Foundation and Military.com, have apps that allow you to plug in your military job code and see equivalent civilian job roles or job postings. O*NET is another valuable career transition resource. It’s sponsored by the Department of Labor and the Employment and Training Administration. The site helps current and former service members understand how their military job skills can be translated into a civilian career.

    Once you’ve identified job opportunities, next comes a task that many veterans find challenging: You need to explain your military job title, experience, and responsibilities in simple, civilian language.

    The executive director of American Corporate Partners, a nonprofit organization that provides career counseling for returning veterans and spouses of active duty service members, told The Muse that one way to translate military job experience to a civilian audience is to focus on your professional accomplishments. Highlighting individual achievements is better than simply listing job titles and duty assignments, which often don’t translate easily to a non-military audience. It’s also good to highlight transferable skills and rephrase military jargon into simpler terms.

    Hiring military veterans? An employer’s guide

    Employers can connect with job-seeking military veterans by adopting several strategies. Here are some suggestions from employment websites, government organizations, and nonprofits:

    Learn the culture

    If you’re serious about hiring veterans, take some time to learn about the military. The military invests significant resources into training and indoctrinating its members. Service members learn to think, talk, and behave according to their service branch’s culture. When they leave the military, veterans often retain beliefs and behaviors learned in the military, which can make transitioning into a new civilian work culture difficult. A basic understanding of military culture, traditions, and organizational structure will set a good foundation for connecting with veterans. The Department of Veterans Affairs has several resources that explain military basics.

    Speak military language

    Military jobs and culture are usually mission-oriented. One strategy to attract veterans is to write military-friendly job descriptions. To do this, the Department of Labor suggests writing job descriptions that are competency-based rather than experience-based. Other suggestions include highlighting problem-solving, strategic thinking, or leadership aspects of jobs. When reviewing veteran applicant resumes, hiring managers should be trained to know what to look for and how veterans’ experiences and attributes may be transferable into the civilian workplace.

    Advertise in the right places

    Start by researching veteran-oriented employment groups and job boards. Keep your eyes open for veteran-oriented job fairs or events in your region. If you live in a community with a significant military presence, consider introducing yourself to local military community commanders. Military installations are increasingly open to partnering with civilian employers as part of supporting their members’ transition out of the military. Encouraging current employees with a military background to help with recruitment can go a long way toward building trust with veteran applicants.

    Form a veteran employee resource group

    Whether you’ve already got veterans working in your organization or you’re looking to make your first hire, consider starting a veterans group. By making the ERG open to all who want to support veterans hiring initiatives, you’ll gain some momentum and create community and collaboration. Similarly, veteran ERGs can be influential in shaping a workplace that is truly military friendly.

    Career resources and jobs for veterans

    Ready to take the next step? Whether on college campuses or through various veteran service organizations, there are many nonprofit organizations, as well as local and state programs, that can help veterans find meaningful post-military careers. In addition, here are seven organizations that provide career and employment support for current members of the military, veterans, spouses, and those looking to hire veterans:

    Veterans Employment Center: The VA Employment Center is a federal government resource that offers career and employment assistance for veterans and family members, along with connections to personalized education and career counseling.

    Veterans Employment Toolkit: The Veterans Employment Toolkit from the VA provides a variety of outside resources for employers, managers or supervisors, and human resource professionals.

    Hire Heroes USA: Hire Heroes USA works to help military members, veterans, and their spouses find civilian careers and succeed in the civilian workforce. With support from about 20 major companies, the organization maintains a free job board and sponsors virtual job fairs and training events.

    Veterati: Built by veterans for veterans, this digital platform facilitates mentoring and networking opportunities for current service members, people who are leaving the military, and their spouses. The platform allows you to choose your mentors from the ranks of CEOs, entrepreneurs, and other successful veterans.

    Warriors to Work: This program provides veterans and their family members with job placement, resume writing assistance, interview preparation, and networking opportunities. The program also focuses on reducing the stigma around combat-related injuries and works to help companies retain veterans.

    CareerOneStop: Sponsored by the US Department of Labor, CareerOneStop features tools and career resources specifically for veterans. The resources include information about employment, training, education, and financial help after military service.

    FedsHireVets: The federal Office of Personnel Management runs FedsHireVets, which works to increase the number of transitioning military members, veterans, and their family members who are employed in the civil service.

    This article was reviewed by Dr. Michael J. Kirchner

    Dr. Michael J. Kirchner is an assistant professor of organizational leadership at Purdue University Fort Wayne, where he teaches courses in leadership and human resource development. Dr. Kirchner also serves as the campus’ veteran resource center director. Previously, Kirchner oversaw the University of Wisconsin-Milwaukee’s Military and Veterans Resource Center, where he guided programming for the campus’ 1,500+ military-affiliated student population. Under his leadership (2013-2016), the campus built a nationally recognized “military-college-career” framework focusing on supporting student veteran transitions. Kirchner earned his Ph.D. in human resource development from the University of Wisconsin-Milwaukee. His research on career transitions and leadership development has been published in numerous peer-reviewed journals, including Human Resource Development Quarterly, Advances in Developing Human Resources, New Horizons in Adult Education and Human Resource Development, and Industrial and Commercial Training. Kirchner is also the founder and president of Time for Development LLC, where he provides consulting to organizations on military-friendly programming, human resource development strategy, and training design. He served for a year in Baghdad, Iraq, from 2004-2005 as part of the U.S. Army National Guard.

    Kirchner is a paid member of the Red Ventures Education freelance review network.

  • EU pharmaceutical giants run old, vulnerable apps and fail to use encryption in login forms

    New research into the security posture of Europe’s top pharmaceutical giants has revealed concerning levels of vulnerabilities and weak spots in web applications. 

    On Thursday, Outpost24 published new research that claims the top 10 pharmaceutical companies in the region are all failing to maintain a robust security posture, with 80% considered to be “critically exposed” to the risk of cyberattacks. According to the report, Outpost24’s “2021 Web Application Security for Healthcare,” EU pharmaceutical businesses often run large numbers of web applications and 3.3% of those scanned by the firm are deemed “suspicious,” including open test environments that should have been closed. In addition, 18% of organizations analyzed are using outdated, unpatched web components that contain known vulnerabilities. US healthcare organizations have roughly the same proportion of suspicious apps in operation but tend to run far fewer apps on the whole; however, 23.74% of them are outdated.

    Over 200 EU pharmaceutical application forms noted in the report are operating without encryption, which puts users at risk of both the interception and theft of their information online. Outpost24 said that basic SSL failures, privacy policy misconfigurations, and cookie settings also feature as common security and compliance problems. The damage a cyberattack can cause a healthcare or pharmaceutical company can be severe. The COVID-19 pandemic put a target on the back of many of these organizations, with an Oxford University lab with COVID-19 research links and the UK Research and Innovation organization being only two examples of recent victims of incidents leading to data theft and disruption.

    “As the attack surface and trade secrets that pharmaceutical organizations process become more pertinent, it will give threat actors more reasons and motivations to step up malicious attacks for profit and put public health at risk,” commented Nicolas Renard, Outpost24 security researcher.

  • Utah legislature awards two universities with $5 million for cybersecurity and tech programs

    The cybersecurity industry continues to have issues finding talent to fill all of the available roles. To address the problem, the Utah legislature is giving Utah Valley University (UVU) and Utah State University (USU) a $5 million grant. The goal is to build an academic pipeline that will prepare students to work in fields like cybersecurity, security analytics, and artificial intelligence. 

    Utah has more than 4,000 unfilled tech jobs, and the grant is part of the state’s Deep Technology Talent Initiative (DTTI), which aims to expand academic tech programs and collaborate with local tech giants like Adobe, Northrop Grumman, and FireEye. Alongside the new programs at both schools, the companies will provide work experience for students through internships, capstones, and laboratory work. Both UVU’s Center for National Security Studies and USU’s Center for Anticipatory Intelligence are part of the Intermountain Intelligence, Industry and Security Consortium (I3SC), which hopes to equip students to fill roles in Utah’s “Silicon Slopes.”

    “The next advancement in higher education requires us to play as a team. USU is excited to lead out alongside UVU in creating a leading-edge learning team — the I3SC consortium — that includes industry, state, and federal partners working together in unprecedented ways to prepare our graduates to be leaders in innovation, security, and resilience,” Jeannie Johnson, director of the Center for Anticipatory Intelligence at USU, told ZDNet.

    Through the DTTI, I3SC was awarded $5,013,900 to create a “multifaceted academic pipeline program” available to students at both institutions. The courses will cover a variety of topics including secure computing, artificial intelligence, security analytics, cybersecurity, anticipatory intelligence, and security studies. Thousands of students are already enrolled in tech programs at both schools, and the I3SC consortium’s goal is to build out a tech workforce that can handle the emerging threats from foreign governments, hackers, and other cybersecurity issues.

    “We’re at a critical point where the threat landscape presents challenges for companies at all levels. The need has never been greater for smart, experienced, and skilled professionals, and that is what we are building with our consortium,” said Ryan Vogel, director of the Center for National Security Studies at UVU.

    Vogel added that they have already received a lot of interest from students across the STEM and policy disciplinary spectrum. “We need graduates ready to take jobs, professionals that are skilled and experienced. That’s our focus with this project: to meet this demand and exceed it, in cybersecurity and other technological areas,” Vogel said.

  • North Korean hackers target the South's think tanks through blog posts

    A North Korean hacking group has been attacking think tanks in the South through malware-laden blog posts. 

    In a new campaign, tracked since June 2021, the state-sponsored advanced persistent threat (APT) group has been attempting to plant surveillance and theft-based malware on victim machines. On Wednesday, researchers from Cisco Talos said the Kimsuky APT, also known as Thallium or Black Banshee, is responsible for the wave of attacks, in which malicious Blogspot content is being used to lure “South Korea-based think tanks whose research focuses on political, diplomatic, and military topics pertaining to North Korea, China, Russia, and the US.” Specifically, geopolitical and aerospace organizations appear to be on the APT’s radar.

    Kimsuky has been active since at least 2012. The US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory (.PDF) on the APT in 2020, noting that the state-sponsored group is tasked by the North Korean government with “global intelligence gathering.” Past victims have been located in South Korea, Japan, and the United States. AhnLab says that compensation forms, questionnaires, and research documents attached to emails have been used in the past as phishing lures, and in the campaign detected by Talos, malicious Microsoft Office documents are still a primary attack vector. Typically, malicious VBA macros are included in the documents, and when triggered, will download the payloads from Blogspot.

    According to the team, the blog posts deliver three types of malicious content based on the Gold Dragon/Brave Prince malware family: initial beacons, file stealers, and implant deployment scripts, the latter of which is designed to infect endpoints and launch further malware components, including a keylogger, information stealer, and a file injector module for website login credential theft.

    While some APTs will try to steal whatever content they can from an infected machine, Kimsuky has adopted a different approach. The threat actors will, instead, scan for files of particular interest to them. This includes content related to North Korea, denuclearization, the relationships between the US, China, and Russia, as well as rocket designs, aviation fuel research, fluid mechanics, and material science.

    “The attackers knew exactly which files they were looking for,” Talos commented. “This indicates that the attackers have a deep understanding of their targets’ endpoints, likely obtained from previous compromises.”

    The researchers informed Google of their findings and the malicious blog content has since been removed. However, this is unlikely to stop Kimsuky’s activities.

    “Kimsuky is a highly motivated threat actor targeting a number of entities in South Korea,” the researchers say. “This group has been relentlessly creating new infection chains to deliver different types of malware to their victims. Such targeted attacks can result in the leak of restricted research, unauthorized access for espionage, and even destructive attacks against target organizations.”

  • Comic book distributor struggling with shipments after ransomware attack

    Major comic book company Diamond Comic Distributors is struggling to keep up with its planned shipments after being hit with a ransomware attack on Sunday. In a statement, the company said its planned shipments for Wednesday would be delayed about two to four days throughout the country due to the attack; reorders are expected to resume within the next 72 hours. The delays will also affect international retailers. The company said it was dealing with a ransomware attack affecting its order processing systems as well as its internal communications platforms.

    “Our IT department and a team of third-party experts are working around the clock to address these issues and restore full operations,” Diamond Comic Distributors said. “We want to assure you that customer data and financial information is not stored on our network, and as such, we have no reason to believe it has been impacted by this attack.”

    Based in Maryland, Diamond Comic Distributors said it was working with Agility Recovery to deal with the incident and added that law enforcement has been contacted. The company is one of the biggest print comic book distributors in the world, and hundreds of retailers depend on them for some of the biggest comics available.

    Josh Rickard, security solutions architect at cybersecurity firm Swimlane, said the attack was evidence that, even without the theft of customer or business data, ransomware groups could still cause significant damage. “Diamond Comic Distributors’ website has been temporarily taken down, and its ability to process customer orders has been disrupted, affecting not only Diamond Comic Distributors’ business and success, but also the other retailers it is responsible for selling several comic book publications to on a regular basis,” Rickard explained.