More stories

  • Arrests were made, but the Mekotio Trojan lives on

    Despite the arrest of individuals connected with the spread of the Mekotio banking Trojan, the malware continues to be used in new attacks.

    On Wednesday, Check Point Research (CPR) published an analysis of Mekotio, a modular banking Remote Access Trojan (RAT) that targets victims in Brazil, Chile, Mexico, Spain, and Peru — and is now back with new tactics for avoiding detection. In October, law enforcement made 16 arrests across Spain in relation to the Mekotio and Grandoreiro Trojans. The suspects allegedly sent thousands of phishing emails to distribute the Trojan, which was then used to steal banking and financial service credentials. Local media reports suggest that 276,470 euros were stolen, but transfer attempts worth 3,500,000 euros were also made and, thankfully, blocked.

    CPR researchers Arie Olshtein and Abedalla Hadra say that the arrests only managed to disrupt distribution across Spain, and as the group likely collaborated with other criminal outfits, the malware continues to spread. Once the Spanish Civil Guard announced the arrests, Mekotio’s developers, suspected of being located in Brazil, rapidly reworked their malware with new features designed to avoid detection.

    Mekotio’s infection vector has stayed the same: phishing emails either link to, or attach, a malicious .ZIP archive that contains the payload. However, an analysis of over 100 attacks in recent months revealed the use of a simple obfuscation method and a substitution cipher to circumvent detection by antivirus products.

    In addition, the developers have included a batch file redesigned with multiple layers of obfuscation, a new PowerShell script that runs in memory to perform malicious actions, and the use of Themida — a legitimate application that prevents cracking or reverse engineering — to protect the final Trojan payload. Once installed on a vulnerable machine, Mekotio attempts to exfiltrate access credentials for banks and financial services and transfers them to a command-and-control (C2) server controlled by its operators.

    “One of the characteristics of those bankers, such as Mekotio, is the modular attack which gives the attackers the ability to change only a small part of the whole in order to avoid detection,” the researchers say. “CPR sees a lot of old malicious code used for a long time, and yet the attacks manage to stay under the radar of AVs and EDR solutions by changing packers or obfuscation techniques such as a substitution cipher.”

  • Clearview AI slammed for breaching Australians' privacy on numerous fronts

    Australia’s Information Commissioner has found that Clearview AI breached Australia’s privacy laws on numerous fronts, after a bilateral investigation uncovered that the company’s facial recognition tool collected Australians’ sensitive information without consent and by unfair means.

    The investigation, conducted by the Office of the Australian Information Commissioner (OAIC) and the UK Information Commissioner’s Office (ICO), found that Clearview AI’s facial recognition tool scraped biometric information from the web indiscriminately and has collected data on at least 3 billion people. The OAIC also found that some Australian police agency users, who were Australian residents and trialled the tool, searched for and identified images of themselves as well as images of unknown Australian persons of interest in Clearview AI’s database.

    Considering these factors together, Australia’s Information Commissioner Angelene Falk concluded that Clearview AI breached Australia’s privacy laws by collecting Australians’ sensitive information without consent and by unfair means. In her determination [PDF], Falk explained that consent was not provided, even though facial images of affected Australians are already available online, as Clearview AI’s intent in collecting this biometric data was ambiguous.

    “I consider that the act of uploading an image to a social media site does not unambiguously indicate agreement to collection of that image by an unknown third party for commercial purposes,” the Information Commissioner wrote. “Consent also cannot be implied if individuals are not adequately informed about the implications of providing or withholding consent. This includes ensuring that an individual is properly and clearly informed about how their personal information will be handled, so they can decide whether to give consent.”

    Other breaches of Australia’s privacy laws found by Falk were that Clearview AI failed to take reasonable steps either to notify individuals of the collection of personal information or to ensure that the personal information it disclosed was accurate. She also slammed the company for not taking reasonable steps to implement practices, procedures, and systems to ensure compliance with the Australian Privacy Principles. These breaches were due to Clearview AI removing access to an online form for Australians to opt out from being searchable on the company’s facial recognition platform. The form itself also raised privacy issues, as it required Australians to submit a valid email address and an image of themselves, which would then be converted into an image vector; Falk said this allowed Clearview AI to collect additional information about Australians. The form was created at the start of 2020, but Australians can now only make opt-out requests via email, Falk said.

    After making these findings, Falk has ordered Clearview AI to destroy the biometric information it has collected from Australia. She has also ordered the company to cease collecting facial images and biometric templates from individuals in Australia. “The covert collection of this kind of sensitive information is unreasonably intrusive and unfair,” Falk said. “It carries significant risk of harm to individuals, including vulnerable groups such as children and victims of crime, whose images can be searched on Clearview AI’s database.”

    Despite the investigation being finalised, the exact number of affected Australians is unknown. Falk expressed concern that the number was likely to be very large, given that it may include any Australian whose facial images are publicly accessible on the internet.

    Providing an update on another Clearview AI-related investigation, Falk said she was in the process of finalising a separate investigation into the Australian Federal Police (AFP) trialling Clearview AI’s facial recognition tool. In April last year, the AFP admitted to trialling the Clearview AI platform from October 2019 to March 2020. State police from Victoria and Queensland also trialled the tool, with all three law enforcement agencies admitting to successfully conducting searches using facial images of individuals located in Australia. Falk said she would soon provide a determination on whether the AFP breached the Australian Government Agencies Privacy Code requirement to assess and mitigate privacy risks.

  • Yahoo pulls plug on services in China: Report

    Global tech giant Yahoo has pulled the plug on its services in China, blaming an “increasingly challenging” operating environment. “In recognition of the increasingly challenging business and legal environment in China, Yahoo’s suite of services will no longer be accessible from mainland China as of November 1,” the company said in a statement, according to the Wall Street Journal. The company added that it “remains committed to the rights of our users and a free and open internet”.

    The move by Yahoo follows Microsoft’s announcement last month that it was shutting down LinkedIn in China. It too cited the challenge of keeping up with the country’s compliance demands as its reason for leaving the market. “While we’ve found success in helping Chinese members find jobs and economic opportunity, we have not found that same level of success in the more social aspects of sharing and staying informed,” said LinkedIn senior vice president of engineering Mohak Shroff in a company blog post. “We’re also facing a significantly more challenging operating environment and greater compliance requirements in China,” wrote Shroff. “Given this, we’ve made the decision to sunset the current localized version of LinkedIn, which is how people in China access LinkedIn’s global social media platform later this year.”

    This, however, is not Yahoo’s first step towards leaving China. Over the years, it has been slowly pulling out services, such as its email service and its Beijing research and development centre.

    The departures from China come as the country reportedly warned local companies in July that it would tighten oversight of data security. The country’s Personal Information Protection Law (PIPL) came into effect on Monday. It lays out ground rules around how data is collected, used, and stored, and outlines data processing requirements for companies based outside China, including passing a security assessment conducted by state authorities. Multinational corporations that move personal information out of the country will also have to obtain certification on data protection from professional institutions, according to the PIPL. The PIPL also applies to foreign organisations that process personal data overseas for the purpose of, among other things, providing products and services to Chinese consumers and analysing the behaviour of Chinese consumers. The Chinese government previously said the new law was necessary to address the “chaos” data had created, with online platforms over-collecting personal data.

  • Microsoft to release 'Defender for Business' platform

    On Tuesday, Microsoft announced the upcoming release of Microsoft Defender for Business, a new security tool that will soon be available for preview. In a blog post, Microsoft 365 product marketing manager Jon Maunder said the tool is “specially built to bring enterprise-grade endpoint security to businesses with up to 300 employees, in a solution that is easy-to-use and cost-effective.” Once the tool is available, customers will be able to buy the platform directly from Microsoft as a standalone offering costing $3 per user per month.

    Maunder noted that Microsoft was prompted to create the platform by a 300% increase in ransomware attacks in the last year. More than 50% of attacks reach small businesses, according to Microsoft data. “Defender for Business elevates security from traditional antivirus to next-generation protection, endpoint detection and response, threat and vulnerability management, and more. It offers simplified configuration and management with intelligent, automated investigation and remediation. Defender for Business helps you to protect against cybersecurity threats including malware and ransomware across Windows, macOS, iOS, and Android devices,” Maunder said.

    The platform covers everything from threat and vulnerability management to misconfiguration remediation, attack surface reduction, and antimalware and antivirus protection. It also comes with endpoint detection and response, manual response actions, automated investigation features and more.

    Maunder explained that no “specialist security knowledge is required” to install and manage the platform. “The product includes simplified client configuration with wizard-driven set up and recommended security policies activated out-of-the-box, allowing you to quickly secure devices. Easy-to-use management controls and actionable insights help you to save time and prioritize tasks,” Maunder said. “Defender for Business is designed to deliver maximum security value at a price point that works for your business. The simplicity of it allows you to onboard and manage endpoint security with low operational overhead, and less burden to learn complex cybersecurity concepts to get your business secured.”

    The tool will work regardless of whether your email and productivity tools are on-premises, in Microsoft 365, or from other vendors, he added. It will be included as part of Microsoft 365 Business Premium and can be integrated with Microsoft 365 Lighthouse.

    Microsoft announced in April that the preview of its advanced security product Microsoft Defender for Endpoint supports unmanaged devices running Windows, Linux, macOS, iOS and Android, as well as network devices. Last month, Microsoft unveiled a new suite of tools built to protect nonprofits as threats against philanthropic organizations globally have skyrocketed, particularly from nation-states.

  • FBI: Ransomware groups tying attacks to 'significant financial events'

    The FBI has released a new report saying ransomware groups are increasingly using “significant financial events” as leverage during their attacks. According to the FBI, ransomware groups are using events like mergers and acquisitions to target companies and force them into paying ransoms.

    “Prior to an attack, ransomware actors research publicly available information, such as a victim’s stock valuation, as well as material nonpublic information. If victims do not pay a ransom quickly, ransomware actors will threaten to disclose this information publicly, causing potential investor backlash,” the FBI wrote. “Ransomware actors are targeting companies involved in significant, time-sensitive financial events to incentivize ransom payment by these victims. Ransomware is often a two-stage process beginning with an initial intrusion through a trojan malware, which allows an access broker to perform reconnaissance and determine how to best monetize the access.”

    The FBI noted that while ransomware groups indiscriminately distribute malware, they often carefully select their victims based on the information they get from initial intrusions. The gangs search for non-public information and then threaten companies by saying they will release the documents ahead of important financial events, hoping the pressure will prompt victims to pay ransoms. The groups look for data or information that they know will affect a company’s stock price and “adjust their timeline for extortion,” the FBI found.

    The law enforcement agency highlighted multiple instances where ransomware actors themselves urged others to use the NASDAQ stock exchange as a sort of bellwether for the extortion process. The FBI said it found a post from a well-known ransomware actor named “Unknown” on Exploit — a popular Russian hacking forum — urging other ransomware groups to follow this method.

    In the notice, the FBI shared a direct quote from a ransomware group negotiating with a victim in March 2020. “We have also noticed that you have stocks. If you will not engage us for negotiation we will leak your data to the nasdaq and we will see what’s gonna (sic) happen with your stocks,” the group told the victim during the negotiation.

    The FBI noted that from March to July 2020, at least three publicly traded US companies were attacked by ransomware groups while going through a merger and acquisition. Two of the three were negotiating the deals privately, indicating the ransomware groups had gained access to confidential data.

    “A November 2020 technical analysis of Pyxie RAT, a remote access trojan that often precedes Defray777/RansomEXX ransomware infections, identified several keyword searches on a victim’s network indicating an interest in the victim’s current and near future stock share price. These keywords included 10-q, 10-sb, n-csr, nasdaq, marketwired, and newswire,” the FBI explained.

    The FBI shared another message from Darkside ransomware actors in April that said, “Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges.” “If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares. Write to us in ‘Contact Us’ and we will provide you with detailed information,” the ransomware group wrote on its blog.

    Recorded Future’s Allan Liska told ZDNet that what the FBI is describing has been going on for a while. He noted that REvil specifically discussed using stock valuation and merger activity as extortion techniques during ransomware attacks, and the DarkSide ransomware group did the same. “However, what the FBI is reporting is an escalation of these tactics. We know that ransomware groups monitor news stories closely, it sounds like they are now using information gathered from the news to target specific companies during financially sensitive times (such as a merger or public offering),” Liska said. “Outside of a few industries, we aren’t used to thinking of ransomware attacks as ‘targeted,’ in a traditional sense. But, if the FBI report is accurate, ransomware groups are going after specific companies during these periods. If I were a company planning for an IPO or a merger, I would closely monitor underground forums for stolen credentials and ensure that I am being extra cautious about security during that period.”

    A recent study from Comparitech showed that ransomware attacks do have some temporary effect on the stock price and financial health of companies. The study showed that right after a ransomware attack, a company’s share price fell 22% on average. But the report found that the dip typically lasts anywhere from one day to 10 days. In the end, the report said most ransomware attacks did not have a big effect on victim companies.

    “Despite data loss, downtime, and possibly paying a ransom or fine or both, share prices for attacked companies continue to outperform the market following a very brief drop. Even cybersecurity firms themselves seem insulated from any prolonged dip in share price when their own cybersecurity fails in the face of a ransomware attack,” Comparitech’s Paul Bischoff said. “The exception is Ryuk ransomware, which had a more severe negative impact on share price than other types of ransomware. Data breaches have a larger and lengthier negative impact on share price than ransomware, according to our other study, but only marginally so. And bear in mind that these two attacks are often combined.”

    Ransomware expert and Emsisoft threat analyst Brett Callow told ZDNet that ransomware actors use every bit of leverage they can possibly get — whether that’s using bots to promote their attacks on Twitter, doing press outreach, contacting customers or, per this alert, using non-public information obtained during the reconnaissance phase of attacks to further pressure victims. “We’ve also seen incidents in which actors appeared to have delayed encrypting compromised networks until it was closer to the time of a significant event. None of this is surprising,” Callow said. “The gangs’ tactics have become progressively extreme over the last couple of years and, unfortunately, that’s not likely to change any time soon.”
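    The reconnaissance behaviour quoted above (a RAT searching a victim’s network for filing and newswire terms) is the kind of activity endpoint telemetry can surface. The following Python is an added example, not code from the FBI notice or from ZDNet; the log format, host names, user names and the alert threshold are assumptions, while the keyword list is the one quoted in the notice.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Search terms the FBI notice quotes from the Pyxie RAT analysis (taken from the page).
FINANCIAL_KEYWORDS = ("10-q", "10-sb", "n-csr", "nasdaq", "marketwired", "newswire")

# Constructed sample endpoint telemetry. The key=value layout, host names and
# users are assumptions for this example, not any real product's log schema.
SAMPLE_LOG = r"""
2020-03-12T09:14:02Z host=WS-FIN-07 user=jdoe event=file_search query="q3 budget"
2020-03-12T23:41:10Z host=WS-FIN-07 user=svc_backup event=file_search query="10-Q draft"
2020-03-12T23:41:45Z host=WS-FIN-07 user=svc_backup event=file_search query="nasdaq listing"
2020-03-12T23:42:30Z host=WS-FIN-07 user=svc_backup event=file_read path="\\fs01\legal\n-csr_2020.docx"
2020-03-12T23:43:05Z host=WS-FIN-07 user=svc_backup event=file_search query="newswire"
2020-03-13T10:05:00Z host=WS-HR-02 user=asmith event=file_search query="nasdaq"
2020-03-13T10:05:30Z host=WS-HR-02 user=asmith event=file_read path="C:\Users\asmith\onboarding.pdf"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'event=(?P<event>\S+) (?:query|path)="(?P<target>[^"]*)"$'
)


def parse_line(line):
    """Parse one telemetry line into a dict; return None for anything unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def match_keywords(text):
    """Return the set of financial-filing keywords present in a search query or file path."""
    low = text.lower()
    return {kw for kw in FINANCIAL_KEYWORDS if kw in low}


def detect(lines, window=timedelta(minutes=10), min_keywords=3):
    """Flag (host, user) pairs that touch at least min_keywords distinct terms inside
    one sliding time window. A single hit is ordinary finance work; a burst across
    several filing and newswire terms matches the reconnaissance pattern described."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kws = match_keywords(rec["target"])
        if kws:
            hits[(rec["host"], rec["user"])].append((rec["ts"], kws))

    alerts = []
    for (host, user), events in hits.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(events):
            seen, last = set(), start
            for ts, kws in events[i:]:
                if ts - start > window:
                    break
                seen |= kws
                last = ts
            if len(seen) >= min_keywords:
                alerts.append({"host": host, "user": user, "keywords": sorted(seen),
                               "first_seen": start, "last_seen": last})
                break  # one alert per (host, user) is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(f"{alert['host']} {alert['user']}: {', '.join(alert['keywords'])} "
              f"between {alert['first_seen']:%H:%M:%S} and {alert['last_seen']:%H:%M:%S}")
```

    On the constructed sample, only the off-hours service-account burst on WS-FIN-07 is flagged; the single HR lookup of “nasdaq” stays below the threshold.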

  • Linux Foundation adds software supply chain security to LFX

    “LFX supports projects and empowers open source teams by enabling them to write better, more secure code, drive engagement, and grow sustainable software ecosystems,” the Linux Foundation says. Now, to address the growing threat of software supply chain attacks, the foundation is upgrading its LFX Security module to deal with these attacks.

    Jim Zemlin, the Linux Foundation’s executive director, announced this new tooling today at the Linux Foundation Membership Summit. Enhanced and free to use, LFX Security makes it easier for open source projects to secure their code. Specifically, the LFX Security module now includes automatic scanning for secrets-in-code and non-inclusive language, adding to its existing automated vulnerability detection capabilities. Software security firm BluBracket is contributing this functionality to LFX as part of its mission to make software safer and more secure. It builds on contributions from open source developer security company Snyk, helping make LFX the leading vulnerability detection platform for the open source community.

    LFX Security now includes:

    • Vulnerabilities Detection: LFX tracks how many known vulnerabilities have been found in open source programs, identifies vulnerabilities that have already been fixed, and then reports on the number of fixes per project through an intuitive dashboard. Fixing known vulnerabilities in open source projects helps cleanse software supply chains at their source, greatly enhancing the quality and security of code further downstream in development pipelines. Snyk provides this functionality for the community and has helped open source software projects remediate nearly 12,000 known security vulnerabilities in their code.

    • Code Secrets Detection: BluBracket’s contributions detect secrets-in-code, such as passwords, credentials, keys, and access tokens, both pre- and post-commit. Left in place, these secrets are used by attackers to gain entry into repositories and other important code infrastructure.

    • Non-Inclusive Language Detection: BluBracket’s contributions also include the ability to detect non-inclusive and offensive language in project code. This language, which may have been accepted in earlier generations, is no longer a joke. It can stop users and developers from using the code and ultimately serves as a barrier to creating a welcoming and inclusive community. BluBracket worked with the Inclusive Naming Initiative on this functionality.

    “It’s up to all of us to secure our software supply chain, and we are grateful to Snyk and BluBracket for their significant contributions to the open-source community,” Zemlin said during the membership summit.

    “We believe the Linux Foundation’s LFX Security project is the absolute best way for critical software projects to secure their code… We know that LFX Security will greatly enhance our software supply chain’s security, and we look forward to working with the community to keep code safe,” Prakash Linga, BluBracket’s founder and CEO, added.

    LFX Security will be further scaled out in 2022, helping to solve challenges for hundreds of thousands of critical open source projects under the Open Source Security Foundation. LFX Security is free and available now.

  • CISA promotes election cybersecurity platform debunking misinformation

    CISA has published a trove of information about election cybersecurity and misinformation for Election Day. Voters in dozens of states are heading to the polls today, with crucial gubernatorial races in New Jersey and Virginia as well as pivotal mayoral elections in Atlanta, New York City, Buffalo and Boston.

    The cybersecurity agency reiterated that there is “no specific, credible threat to election infrastructure” but noted that it is “ready to provide cyber incident response and expertise if needed.”

    CISA created an “Election Security Rumor vs Reality” page to debunk rumors and misinformation that circulate on the internet. The agency has been forced to address numerous conspiracy theories and misinformation — sometimes from elected officials themselves — since the 2020 presidential election. CISA said that with more than 30 states voting on a variety of positions and referendums, it decided to host an election situational awareness room that allows it to “coordinate with federal partners, state and local election officials, private sector election partners, and political organizations to share real-time information and provide support as needed.”

    “CISA has supported state and local election officials to help secure their systems and push back against malicious actors seeking to disrupt our democratic process and interfere in our elections,” CISA election security initiative director Geoff Hale said. “We look forward to continuing this work in collaboration with our election partners to ensure the security and resilience of elections in 2021 and beyond.”

    This will be the first election held under the watch of new CISA director Jen Easterly, who urged people to visit the CISA website “to help debunk election security mis-, dis-, and malinformation that aims to undermine public confidence in the electoral process.”

    Election security has been a contentious issue in the US since the 2016 election. Multiple US intelligence agencies confirmed that the Russian government, and others, launched a variety of attacks on election security systems alongside efforts to spread disinformation. The FBI was forced to release new guidelines in 2020 on how it would approach cyberattacks on elections after facing years of criticism from lawmakers across the country for its response to the Russian intrusion attempts during the 2016 election.

    The Senate Intelligence Committee concluded in 2019 that election systems in all 50 states were targeted by Russia in 2016. No votes were changed, but state officials, particularly those in Florida, were incensed when the Mueller Report revealed that two county voting databases were breached by Russian hackers ahead of the 2016 election. The FBI never told state-level officials and only coordinated with people in the counties that had been hit, waiting nearly two years before meeting and explaining the situation to Florida Gov. Ron DeSantis.

  • IBM acquires endpoint security company ReaQta, announces expanded XDR suite

    IBM announced plans on Tuesday to acquire endpoint security company ReaQta, expanding its footprint in the extended detection and response (XDR) market. IBM said ReaQta’s tools use AI to “automatically identify and manage threats” while staying hidden from cyberattackers. The technology giant said the acquisition was part of a larger announcement about the expansion of its QRadar brand, which will now include a new suite of XDR offerings.

    Mary O’Brien, general manager at IBM Security, said the complexity of modern computer systems had “created a cloak” that allowed cybercriminals and nation states to get around security systems. “The future of security is open, using technologies that can connect the security insights that are buried across disparate tools and advanced AI to identify and automatically respond to threats more quickly across their entire infrastructure, from endpoint to cloud,” O’Brien said. “With our expanded capabilities via QRadar XDR and the planned addition of ReaQta, IBM is helping clients get ahead of attackers with the first XDR solution that reduces vendor lock-in via the use of open standards.”

    The QRadar XDR platform is designed to provide “comprehensive visibility” across IBM’s slate of security tools and data sources. ReaQta’s tools will help offer clients “continuous monitoring and rapid response as part of a zero trust approach,” according to IBM.

    ReaQta is based in the Netherlands and has a headquarters in Singapore. IBM said it expects the deal to close later this year. The financial terms of the deal were not disclosed.

    “ReaQta’s behavioral-based platform helps stop known and unknown threats in real-time and can be deployed in a hybrid model — on premise or in the cloud as well as air gapped environments,” IBM explained. “Through deep learning done natively on the endpoint the platform constantly improves on defining threat behavior tailored to each business per endpoint, allowing it to block any abnormal behavior. ReaQta’s platform also leverages a unique ‘Nano OS’ that monitors the operating systems from the outside, helping to prevent interference by adversaries.”

    ReaQta CEO Alberto Pelliccione added that the company’s mission has always been to better equip cybersecurity teams with advanced technology to quickly identify and block new attacks. “Joining forces with IBM will enable us to enhance and scale our unique AI capabilities across all types of environments via a proven platform for threat detection and response,” Pelliccione said.

    ReaQta’s tools will be integrated into the IBM QRadar XDR suite, which was built on IBM’s Cloud Pak for Security. The suite includes tools for Security Information and Event Management (SIEM), Network Detection and Response (NDR), and Security Orchestration, Automation and Response (SOAR), and now, thanks to ReaQta, Endpoint Detection and Response (EDR). IBM has worked with a number of other cybersecurity companies and alliances, including the Open Cybersecurity Alliance, to build out the XDR ecosystem.