More stories


    Cybersecurity: This prolific hacker-for-hire operation has targeted thousands of victims around the world

    A hacker-for-hire operation offered by cyber mercenaries has targeted thousands of individuals and organisations around the world, in a prolific campaign of financially driven attacks that have been ongoing since 2015.


    Human rights activists, journalists, politicians, telecommunications engineers and medical doctors are among those who have been targeted by the group, which has been detailed by cybersecurity researchers at Trend Micro. They’ve dubbed it Void Balaur, after a multi-headed creature from Slavic folklore.

    The cyber-mercenary group has been advertising its services on Russian-language forums since 2018. The key services offered are breaking into email and social media accounts, as well as stealing and selling sensitive personal and financial information. The attacks will also occasionally drop information-stealing malware onto devices used by victims.

    It doesn’t appear to matter who the targets are — as long as those behind the attacks get paid by their contractors. Only a handful of campaigns are run at any one time, but those that are being run command the full attention of Void Balaur for the duration.

    “There will just be a dozen targets a day, usually less. But those targets are high-profile targets — we found government ministers, members of parliaments, a lot of people from the media and a lot of medical doctors,” Feike Hacquebord, senior threat researcher for Trend Micro, told ZDNet, speaking ahead of the research being presented at Black Hat Europe. Some of those targeted include the former head of intelligence and five active members of the government in an unspecified European country.

    The individuals and organisations being targeted are spread around the world, spanning North America, Europe, Russia, India and more. Many of the attacks appear to be politically motivated, carried out against people in countries where, if exposed, the victim could have their human rights violated by governments.

    Like other malicious hacking campaigns, the entry point of many Void Balaur campaigns is phishing emails, which are tailored towards the chosen victim. However, the group also claims to offer the ability to gain access to some email accounts without any user interaction at all, offering this service at a premium rate compared with other attacks. The service relates to several Russian email providers and the research paper notes: “We have no reason to believe that it is not a real business offering”.

    Some of the campaigns go on for extended periods of time. For example, one targeting an unspecified large conglomerate in Russia was active from at least September 2020 to August 2021 and didn’t just target the owner of the businesses, but also their family members, and senior members of all the companies under the same corporate umbrella. “There’s a set of companies owned by one person and his family members were targeted, the CEOs of the companies were being targeted and that all happens over more than one year,” said Hacquebord.

    The hackers-for-hire target a wide range of victims in many industries at the behest of whoever is hiring their illicit services — but the key theme is that the targets are almost all organisations and individuals who have access to large amounts of sensitive data. For example, one campaign has targeted at least 60 IVF doctors. There’s a lot of sensitive information involved in healthcare, but there’s also a lot of money exchanged, so it’s possible the end goal of this particular Void Balaur contract was personal data, financial data, or both.

    Another campaign targeted senior engineers working for mobile phone companies, predominantly in Russia, but there were also targets in the West. These individuals would be useful to compromise for cyber-espionage campaigns. “If you’re able to compromise these engineers, you might be able to get a foothold in the company. You see the same for banks and fintech — key people are being targeted. These people have a lot of access to information, it matches the offerings of Void Balaur,” said Hacquebord.

    Researchers haven’t attributed Void Balaur to any one particular country or region, but note that the attackers work long hours, starting around 6am GMT and going through until 7pm GMT. Those working for the group seem to be active seven days a week and rarely take holidays – potentially indicating the vast demand for their services.

    “Cyber mercenaries is an unfortunate consequence of today’s vast cybercrime economy,” said Hacquebord. “Given the insatiable demand for their services and harbouring of some actors by nation-states, they’re unlikely to go away anytime soon. The best form of defence is to raise industry awareness of the threat in reports like this one and encourage best practice cybersecurity to help thwart their efforts,” he added.

    In order to protect against hacking campaigns by cyber mercenaries and other malicious cybercriminals, researchers at Trend Micro recommend using multi-factor authentication to protect email and social media accounts — and to use an app or physical key rather than a one-time SMS passcode, which could be exploited by attackers. It’s also recommended that people use email services from a reputable provider with high privacy standards and that encryption should be used for as many communications as possible.


    Average ransomware payment for US victims more than $6 million, survey says

    A new report from Mimecast has found that the US leads the way in the size of payouts following ransomware incidents. In the “State of Ransomware Readiness” study from Mimecast, researchers spoke with 742 cybersecurity professionals and found that 80% of them had been targeted with ransomware over the last two years. 


    Of that 80%, 39% paid a ransom, with US victims paying an average of $6,312,190. Victims in Canada paid an average of $5,347,508 while those in the UK paid nearly $850,000. Victims in South Africa, Australia, and Germany all paid less than $250,000 on average. More than 40% of respondents did not pay any ransom, and another 13% were able to negotiate the initial ransom figure down.

    Of the 742 experts who spoke to Mimecast, more than half said the primary source of ransomware attacks came from phishing emails with ransomware attachments, and another 47% said they originated from “web security.” Phishing emails that led to drive-by downloads were also a highly-cited source of ransomware infections. Less than half of respondents said they have file backups that they could use in the event of a ransomware attack, and almost 50% said they needed bigger budgets to update their data security systems.

    Despite the lack of backups, 83% of those surveyed said they could “get all their data back without paying the ransom.” Another 77% of executives said they believed they could get their company back to normal within two days following a ransomware incident. This confused Mimecast researchers, considering nearly 40% of respondents admitted to paying ransoms. A number of respondents called for more training and more information-sharing about threats.

    “Ransomware attacks have never been more common, and threat actors are improving each day in terms of their sophistication and ease of deployment,” said Jonathan Miles, head of strategic intelligence & security research at Mimecast. “Preparation is key in combating these attacks. It’s great to see cybersecurity leaders feel prepared, but they must continue to be proactive and work to improve processes. This report clearly shows ransomware attacks pay, which gives cybercriminals no incentive to slow down.”

    Ransomware incident costs stretch far beyond the ransom itself; 42% of survey respondents reported a disruption in their operations, and 36% said they faced significant downtime. Almost 30% said they lost revenue, and 21% said they lost customers. Another cost? Almost 40% of the cybersecurity professionals surveyed said they believed they would lose their jobs if a ransomware attack was successful. Two-thirds of respondents said they would “feel very or extremely responsible if a successful attack occurred.” When asked why, almost half said it would be because they “underestimated the risk of a ransomware attack.”


    Rust-proofing the internet with ISRG's Prossimo

    You know the non-profit Internet Security Research Group (ISRG) for its Let’s Encrypt certificate authority, the most popular way of securing websites with TLS certificates. The group wants to do more. Its newest project, Prossimo, seeks to make many basic internet programs and protocols memory-safe by rewriting them in Rust.

    Rust, like some other memory-safe programming languages such as Go and Java, prevents programmers from introducing some kinds of memory bugs. All too often memory safety bugs go hand-in-hand with security issues. Unfortunately, much of the internet’s fundamental software is written in C, which is anything but memory safe. Of course, you can write memory-safe programs in C or C++, but it’s difficult. Conversely, you can create memory bugs in Rust if you try hard enough, but generally speaking Rust and Go are much safer than C and C++.

    There are many kinds of memory safety bugs. One common type is out-of-bounds reads and writes. In these, if you wrote code to track a to-do list with 10 items in C without memory protection measures, users could try to read and write an 11th item. Instead of an error message, you’d read or write memory that belonged to another program. In a memory-safe language, you’d get a compile error or a crash at run time. A crash is bad news too, but it’s better than giving a hacker a free pass into someone else’s program memory.

    Using that same example, what happens if you delete the to-do list and then ask for the list’s first item? A badly written program in a non-memory-safe language will try to fetch from the old memory location, in what’s called a use-after-free error. This trick is used all the time to steal data and wreak havoc on a poorly secured program. Again, with Rust or Go, you must go far out of your way to introduce such a blunder.

    As ISRG’s executive director, Josh Aas, explained in a speech at the Linux Foundation Membership Summit:

    “We’ve only started talking about security seriously recently. The problem is mainly C and C++ code. That’s where these vulnerabilities are coming from. New memory safety vulnerabilities come up in widely used software every day. I think it’s fair to say that this is out of control. 90% of vulnerabilities in Android; 70% from Microsoft and 80% of zero-day vulnerabilities come from old language memory-based. There are real costs to this stuff every day people get hurt.”

    Why are they doing this now? Because, Aas explained, “We didn’t have great system languages to replace C. Now, we have that option.”

    So it is that under the Prossimo umbrella, ISRG is sponsoring developers to create memory-safe versions of internet programs. So far this includes a memory-safe TLS library, Hyper, and module, mod_tls, for the Apache webserver; a memory-safe curl data transfer utility; and memory-safe Rustls, a safer OpenSSL alternative. Next up, Prossimo wants to give Network Time Protocol (NTP) the memory-safe treatment. For now, though, this NTP project lacks funding.

    Of course, replacing critical C-based programs throughout the internet is a gigantic and complex task. But it’s a job that must be done as we grow ever more dependent on the internet for our personal lives, business work, and indeed the entire global economy.


    Microsoft November 2021 Patch Tuesday: 55 bugs squashed, two under active exploit

    Microsoft has released 55 security fixes for software including patches that resolve zero-day vulnerabilities actively exploited in the wild. The Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, includes fixes for six critical vulnerabilities, 15 remote code execution (RCE) bugs, information leaks, and elevation of privilege security flaws, as well as issues that could lead to spoofing and tampering. 

    Products impacted by November’s security update include Microsoft Azure, the Chromium-based Edge browser, Microsoft Office — as well as associated products such as Excel, Word, and SharePoint — Visual Studio, Exchange Server, Windows Kernel, and Windows Defender.

    Some of the most interesting vulnerabilities resolved in this update, all deemed as important, are:

    CVE-2021-42321 (CVSS:3.1 8.8 / 7.7): Under active exploit, this vulnerability impacts Microsoft Exchange Server and, due to improper validation of cmdlet arguments, can lead to RCE. However, attackers must be authenticated.

    CVE-2021-42292 (CVSS:3.1 7.8 / 7.0): Also detected as exploited in the wild, this vulnerability was found in Microsoft Excel and can be used to circumvent security controls. Microsoft says that the Preview Pane is not an attack vector. No patch is currently available for Microsoft Office 2019 for Mac or Microsoft Office LTSC for Mac 2021.

    CVE-2021-43209 (CVSS:3.1 7.8 / 6.8): A 3D Viewer vulnerability made public, this bug can be exploited locally to trigger RCE.

    CVE-2021-43208 (CVSS:3.1 7.8 / 6.8): Another known issue, this 3D Viewer security flaw can also be weaponized by a local attacker for code execution purposes.

    CVE-2021-38631 (CVSS:3.0 4.4 / 3.9): Also made public, this security flaw, found in the Windows Remote Desktop Protocol (RDP), can be used for information disclosure.

    CVE-2021-41371 (CVSS:3.1 4.4 / 3.9): Finally, this RDP vulnerability, known before patching was available, can also be exploited locally to force an information leak.

    According to the Zero Day Initiative (ZDI), historically, this is a relatively low number of vulnerabilities resolved during the month of November. “Last year, there were more than double this number of CVEs fixed,” the organization says. “Even going back to 2018 when there were only 691 CVEs fixed all year, there were more November CVEs fixed than in this month. Given that December is typically a slower month patch-wise, it causes one to wonder if there is a backlog of patches awaiting deployment due to various factors.”

    Last month, Microsoft resolved 71 bugs in the October batch of security fixes. Of particular note are patches for a total of four zero-day flaws, one of which was being actively exploited in the wild, whereas three were made public. A month prior, the tech giant tackled over 60 vulnerabilities during the September Patch Tuesday. Among the patches was a fix for an RCE in MSHTML.

    In recent Microsoft news, Visual Studio 2022 and .NET 6 were made generally available on November 8. Visual Studio 2022 includes a refresh of some features as well as debug improvements for developers. .NET 6 includes performance enhancements and is the first version able to support both Windows Arm64 and Apple Arm64 Silicon.

    Alongside Microsoft’s Patch Tuesday round, other vendors, too, have published security updates which can be accessed below.


    Singapore embraces Zero Trust: A prediction comes true

    One of my favorite parts of our annual predictions process is reviewing the accuracy of Forrester’s predictions from the previous year. This is not simply navel gazing. Looking backward actually makes us far better predictors, keeps us firmly grounded in the reality of our customers, and ensures that our predictions remain firmly embedded in reality. Some teams within Forrester even have a rating system, ranging from “completely missed the mark” to “nailed it.” I won’t lie that it is an absolute thrill when a prediction I’ve contributed to comes true, especially when it has the potential to positively impact our clients, the industry, or even society as a whole.

    Twelve months ago, we predicted that at least one Asia Pacific (APAC) government would embrace a Zero Trust (ZT) framework in the coming year. In keeping with our rating system, I’m happy to say we nailed it!

    Since 2009, when ZT was coined by Forrester, large technology companies have adopted it as their security model, and now the US federal government is following suit. In Europe, ZT went from concept to reality for many firms during 2020 and then accelerated in 2021 as COVID-19 hastened the death of traditional security models across the region. Unfortunately, APAC has been a very different story. ZT adoption has been slow; according to the Forrester Analytics Business Technographics® Security Survey, 2021, only 13% of security leaders in APAC cite Zero Trust as a top strategic information/IT security priority. While ZT is slowly gaining momentum in the Asia Pacific region, it faces many adoption challenges: concerns over the nomenclature, paucity of ZT pioneers, under-resourced security teams. With all these challenges in play, predicting that an APAC government would embrace a ZT framework in 2021 was a bold call, indeed. Why’d we make it?

    We fully expected ZT momentum to accelerate for a number of reasons: 1) the shift to remote work requires a new approach to security; 2) the evolving regulatory landscape across APAC has increased focus on data protection; 3) Forrester Analytics survey data shows that APAC consumers and citizens are prioritizing security and privacy in their purchasing decisions; and 4) the release of the US’s National Institute of Standards and Technology’s publication on ZT architecture, which further validated the approach.

    I’ve led multiple APAC CISO roundtables on the topic of Zero Trust over the past 12 months. While participants were supportive of the prediction in principle, they were also skeptical — there were no indications in the media or elsewhere to support such a big call.

    And then in October, exactly one year after we made the prediction, Singapore Senior Minister and Coordinating Minister for National Security Teo Chee Hean announced Singapore’s new cybersecurity strategy. The strategy was supported by Prime Minister Lee Hsien Loong, who acknowledged in the strategy foreword: “Five years ago, we launched the first Singapore Cybersecurity Strategy. The world is now a different place,” noting the need for a new way of thinking about security.

    The new Singaporean cybersecurity strategy clearly defines ZT as “[a] security framework requiring all end users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data.” The strategy endorses a mindset shift from perimeter defense toward a ZT cybersecurity model, encourages critical infrastructure owners to adopt a ZT cybersecurity posture for critical systems, and states that the government is implementing the Government Trust-based Architecture that translates ZT principles to government context.

    Looking to the future, we will continue to make important predictions about the state of Zero Trust adoption, particularly in governments. In fact, in our 2022 public sector predictions, we make the call that five governments will adopt Zero Trust to revive public trust in digital services, following the lead of the US and Singapore.

    For more regional insight beyond ZT, check out Forrester’s 2022 Asia Pacific predictions, where trust and values take center stage. We look forward to assessing how we fared this time next year.

    This post was written by Principal Analyst Jinan Budge, and it originally appeared here.


    These cybersecurity vulnerabilities could leave millions of connected medical devices open to attack

    Critical vulnerabilities in millions of connected devices used in hospital networks could allow attackers to disrupt medical equipment and patient monitors, as well as Internet of Things devices that control systems and equipment throughout facilities, such as lighting and ventilation systems.


    The vulnerable TCP/IP stacks – communications protocols commonly used in connected devices – are also deployed in other industries, including the industrial sector and the automotive industry.

    The 13 newly disclosed vulnerabilities in Nucleus Net TCP/IP stacks have been detailed by cybersecurity researchers at Forescout and Medigate. Dubbed Nucleus:13, the findings represent the final part of Project Memoria, an initiative examining vulnerabilities in TCP/IP stacks used in connected devices and how to mitigate them.

    The vulnerabilities could be present in millions of devices based around Nucleus TCP/IP stacks and could allow attackers to engage in remote code execution, denial of service attacks and even leak data – although researchers can’t say for certain if they’ve actively been exploited by cyber criminals.

    Now owned by Siemens, the Nucleus TCP/IP stack was originally released in 1993 and is still widely used in critical safety devices, particularly in hospitals and the healthcare industry where they’re used in anaesthesia machines, patient monitors and other devices, as well as for building automation systems controlling lighting and ventilation.

    Of the three critical vulnerabilities identified by researchers, CVE-2021-31886 poses the greatest threat, with a Common Vulnerability Scoring System (CVSS) score of 10 out of 10. It’s a vulnerability in File Transfer Protocol (FTP) servers that don’t properly validate the length of user commands, leading to stack-based buffer overflows that can be abused for denial-of-service and remote code execution.

    The remaining two critical vulnerabilities both have a CVSS score of 9.9. CVE-2021-31887 is a vulnerability in FTP servers that don’t properly validate the length of PWD or XPWD FTP server commands, while CVE-2021-31888 is a vulnerability that occurs when the FTP server doesn’t properly validate the length of MKD or XMKD FTP commands. Both can result in stack-based buffer overflows, allowing attackers to begin denial-of-service attacks or remotely launch code.

    Because the stacks are so common, they are easy to identify and target. It’s also possible to find some of the connected devices on IoT search engine Shodan – and if they are publicly facing the internet, it’s possible to launch remote attacks. This is why researchers decided to examine them specifically.

    “We found some promotional material for the stack that mentions using this for medical applications,” Daniel dos Santos, research manager at Forescout Research Labs, told ZDNet. “Then when you look at some of the data promoting medical devices, they mention the use of the stack directly.”

    Attackers would need to jump through a number of steps, detailed extensively in the paper, to fully exploit the vulnerabilities. But, as long as they exist, that potential is there – along with the potential for disruption. In hospitals, not only could this affect machines used for patient care, systems in the building such as alarms, lighting and ventilation could be affected.

    Organisations are recommended to apply the available security patches released by Siemens in order to mitigate the threat. “All vulnerabilities that are being disclosed on Nov 9th have been fixed in the corresponding latest fix releases of active Nucleus version lines,” a Siemens spokesperson told ZDNet.

    Researchers also suggest that networks should be segmented in order to limit the exposure of any devices or software that could contain vulnerabilities, but can’t be patched. “Make sure that you know your network, so even if devices are not patched and you know that probabilities exist, you can still live with a network configuration that lets you sleep at night,” said dos Santos.

    “The main thing is network segmentation and being able to know and to make sure that devices that are potentially vulnerable and maybe can’t be patched are contained, and can only talk to other devices they’re allowed to.”

    Nucleus:13 represents the final part of Forescout’s Project Memoria, which has worked to uncover and, when possible, help to patch security vulnerabilities in devices, which in some cases are decades old – designed at a time far before the rise of the Internet of Things was even predicted.

    “Many of these pieces of software are 20, 30 or even more years old. Unfortunately, that means that they were designed in a different age for different requirements and they’re just not up to date with security nowadays,” said dos Santos. “Many of these vulnerabilities are kind of predictable in the sense that they’re repeated over and over again over different pieces of software,” he added.

    The aim of the year-long project has been to showcase the vulnerabilities in older devices and to push for connected devices to be built with IoT security in mind – and to prevent the same old vulnerabilities causing problems moving forward, particularly as the use of IoT devices continues to grow. “The expanded adoption of these types of technology by every type of organization, and their deep integration into critical business operations, will only increase their value for attackers over the long term,” warns the report.
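    As an added example (not code from Nucleus, Siemens or the Forescout report), the following C command-line handler shows the check whose absence the three critical FTP CVEs above describe: the verb and its argument are length-validated before anything is copied into fixed-size stack buffers, so an oversized PWD/XPWD or MKD/XMKD line is rejected rather than overrunning the stack. The same explicit bounds check is the C-side discipline that the Prossimo item above says Rust enforces for out-of-bounds reads and writes. The buffer sizes, the accepted verb set and the status codes are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limits for this example; real stacks pick their own. */
#define FTP_VERB_MAX 4      /* PWD, XPWD, MKD, XMKD are at most 4 characters */
#define FTP_ARG_MAX  255    /* assumed maximum pathname argument length */
#define FTP_LINE_MAX 512    /* assumed maximum command line accepted */

enum ftp_status { FTP_OK = 0, FTP_ERR_TOO_LONG, FTP_ERR_SYNTAX, FTP_ERR_UNKNOWN };

/* Fixed-size, stack-allocated destination: exactly the kind of buffer a
 * missing length check lets a long command overflow. */
struct ftp_cmd {
    char verb[FTP_VERB_MAX + 1];
    char arg[FTP_ARG_MAX + 1];
    int  has_arg;
};

/* Only the verbs named in the article are accepted (uppercase, an assumption). */
static int known_verb(const char *v) {
    static const char *const verbs[] = { "PWD", "XPWD", "MKD", "XMKD" };
    for (size_t i = 0; i < sizeof verbs / sizeof verbs[0]; i++)
        if (strcmp(v, verbs[i]) == 0) return 1;
    return 0;
}

/* Parse one command line (CRLF already stripped). Every copy into the struct
 * is preceded by a length check, so oversized input returns an error instead
 * of writing past the end of verb[] or arg[]. */
enum ftp_status ftp_parse(const char *line, size_t len, struct ftp_cmd *out) {
    if (len > FTP_LINE_MAX) return FTP_ERR_TOO_LONG;  /* reject before inspecting */
    memset(out, 0, sizeof *out);

    /* The verb runs up to the first space or the end of the line. */
    size_t vlen = 0;
    while (vlen < len && line[vlen] != ' ') vlen++;
    if (vlen == 0 || vlen > FTP_VERB_MAX) return FTP_ERR_SYNTAX;  /* bounded copy */
    memcpy(out->verb, line, vlen);
    out->verb[vlen] = '\0';
    if (!known_verb(out->verb)) return FTP_ERR_UNKNOWN;

    if (vlen == len) return FTP_OK;  /* no argument, e.g. a bare PWD/XPWD */

    /* Argument length is checked against the destination before the copy. */
    const char *arg = line + vlen + 1;
    size_t alen = len - vlen - 1;
    if (alen > FTP_ARG_MAX) return FTP_ERR_TOO_LONG;
    memcpy(out->arg, arg, alen);
    out->arg[alen] = '\0';
    out->has_arg = 1;
    return FTP_OK;
}

/* Convenience wrapper for NUL-terminated strings. */
enum ftp_status ftp_parse_str(const char *line, struct ftp_cmd *out) {
    return ftp_parse(line, strlen(line), out);
}

int main(void) {
    struct ftp_cmd c;
    /* Constructed input: "XMKD " followed by 314 'A's, longer than FTP_ARG_MAX. */
    char big[320];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    memcpy(big, "XMKD ", 5);

    printf("PWD            -> %d\n", ftp_parse_str("PWD", &c));
    printf("MKD /incoming  -> %d\n", ftp_parse_str("MKD /incoming", &c));
    printf("oversized XMKD -> %d (1 = rejected as too long)\n", ftp_parse_str(big, &c));
    printf("RETR file      -> %d (3 = unknown verb)\n", ftp_parse_str("RETR file", &c));
    return 0;
}
```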


    Microsoft: Chinese hackers are targeting Zoho ManageEngine software

    Microsoft has sent an alert about a sophisticated Chinese hacker group targeting an obscure bug in Zoho software to install a webshell.


    Microsoft Threat Intelligence Center (MSTIC) has detected exploits targeting systems running Zoho ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution, with the remote code execution bug tracked as CVE-2021-40539. Zoho is best known as a popular software-as-a-service vendor, while ManageEngine is the company’s enterprise IT management software division.

    It’s a targeted malware campaign, so most Windows users shouldn’t need to worry about it, but Microsoft has flagged the campaign, which it first observed in September, because it’s aimed at the US defence industrial base, higher education, consulting services, and IT sectors.

    MSTIC attributes the activity to a group it is tracking as DEV-0322, which also targeted a zero-day flaw in SolarWinds Serv-U FTP software. The US government attributed an earlier software supply chain attack on SolarWinds to Kremlin-backed intelligence hackers. Palo Alto Networks Unit 42 observed the same Chinese group scanning ManageEngine ADSelfService Plus servers from mid-September to early October. The bug concerns a REST API authentication bypass that can lead to remote code execution in vulnerable devices.

    Microsoft fleshes out some details on the latest activity of the group’s use of the Zoho bug, which relied on the Godzilla webshell payload. Webshells are generally considered a problem because they can survive a patch on the underlying OS or software. It notes that the group was involved in “credential dumping, installing custom binaries, and dropping malware to maintain persistence and move laterally within the network.”

    The attack group also deployed a Trojan Microsoft calls Trojan:Win64/Zebracon, which uses hardcoded credentials to make connections to suspected DEV-0322-compromised Zimbra email servers.

    “Godzilla is a functionality-rich webshell that parses inbound HTTP POST requests, decrypts the data with a secret key, executes decrypted content to carry out additional functionality and returns the result via an HTTP response. This allows attackers to keep code likely to be flagged as malicious off the target system until they are ready to dynamically execute it,” notes Palo Alto Networks.


    Meet Lyceum: Iranian hackers targeting telecoms, ISPs

    Researchers have provided a deep dive into the activities of Lyceum, an Iranian threat group focused on infiltrating the networks of telecoms companies and internet service providers (ISPs).


    Lyceum, also known as Hexane, Siamesekitten, or Spirlin, has been active since 2017. The advanced persistent threat (APT) group has been linked to campaigns striking Middle Eastern oil and gas companies in the past and now appears to have expanded its focus to include the technology sector.

    According to a report published on Tuesday by Accenture Cyber Threat Intelligence (ACTI) and Prevailion Adversarial Counterintelligence (PACT), between July and October this year, Lyceum was spotted in attacks against ISPs and telecoms organizations across Israel, Morocco, Tunisia, and Saudi Arabia. In addition, the APT is responsible for a campaign against an African ministry of foreign affairs. The cybersecurity teams say that several of the “identified compromises” remain active at the time of publication.

    Lyceum’s initial attack vectors include credential stuffing attacks and brute-force attacks. According to Secureworks, individual accounts at companies of interest are usually targeted — and then once these accounts are breached, they are used as a springboard to launch spear-phishing attacks against high-profile executives in an organization.

    The APT appears to be focused on cyberespionage. The report suggests that not only do these attackers seek out data on subscribers and connected third-party companies, but once compromised, “threat actors or their sponsors can also use these industries to surveil individuals of interest.”

    Lyceum will attempt to deploy two different kinds of malware: Shark and Milan (known together as James). Both are backdoors; Shark, a 32-bit executable written in C# and .NET, generates a configuration file for DNS tunneling or HTTP C2 communications, whereas Milan, a 32-bit Remote Access Trojan (RAT), retrieves data. Both are able to communicate with the group’s command-and-control (C2) servers.

    The APT maintains a C2 server network that connects to the group’s backdoors, consisting of over 20 domains, including six that were previously not associated with the threat actors. The backdoor malware families have previously been disclosed by ClearSky and Kaspersky (.PDF).

    The ACTI/PACT researchers recently found a new backdoor similar to newer versions of Milan, which sent beacons linked to potential attacks against a Tunisian telecoms company and a government agency in Africa.

    “It is unknown if the Milan backdoor beacons are coming from a customer of the Moroccan telecommunication operator or from internal systems within the operator,” the researchers say. “However, since Lyceum has historically targeted telecommunication providers and the Kaspersky team identified recent targeting of telecommunication operators in Tunisia, it would follow that Lyceum is targeting other north Africa telecommunication companies.”