More stories

  • Australia commences work on electronic surveillance law reforms

    The Australian government has commenced work to reform the country’s electronic surveillance laws, which have been labelled as overly complex, inconsistent, and incompatible with the current technology landscape. The federal government committed to reforming these laws earlier this year after a review into Australia’s intelligence community found comprehensive legislative changes were required, specifically in repealing existing powers and combining them to avoid duplication, contradictory definitions, and any further ad hoc amendments to existing laws.

    “In short, we conclude that the legislative framework governing electronic surveillance in Australia is no longer fit for purpose,” the review said. The review said that problems with the framework have accumulated after 40 years of continued amendments.

    The laws in question enable agencies to use electronic or technical means that would normally be unlawful to covertly listen to a person’s conversations, access a person’s electronic data, observe certain aspects of a person’s behaviour, and track a person’s movements for the purposes of preventing serious crimes and security threats.

    The federal government’s initial work, coming in the form of a discussion paper, has set out the guiding principles for how it will approach making these electronic surveillance law reforms. Among these principles is that the reforms will look to develop a new single Act that better protects information and data, and ensures that law enforcement agencies have the appropriate powers to investigate serious crimes and security threats.

    Currently, there are three different sets of laws focusing on electronic surveillance: the Surveillance Devices Act (SD Act), enacted 15 years ago; the ASIO Act and the Telecommunications (Interception and Access) Act, both 40 years old; and the foundations of the surveillance framework, which date back to decisions made in 1949.

    In the discussion paper, Home Affairs said it envisions the new Act will “harmonise the existing warrant framework” to provide more consistent safeguards on the authorisation and use of electronic surveillance powers. Under the current framework, some powers, such as accessing stored communications, need separate warrants, while other powers, such as accessing telecommunications data, can be authorised internally. “Despite the overlap between powers and their similar levels of intrusiveness, they are not subject to a consistent approach in terms of thresholds, purposes, safeguards, or accountability,” Home Affairs said.

    According to the discussion paper, the reforms will also look to modernise and streamline the laws by updating key concepts and clearly identifying the agencies that can seek access to this information, while balancing that with ensuring the laws are clear, transparent, and usable. The concepts and definitions that government will reconsider range from the definition of communications, to the distinction between content and non-content information, to the kinds of providers that hold relevant information and data, and the kinds of information that may be obtained through surveillance and tracking devices. It noted that the current definition of communications, which primarily focuses on conversations and messages, does not appropriately represent modern-day communications.

    “There is now a wider range of information and data passing over the telecommunications network, such as machine-to-machine signals between servers, routers, and modems that enable the network to route communications to their intended destination,” Home Affairs wrote in the discussion paper. “Whether something is a communication therefore has significant consequences for whether that information is protected. As a result, there may be gaps in the limits, controls, and safeguards that apply to this information, even where it is passing over the telecommunications network.”

    The discussion paper also confirmed that government would follow the review’s recommendation not to add more judicial oversight to these powers as part of the reforms. Instead, Home Affairs outlined that it would like only the Inspector-General of Intelligence and Security and the Commonwealth Ombudsman to continue overseeing the use of electronic surveillance by law enforcement agencies. As part of the discussion paper’s release, Home Affairs will also be seeking consultation about the reforms. It will be accepting submissions to the discussion paper until mid-February next year.

    Last week, the Commonwealth Ombudsman published its report to Home Affairs on the extent to which law enforcement agencies have complied with the SD Act. In the report, the Ombudsman found that South Australian Police had no process for destroying records as required by the SD Act. The state police agency said it would prioritise implementing a destruction regime.

    The Ombudsman also found the Australian Federal Police (AFP) failed to destroy protected information for over a month after it was authorised for destruction four times. There was also one instance where the AFP took five months to destroy a piece of protected information. The AFP also disclosed two instances where it collected data outside of a warrant provided under the SD Act. One of those instances entailed the AFP collecting 12 files from a device despite the warrant for collecting information from that device having already expired.

    The Commonwealth Ombudsman also revealed it found three instances of the Australian Criminal Intelligence Commission (ACIC) not destroying protected information as soon as practicable as required by the Act, eight instances where the agency did not destroy protected information within five years, and several instances where the ACIC certified protected information for retention after it had already been certified for destruction.

  • FBI: Cuba ransomware group hit 49 critical infrastructure organizations

    The FBI has released a new notice about the Cuba ransomware, explaining that the group has attacked “49 entities in five critical infrastructure sectors” and made at least $43.9 million in ransom payments.

    In a notice sent out on Friday, the FBI said the group is targeting enterprises in the financial, government, healthcare, manufacturing, and information technology sectors while using the Hancitor malware to gain entry to Windows systems.

    “Cuba ransomware is distributed through Hancitor malware, a loader known for dropping or executing stealers, such as Remote Access Trojans (RATs) and other types of ransomware, onto victims’ networks,” the notice explained, noting that the encrypted files have the “.cuba” extension.

    “Hancitor malware actors use phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools to gain initial access to a victim’s network. Subsequently, Cuba ransomware actors use legitimate Windows services — such as PowerShell, PsExec, and other unspecified services — and then leverage Windows Admin privileges to execute their ransomware and other processes remotely.”

    The eye-popping ransom payments were dwarfed by the amount of money the group has demanded from victims, which the FBI pegged at $74 million.

    Once a victim is compromised, the ransomware installs and executes a CobaltStrike beacon while two executable files are downloaded. The two files allow attackers to acquire passwords and “write to the compromised system’s temporary (TMP) file.”

    “Once the TMP file is uploaded, the ‘krots.exe’ file is deleted and the TMP file is executed in the compromised network. The TMP file includes Application Programming Interface (API) calls related to memory injection that, once executed, deletes itself from the system. Upon deletion of the TMP file, the compromised network begins communicating with a reported malware repository located at Montenegro-based Uniform Resource Locator (URL) teoresp.com,” the FBI explained.

    “Further, Cuba ransomware actors use MimiKatz malware to steal credentials, and then use RDP to log into the compromised network host with a specific user account. Once an RDP connection is complete, the Cuba ransomware actors use the CobaltStrike server to communicate with the compromised user account. One of the initial PowerShell script functions allocates memory space to run a base64-encoded payload. Once this payload is loaded into memory, it can be used to reach the remote command-and-control (C2) server and then deploy the next stage of files for the ransomware. The remote C2 server is located at the malicious URL kurvalarva.com.”

    The FBI included other attack information as well as a sample ransom note and email the attackers typically include.

    Ransomware experts were somewhat surprised by the amount of money the group made considering its level of activity relative to other, more prominent ransomware groups. Emsisoft threat analyst Brett Callow said the report illustrated how lucrative the ransomware industry is, considering the Cuba ransomware group is not in his top ten list in terms of activity. His data shows 105 Cuba ransomware submissions this year compared to 653 for the Conti ransomware group.

    “This really highlights how much money there is to be made from ransomware. Cuba is a relatively small player and if they made $49 million, other outfits will have made considerably more,” Callow told ZDNet. “And this, of course, is why ransomware is such a difficult problem to deal with. The massive rewards mean people consider the risks worthwhile.”

    Since January, the group has operated a leak site, becoming one of the many ransomware groups that threaten to release stolen data if victims do not pay. The McAfee Advanced Threat Research Team released a detailed report on the group in April, noting many of the same things the FBI found in its analysis. McAfee researchers also found that while the group had been around for years, it only recently began extorting victims with its leak site. The group typically targets companies in the US, South America and Europe. McAfee said that the group has sold stolen data in some instances.

    “Cuba ransomware is an older ransomware that has been active for the past few years. The actors behind it recently switched to leaking the stolen data to increase its impact and revenue, much like we have seen recently with other major ransomware campaigns,” the McAfee report explained. “In our analysis, we observed that the attackers had access to the network before the infection and were able to collect specific information in order to orchestrate the attack and have the greatest impact. The attackers operate using a set of PowerShell scripts that enables them to move laterally. The ransom note mentions that the data was exfiltrated before being encrypted.”

    The group made waves in February when it attacked payment processor Automatic Funds Transfer Services, forcing multiple US states to send out breach notification letters. First reported by Bleeping Computer, the attack involved the theft of “financial documents, correspondence with bank employees, account movements, balance sheets and tax documents.” The incident also caused significant damage to the company’s services for weeks. Multiple states were concerned because they used the company for a variety of services that gave it access to people’s names, addresses, phone numbers, license plate numbers, VIN numbers, credit card information, paper checks and other billing details, according to Bleeping Computer. The state of California and multiple cities in Washington state were affected and sent out breach notification letters.

    Allan Liska, a ransomware expert with Recorded Future, said the FBI report also showed the observability problem with the ransomware landscape.

    “There were 28 victims published to the Cuba extortion site, but the FBI knew about at least 49 victims. We only knew about 1/2 of their victims,” Liska said. “Despite the small number of victims, the FBI claiming they made at least $43.9 million shows that ransomware continues to be extremely profitable for these threat actors. Their targets tended to be medium sized organizations and were spread around the world. I think it shows there is a lot we don’t know.”

  • Sensitive information of 30k Florida healthcare workers exposed in unprotected database

    More than 30,000 US healthcare workers’ personal information was recently exposed due to a non-password-protected database, according to security researcher Jeremiah Fowler and a team of ethical hackers with Website Planet. Fowler discovered a database run by Gale Healthcare Solutions with 170,239 exposed records that included names, emails, home addresses, photos and, in some cases, Social Security Numbers as well as tax documents.

    Gale Healthcare Solutions is a Tampa, Florida tech company that connects healthcare workers with healthcare organizations looking to hire people for certain shifts. The company did not respond to repeated requests for comment. Fowler said the information also included forms about certain incidents, disciplines and terminations.

    “We only reviewed a limited sampling of documents and did not review each and every file. The files were hosted on an AWS cloud server and many of the registration documents were open and publicly accessible,” Fowler told ZDNet. “The images I saw were usually of the healthcare worker’s face or ID badge, but the url contained their full name, SSN and a number consistent with an SSN. Here is an example of how the link appeared: .com/gale-registration-documents/documents/last_name_first_name-LPN/-SSN-*********.jpeg. I called several individuals and validated only that these were real people and their information matched that in the files.”

    Fowler explained that he didn’t feel it was appropriate to ask victims for their SSN or ask them to validate the information due to the highly sensitive nature of SSNs.

    “These people have a hard enough job without a random stranger calling them and reading out their SSN to them. If the names, phone numbers, and locations of these individuals matched those who I called and validated, it is logical to assume that the number indicated as SSN would most likely be real,” he added. “I can only speculate that someone at Gale likely assumed this would make content management easier if the link had all needed information and could be easily indexed in a readable format and not a more secure unidentifiable internal code ID structure. They also overlooked that these URL paths and file names were not secure or private. Even if the images did not contain pictures of SSN cards, an exposure in numerical text of the image name is just as much of a privacy risk and identity threat.”

    Fowler and other ethical hackers with Website Planet search for serious data leaks by investigating open, unprotected databases that they find randomly, never targeting specific companies.

    The 170,239 records covered medical workers, nurses, and caregivers. In a report, Fowler explained that internal email addresses, usernames, and administrative passwords were stored in plain text. Fowler and his team contacted Gale and public access to the database was closed the same day. The company never responded to their questions.

    During his investigation of the database, Fowler found that multiple administrative accounts used weak passwords, noting that in a sampling of 10,000 records, “Password” appeared 2,921 times.

    “We could also see multiple internal Admin accounts that used very similar and easy passwords. This is the first time I have ever seen full names and a number called ‘SSN’ in the actual file name. In theory the file wouldn’t have to be opened to expose sensitive data because the file name alone contained what appeared to be PII (personally identifiable information),” Fowler added. “The Covid 19 pandemic has hit healthcare workers hard with long hours and many are physically and emotionally exhausted. Hospitals all over the United States are suffering from a shortage of healthcare workers. Any service that allows hospitals to fill their shifts is extremely important and valuable to sick patients. It is unfortunate that this incident may have exposed the data of frontline workers during an already difficult time. Healthcare workers’ private information publicly available also poses a risk of unwanted harassment, intimidation, or cyber stalking.”

    Fowler said it was unclear how long the database had been exposed and who else may have accessed it. Gale did not respond to requests for comment about whether it has notified any healthcare workers who may have had their sensitive information exposed. He said the company is required to notify victims as part of the Florida Information Protection Act of 2014.

  • Bill proposes suspension of instant payments in Brazilian state as crime surges

    As crime increases in Brazil, a new bill is proposing the suspension of the instant payments system Pix in the state of São Paulo.

    If the bill put forward by the São Paulo Legislative Assembly is signed into law, it will prevent financial services providers and payment institutions from processing payments through Pix until the Brazilian Central Bank introduces mechanisms to ensure consumer safety. The Assembly can vote to revoke the law if the Central Bank presents a technical security report that demonstrates what measures have been implemented. The objective is to prevent situations like the so-called lightning kidnappings, whereby consumers are forced to make instant transfers to criminals while being held for ransom.

    Introduced in November 2020 as part of a broader modernisation of the Brazilian financial services environment — which also includes ongoing initiatives such as Open Banking — Pix has more than 104 million registered users and has processed more than 1.6 billion transactions since it launched. Around 75% of the transfers carried out via Pix in its first year of operation took place between individuals. According to the Central Bank, the system enabled financial inclusion at a significant scale; around 40 million Brazilians who had never made a money transfer before did so through the instant payments system.

    Transfers are made through a Pix “key,” which acts as a sort of nickname associated with a user’s full account details and is meant to simplify the payment process. A Pix key could be a user’s mobile phone number, tax registration number, email address, a randomly generated alphanumeric string, or a QR code.

    The convenience introduced by the instant payments system created loopholes for criminal action, however, prompting the Central Bank to impose limits on the value of transactions made between 8pm and 6am and on weekends. Other measures included a precautionary block on the receipt of transfers for up to 72 hours in cases of suspected fraud, as well as a special return mechanism scam victims can use.

    The author of the bill that aims to suspend Pix in the state of São Paulo, congressman Campos Machado, notes that banks did not anticipate that “the enormous ease and convenience [Pix offers] to users would also bring dexterity to criminals, who have discovered the comfort and speed of using it to their advantage.”

    The debate over instant payments in the context of increasing crime follows the first major data protection incident involving Pix, which occurred in October. More than 395,000 Pix keys under the custody and responsibility of the Bank of the State of Sergipe (Banese) — likely obtained through social engineering or phishing techniques — were leaked.

  • Crooks are selling access to hacked networks. Ransomware gangs are their biggest customers

    There’s been a surge in cyber criminals selling access to compromised corporate networks as hackers look to cash in on the demand for vulnerable networks from gangs looking to initiate ransomware attacks.

    Researchers at cybersecurity company Group-IB analysed activity on underground forums and said there’s been a sharp increase in the number of offers to sell access to compromised corporate networks, with the number of posts offering access tripling between 2020 and 2021. Crooks are claiming to offer access to compromised Virtual Private Network (VPN) and Remote Desktop Protocol (RDP) login credentials, as well as web shells, reverse shells, Cobalt Strike penetration testing tools and more. With this access, cyber criminals can enter a company’s network and attempt to gain usernames and passwords or administrator rights, which allow them to gain further control over the network.

    On the underground forums being analysed, the number of offers to sell access to corporate networks went up from 362 to 1,099, a threefold rise in just a year, and the report warns that the increase is “one of the clearest trends on underground forums”. Some of the most common industries to which access is being offered include manufacturing, education, financial services and healthcare.

    The cost of access varies greatly and can sometimes be a few thousand dollars – something a ransomware crew could make back many times over from a successful attack. But there’s a direct correlation between access value and the victim company’s revenue – the higher the revenue, the higher the price.

    One of the key reasons there’s been an increase in sellers is demand, which is being driven by the growth in ransomware attacks. Ransomware groups need access to networks, and buying access is easier and less time consuming than compromising networks themselves.

    “Ransomware operators are the main ‘customers’ of initial access brokers’ (IAB) services,” Dmitry Shestakov, head of cybercrime research at Group-IB, told ZDNet. “This unholy alliance of IABs and ransomware operators as part of ransomware-as-a-service affiliate programs has led to the rise of the ransomware empire,” he added.

    Another reason for the growth of initial access markets is that there is a relatively low skills threshold for engaging in this sort of cyber crime. These less sophisticated cyber criminals can use phishing attacks or buy off-the-shelf malware to steal information.

    The report also suggests that gaining this initial access has got easier due to the rise in remote working as a result of the pandemic, which has resulted in many organisations unintentionally using insecure or misconfigured applications which cyber criminals can easily exploit. And as long as there are insecure networks which can be accessed and a demand from other cyber criminals to buy access to those networks, the rise of the access broker market looks set to continue.

    “We expect the number of brokers and initial access offers to grow. As the supply increases to meet the demand, we expect the price of initial access to corporate networks to decrease,” said Shestakov. “Ransomware will remain the main way to monetize access to corporate networks because it provides the highest possible return on investment for IABs,” he added.

    There are measures which organisations can take to help avoid cyber criminals breaching the network and gaining access to credentials. They include installing software updates and security patches on a regular and timely basis to protect against known vulnerabilities, encouraging the use of strong passwords which are difficult to breach in brute-force attacks, and applying multi-factor authentication to accounts so that if credentials are compromised, there are limited opportunities for attackers to exploit them.

  • It's a truly cruel scam. Here's the dramatic way Google is trying to stop it

    The call comes. And your instinct is to react instantly.
    Screenshot by ZDNet

    We all think we’re invulnerable. Until life events — or callous cyberscamming sorts — prove otherwise.

    One momentary lapse of judgment, one careless moment of instant reaction, and we can descend into a hole from which it’s hard to emerge.

    A particularly cruel scam involves preying on those — the elderly or those not well versed with officialdom, for example — who are most willing to believe an official-sounding phone call is real.

    The caller may claim — as did one I received the other day — that they’re from the “Department of Taxes.” They may claim that a member of your family has been arrested and needs to have their bail paid. And, as panic may set in, the request is simple: you can make this all go away with some gift cards.

    That may sound completely scammish to most, but not to all. Yet, how can you get through to the most vulnerable?

    Cybersecurity platform Scam Spotter, a non-profit collaboration between the Cybercrime Support Network and Google, is trying something different. Instead of dire warnings that may not get through in a relatively dire world, it’s gone for the action movie treatment.

    Its new ad shows us a grandmother receiving a call late at night. “Your granddaughter has been incarcerated in a foreign jail,” begins the robotic voice. “She has provided your number as a family representative to pay her bail. The only form of payment we accept is gift cards.”

    Because that’s the currency of most foreign countries. Everyone knows that.

    In this case, however, instead of presenting grandma as a victim, Scam Spotter turns her into an action hero. She’s not going to pay with gift cards out of fear. She has quite another gift in mind.

    Fortunately, she’s adept at driving very fast, leaping very high, piloting a helicopter, skydiving with accuracy, and disabling horrible little men. She rescues her teenage granddaughter with consummate aplomb, as this message appears: “If it sounds unbelievable, it probably is.”

    A lesson for life, not merely for scams.

    Scam Spotter’s website offers simple rules to go by when you receive one of these calls: Don’t fall for the apparent urgency of the situation. Double-check the details. (There really is no Department of Taxes.) And never, ever send anything to these people.

    “No reputable person or agency will ever demand payment on the spot,” says Scam Spotter.

    The scammers keep doing it because people keep falling for it. Scam Spotter is, at least, trying a different way to attack an issue that causes so much needless suffering.

    One can only hope it works. Or begins to work. Or has at least a tiny effect.

  • Password-stealing and keylogging malware is being spread through fake downloads

    Cyber criminals are using online adverts for fake versions of popular software to trick users into downloading three forms of malware – including a malicious browser extension with the same capabilities as trojan malware – that provide attackers with usernames and passwords, as well as backdoor remote access to infected Windows PCs.

    The attacks, which distribute two forms of seemingly undocumented custom-developed malware, have been detailed by cybersecurity researchers at Cisco Talos, who’ve named the campaign ‘magnat’. It appears the campaign has been operating in some capacity since 2018 and the malware has been in continuous development.

    Over half of the victims are in Canada, but there have also been victims around the world, including in the United States, Europe, Australia and Nigeria.

    Researchers believe that victims are tricked into downloading the malware via malvertising – malicious online adverts – that trick them into downloading fake installers of popular software onto their systems. The users are likely to be looking for the legitimate versions of the software, but get directed to the malicious versions by advertising. Some of the software that users are tricked into downloading includes fake versions of messaging apps such as Viber and WeChat, as well as fake installers for popular video games like Battlefield.

    The installer doesn’t install the advertised software but instead installs three forms of malware – a password stealer, a backdoor and a malicious browser extension, which enables keylogging and taking screenshots of what the infected user is looking at.

    The password stealer being distributed in the attacks is known as Redline, a relatively common malware that steals all the usernames and passwords it finds on the infected system. Magnat previously distributed a different password stealer, Azorult. The switch to Redline likely came because Azorult, like many other forms of malware, stopped working correctly after the release of Chrome 80 in February 2020.

    While the password stealers are both commodity off-the-shelf malware, the previously undocumented backdoor installer – which researchers have called MagnatBackdoor – appears to be a more bespoke form of malware that has been distributed since 2019, although there are times where distribution has stopped for months.

    MagnatBackdoor configures the infected Windows system to enable stealthy remote desktop protocol (RDP) access, as well as adding a new user and scheduling the system to ping a command and control server run by the attackers at regular intervals. The backdoor allows attackers to secretly gain remote access to the PC when required.

    The third payload is a downloader for a malicious Google Chrome extension, which researchers have named MagnatExtension. The extension is delivered by the attackers and doesn’t come from the Chrome Extension Store.

    This extension contains various means of stealing data directly from the web browser, including the ability to take screenshots, steal cookies, steal information entered in forms, as well as a keylogger, which registers anything the user types in the browser. All of this information is then sent back to the attackers.

    Researchers have likened the capabilities of the extension to a banking trojan. They suggest the ultimate aim of the malware is to obtain user credentials, either for sale on the dark web or for further exploitation by the attackers. The cyber criminals behind MagnatBackdoor and MagnatExtension have spent years developing and updating the malware and that’s likely to continue.

    “These two families have been subject to constant development and improvement by their authors – this is likely not the last we hear of them,” said Tiago Pereira, a security researcher at Cisco Talos.

    “We believe these campaigns use malvertising as a means to reach users that are interested in keywords related to software and present them links to download popular software. This type of threat can be very effective and requires that several layers of security controls are in place, such as endpoint protection, network filtering and security awareness sessions,” he added.

  • Twitter removes another 3,000 state-backed accounts linked to six countries

    Image: Nikolas Kokovlis/NurPhoto via Getty Images

    Twitter has removed another 3,465 state-backed accounts as part of efforts to limit the influence of information manipulation campaigns on the web. The social media platform explained in a blog post that the account sets that have been removed include eight “distinct operations” that can be attributed to China, Mexico, Russia, Tanzania, Uganda, and Venezuela. “Every account and piece of content associated with these operations has been permanently removed from the service,” Twitter said.

    Listing out the operations, the majority of accounts removed in this round of purges were linked to China, with over 2,000 of them amplifying Chinese Communist Party narratives related to the treatment of the Uyghur population in Xinjiang. Another network of around 100 accounts was connected to “Changyu Culture”, a private company backed by the Xinjiang regional government.

    Rounding out the top three governments that had their linked accounts removed was the Ugandan government, with 418 linked accounts that used inauthentic activity to support having the Ugandan presidential incumbent Museveni removed, while 277 Venezuelan accounts amplifying accounts and content that supported the presiding government were removed.

    In addition to banning these accounts and the content shared by them, Twitter has shared relevant data from this disclosure with the Australian Strategic Policy Institute, Cazadores de Fake News, and the Stanford Internet Observatory.

    The disclosure comes during a week in which Twitter’s founder Jack Dorsey resigned from the company’s CEO post. Twitter on Wednesday also announced the expansion of its private information policy to include the sharing of private media, such as photos and videos, without permission from the individuals depicted in them.