
    These ransomware criminals lost millions of dollars in payments when researchers secretly found mistakes in their code

    A major ransomware operation was prevented from making millions of dollars after cybersecurity researchers discovered a flaw in the ransomware that enabled encrypted files to be recovered without paying a ransom to cyber criminals.

    Cybersecurity researchers at Emsisoft have detailed how they were secretly able to foil the cyber criminals behind BlackMatter ransomware, saving several victims from having to pay the ransom. After keeping what they were doing under wraps to avoid the cyber criminals finding out, the researchers have now disclosed how they were undermining BlackMatter by providing decryption keys to victims of its attacks.

    BlackMatter has been active in its current incarnation since July this year, but has actually been around for a lot longer than that: the consensus among information security analysts is that BlackMatter is a rebranded version of DarkSide ransomware.

    DarkSide became notorious earlier this year as the culprits behind the Colonial Pipeline ransomware attack. The incident led to shortages of gas and fuel across the US North Eastern seaboard, while the criminals walked away with millions of dollars when Colonial paid the ransom. But the impact of the attack didn’t go unnoticed, and shortly after the White House vowed action against those responsible, DarkSide lost control of part of its critical infrastructure and some of its Bitcoin wallets were seized. The group seemed to go dark after that.

    However, DarkSide soon re-emerged as BlackMatter, and the cyber criminals behind it don’t appear to have been put off by finding themselves in the sights of the US government. They have gone on to launch a string of ransomware attacks against companies in North America.

    Posts by BlackMatter on underground forums offering to buy access to compromised networks in the USA, Canada, the UK, and Australia claimed that BlackMatter wouldn’t go after hospitals or state institutions. But this was untrue: in addition to critical infrastructure in the form of several agricultural companies, the group has also struck blood testing facilities.

    “The gang’s claim that attacks on the critical infrastructure and certain other sectors was empty: it attacked the very organisations it said it would not,” Brett Callow, threat analyst at Emsisoft, told ZDNet.

    “So why did they make the claim in the first place? It may have been an attempt to avoid attracting immediate attention from law enforcement agencies in the aftermath of the Colonial Pipeline incident or, perhaps, they believed that companies would be more inclined to negotiate if they didn’t appear to be thugs who attacked hospitals.”

    In December last year, Emsisoft researchers noticed a mistake made by the DarkSide operators that allowed the decryption of data encrypted by the Windows version of the ransomware without the need for a ransom to be paid — although the criminals fixed it in January.

    However, it turns out that the ransomware group made a similar mistake once again when they rebranded, and researchers uncovered a flaw in the BlackMatter ransomware payload which allowed victims to recover files without paying the ransom. After uncovering the second vulnerability, Emsisoft worked with others to provide as many BlackMatter victims as possible with the decryption key before they paid the ransom, a move that has prevented cyber criminals from pocketing tens of millions of dollars. Unfortunately, BlackMatter eventually figured out that something was wrong and closed the loophole.

    “BlackMatter will likely have suspected something was amiss when their revenue started to dip, and will have become more suspicious the longer it went on. Unfortunately, it’s inevitable that gangs will realise they have a problem in these situations. All we can do is work quickly and quietly to help as many victims as we possibly can while the windows of opportunity exist,” said Callow.

    “This effort shows the importance of public-private sector collaboration. Working together, we can put a big dent in the profitability of cybercrime, and that’s a key element in combatting the ransomware problem,” he added.

    Ransomware remains a major information security issue, and the best way to avoid having to react to an attack is to not become a victim in the first place. Cybersecurity strategies like applying security patches in a timely manner, ensuring multi-factor authentication is applied across the network, and only providing users with the access they need — for example, by not giving admin privileges to people who don’t need them — can all help prevent ransomware attacks.

    As for BlackMatter, it’s likely they’ll carry on — but their mistakes may have damaged their reputation in cyber criminal circles.

    “I wouldn’t be at all surprised if the operators were to abandon the BlackMatter name and rebrand. Their reputation will be in the toilet. Their repeated mistakes have cost affiliates money. Lots of money,” said Callow.

    AWS wins deal to store UK spy agencies' work, brings AI to the table

    Intelligence agency GCHQ has signed a deal with Amazon Web Services (AWS) to host classified material and boost the use of artificial intelligence for espionage purposes. Although the procurement of cloud infrastructure from AWS was signed off by GCHQ, it will also be used by sister spy services MI5 and MI6, and the Ministry of Defence during joint operations, according to the Financial Times.

    The deal had not been made public and was signed earlier this year, according to the report. It is worth £500m to £1bn over the next decade, FT sources said.

    In a February opinion piece for the Financial Times, GCHQ director Jeremy Fleming said that the agencies “expect AI to be at the heart of this transformation and we want to be transparent about its use.” So-called “good AI” would allow “analysts to deal with ever increasing volumes and complexity of data, improving the quality and speed of decision-making.” This could include identifying and countering troll farms peddling fake news, as well as tracking networks that traffic people, drugs or weapons, Fleming noted.

    AWS has a range of AI-powered tools, including its controversial Rekognition image and video analysis platform, speech-to-text/text-to-speech, translation and text analysis, and a secret region purpose-built for the US intelligence community. The CIA in November awarded its C2E contract to a panel of providers including Amazon, Google, IBM, Microsoft and Oracle, as FedScoop reported at the time. That contract was previously awarded solely to AWS in 2013.

    AWS will host GCHQ’s and its sister agencies’ top-secret information. Spooks should find it easier to share information from field locations overseas and use AWS tools like speech recognition and machine translation for faster processing of intercepted recordings. It will also give spies the tools to run faster searches on each other’s databases.

    Ciaran Martin, the former head of GCHQ’s National Cyber Security Centre, said the deal with AWS was “not about collecting or hoarding more data,” but was to “use existing large amounts of data more effectively”.

    Selecting a US cloud provider raises some questions about the UK’s digital sovereignty. FT sources said GCHQ initially sought a UK provider but couldn’t find a domestic player with the required scale or capabilities.

    Ransomware has proliferated because it's 'largely uncontested', says GCHQ boss

    If you’ve wondered why ransomware has proliferated in recent years, it’s because until recently it has remained unchallenged, according to Sir Jeremy Fleming, director of British signals intelligence agency GCHQ. “We’ve seen twice as many [ransomware] attacks this year as last year in the UK – but the reason it is proliferating is because it works,” Fleming told the US Cipher Brief threat conference.

    “It just pays. Criminals are making very good money from it and are often feeling that that’s largely uncontested…we’ve got to get our head around what this means and we have up until quite recently left a lot of this playing space to those criminal actors in effect to proliferate and to make a lot of money.”

    Last month, the UK launched the National Cyber Force (NCF), a group with offensive capabilities that unites personnel from the Ministry of Defence (MoD), GCHQ, the Secret Intelligence Service (MI6), and the Defence Science and Technology Laboratory (DSTL). Despite the NCF’s offensive capabilities, Fleming insisted that “the UK is not building a cyber warfare centre”.

    “There’s real danger, I think, in over-militarising, with due respect to all of my military colleagues on both sides of the pond,” Fleming said. However, he added: “There is a place for western democratic liberal nations…to be able to contest cyberspace, and in the UK we’ve been doing that for decades.

    “That’s been part of GCHQ’s mission for decades and we need our policymakers and, in some aspects of the mission, our military leaders to be able to bring cyber capabilities into play.”

    The way to address ransomware profits is through regulating and controlling cryptocurrencies, Fleming suggested.

    “I can see in the policy debate on the US side and I see the policy debate here, and you quite quickly get into the ways in which criminals profit — you quite quickly get into cryptocurrencies and how those are regulated and controlled,” he said.

    While most countries back the idea of disrupting ransomware operators and the overall business model, some have developed policy that makes an exception for ransomware attacks on critical infrastructure. The Netherlands minister of foreign affairs, Ben Knapen, recently outlined how its Defense Cyber Command “can carry out a counter-attack at the end of the day to avert an enemy action or to protect an essential interest of the state”. However, the minister said it normally resorts to diplomatic or legal channels.

    At US President Joe Biden’s recent cybersecurity summit with 30 countries, participating nations agreed to cooperate to target the abuse of financial mechanisms to launder ransom payments or conduct other activities that make ransomware profitable. They will also aim to disrupt the ransomware ecosystem via law enforcement collaboration to investigate and prosecute ransomware actors. Safe havens for ransomware criminals would be addressed, along with continued diplomatic engagement.

    There’s suspicion in the US that Russia turns a blind eye to ransomware gangs operating in its territory. Following the ransomware attack on Colonial Pipeline last year, Biden said he warned Russian President Vladimir Putin that critical infrastructure should be off limits.

    Nearly all US execs have experienced a cybersecurity threat, but some say there's still no plan

    A new survey suggests the majority of US executives have encountered a cybersecurity incident but this has not translated into the creation of incident response plans.

    On Tuesday, Deloitte published the results of a new survey, conducted between June 6 and August 24, 2021, which includes the responses of 577 C-suite executives worldwide (159 in the US) on today’s cybersecurity threats.

    The research — including insight from those in CEO, CISO, and other leadership roles — suggests that nearly all US executives (98%) have come across at least one cybersecurity event over the past year, in comparison to 84% internationally.

    The COVID-19 pandemic has led to an increase in cybersecurity incidents, and it appears that the event rate may disproportionately have impacted organizations in the United States. According to Deloitte’s research, 86% of US executives have noticed an uptick in attack attempts, a higher climb than that experienced by 63% of leadership worldwide.

    Despite the ongoing risk of cyberattacks, US enterprise firms are not up to par when it comes to implementing defense and incident response initiatives. In total, 14% of US executives have no such plans, in comparison to 6% of non-US executives. Problems including data management issues, infrastructure complexities, failures to keep up with technological advances, and missteps in prioritizing cybersecurity are all cited as challenges in coming up with workable cybersecurity plans.

    Over 2021, incidents including the Microsoft Exchange Server hacking wave, the ransomware incidents at JBS and Colonial Pipeline, and the DDoS attack against KT have highlighted the severe business disruption caused by successful attacks.

    Of interest is that rather than malware, phishing, or data breaches being a top concern, 27% of executives said they were most worried about the actions of “well-meaning” employees who may inadvertently create avenues for attackers to exploit. However, only 41% of organizations say they have implemented solutions to track and monitor the risk factors associated with staff access and behavior.

    The research suggests that the common consequences experienced by today’s firms after an incident include disruption (28%), a drop in share value (24%), intellectual property theft (22%), and damage to reputation that prompts a loss in customer trust (22%). In addition, in 23% of cases, a cyberattack can lead to a change in leadership roles.

    “No CISO or CSO ever wants to tell organizational stakeholders that efforts to manage cyber risk aren’t keeping up with the speed of digital transformations made, or bad actors’ improving tactics,” commented Deborah Golden, Deloitte Risk & Financial Advisory Cyber and Strategic Risk leader and principal. “Aggressive organizational digital transformations and continued remote work for some seem to be shining more of a spotlight on the human side of cyber events — both the cyber talent gap and the potential risk well-meaning employees can pose. We see leading organizations turning to advanced technologies to help bridge those gaps.”

    Third-party data breach in Singapore hits healthcare provider

    Another third-party security breach has been reported in Singapore, this time affecting patients of Fullerton Health and compromising personal data that included bank account details in “a few cases”. The affected vendor, Agape Connecting People, whose platform facilitates appointment booking, first detected the breach on October 19; the breach appeared to affect only Fullerton Health.

    The healthcare services provider said none of its own IT systems, network, and databases were impacted by the breach. It filed reports with both the police and the Personal Data Protection Commission, which oversees Singapore’s Personal Data Protection Act.

    Agape first detected the intrusion on October 19 and “acted immediately” to isolate and suspend use of the system, the vendor said in a statement Monday. “None of our core infrastructure has been compromised,” it said, adding that the breach “appears” to be limited to Fullerton Health. However, it noted that it still was in the process of confirming that no other clients were affected.

    Describing itself as a social enterprise, Agape operates a contact centre to provide employment for the disadvantaged, including inmates, the physically disabled, ex-offenders, and single mothers. It has a capacity of more than 250 seats and aims to support 1,000 disadvantaged individuals by 2022. Agape said it was working with cybersecurity experts to implement “mitigating action” to minimise further impact from the breach.

    Fullerton Health said on October 21 it was alerted “a few days ago” that its customer personal data could have been exposed and initiated an investigation. It found that an unauthorised party had gained access to a server used by Agape, compromising personal data of patients whom Agape had assisted in making appointments.

    Such details included names, identification numbers, and contact details, as well as bank account details in “a few cases” and “certain limited health-related information”. No credit card information or passwords were leaked, Fullerton Health said. The company services corporate clients and their employees, at least one of whom had been confirmed to have their personal data potentially exposed. Fullerton Health said it still was working to ascertain the number and identity of individuals affected by the breach.

    Digital forensic and cybersecurity professionals had been roped in to help with its investigations, the healthcare provider said, adding that they also were trying to determine the root cause and full extent of the breach. “We are conducting a thorough review of our processes and protocols relating to data security and the use of third-party service providers to further strengthen our information security,” Fullerton Health said. It said data relating to COVID-19 vaccinations carried out at its vaccination centres were not compromised, since the information had been stored separately on a system not shared with Agape.

    Singapore has seen a spate of supply chain attacks this past year that compromised personal data of, amongst others, 580,000 Singapore Airlines (SIA) frequent flyers, 129,000 Singtel customers, and 30,000 individuals in an incident involving job-matching organisation e2i.

    The Singapore Computer Emergency Response Team (SingCERT) last year handled 9,080 cases, up from 8,491 the year before and 4,977 in 2018, with marked increases in ransomware, online scams, and COVID-19 phishing activities, revealed a July 2021 report released by the Cyber Security Agency of Singapore (CSA). The number of reported ransomware attacks saw a significant spike of 154% in 2020, with 89 incidents, compared to 35 in 2019. These mostly affected small and midsize businesses (SMBs) in various sectors including manufacturing, retail, and healthcare.

    Schools put the brakes on facial recognition scheme for kids buying lunch

    Schools in the United Kingdom have paused the rollout of facial recognition scans in cafeterias following backlash from data watchdogs and privacy advocates.

    Last week, the Information Commissioner’s Office (ICO), the UK’s data and privacy regulator, intervened after nine schools in North Ayrshire, Scotland, began scanning student faces to take payment for school lunches. At the time, more schools were expected to follow suit. The scheme was defended as a cashless, quick, and contactless means of payment in light of COVID-19.

    However, the ICO and privacy outfits were quick to note that in a time where law enforcement is roundly criticized for using the same technology on the streets, introducing it in schools may be unnecessary. Big Brother Watch director Silkie Carlo said: “It’s normalizing biometric identity checks for something that is mundane. You don’t need to resort to airport-style [technology] for children getting their lunch.”

    The ICO told The Guardian that the organization would contact North Ayrshire council to talk about data protection laws concerning minors and to see if a “less intrusive” payment option was available. This could include contactless payment on cards or fingerprint readers, the former of which is widely used in the United Kingdom.

    As reported by the BBC, the local council has “temporarily paused” the program, while one of the schools has completely closed down the scheme. “Whilst we are confident the new facial recognition system is operating as planned, we felt it prudent to revert to the previous PIN (personal identification number) system while we consider the inquiries received,” the North Ayrshire Council tweeted.

    One of the companies named as involved in the rollout, CRB Cunninghams, describes the technology as “a contactless biometric method that enhances the speed of service and retains the security of fingerprints.”

    In other facial recognition news, several weeks ago the European Parliament voted in favor of a resolution barring law enforcement in the region from using facial recognition technologies. While not legally binding, the parliamentary body is currently working on rules to rein in the use of facial recognition and artificial intelligence (AI) across both the public and private sectors.

    ZDNet has reached out to CRB Cunninghams for comment.

    Mozilla Firefox cracks down on malicious add-ons used by 455,000 users

    Mozilla’s Firefox browser team has cracked down on malicious add-ons, blocking software with a 455,000 user base.

    On October 25, the development team said that in early June, Firefox discovered add-ons that were misusing the browser’s proxy API, which software uses to manage how the browser connects to the internet. Add-ons are software modules that can be installed to customize a user’s browsing experience and may include anti-tracking software, ad blockers, themes, and utilities. However, they may also become a conduit for malicious purposes, such as data theft or eavesdropping, a challenge faced by all browser developers.

    According to Mozilla, the add-ons removed in the sweep tampered with the browser’s update functionality; in particular, users were unable to download updates, access updated blocklists, or update remotely configured Firefox content. The add-ons have been blocked, and approval of new add-on submissions that used the proxy API was temporarily paused while a fix was created and deployed.

    Firefox, starting with v.91.1, now also includes changes to harden the update process. A fallback mechanism to direct connections for update purposes and other “important requests” made by the browser has been implemented, allowing downloads to take place whether or not a proxy configuration causes connection issues.

    The system add-on, “Proxy Failover,” has been deployed to Firefox users.

    Mozilla released Firefox version 93 at the beginning of October. The latest build includes a new tab unloading feature, the ability to block HTTP downloads from HTTPS web pages, and the end of default support for 3DES encryption.

    Mozilla has urged users to make sure their Firefox version is up to date. Developers making use of the proxy API are being asked to start including the following in their add-ons to expedite future reviews:

        "browser_specific_settings": {
          "gecko": {
            "strict_min_version": "91.1"
          }
        }

    “We take user security very seriously at Mozilla,” the team says. “Our add-on submission process includes automated and manual reviews that we continue to evolve and improve in order to protect Firefox users.”

    KT clarifies routing error caused outage instead of DDoS attack

    South Korean telco KT has said its network outage on Monday was caused by an internal router issue, backtracking on its initial claim that the incident was caused by a large-scale distributed denial-of-service (DDoS) attack.

    In a statement, the telco said it initially suspected a DDoS attack due to traffic overload, but after it scrutinised the matter it found that the cause was a routing error. KT added it would cooperate with the government to investigate the precise cause. The telco has yet to explain what caused the routing error in the first place or how it led to the outage; it expects to announce this at a later date.

    KT’s nationwide network suffered an outage on Monday for around 40 minutes at around 11am local time. The telco’s subscribers were unable to use their credit cards, trade stocks, or access apps, while some large commercial websites were also shut down during that period.

    South Korean police, who are also investigating the matter, said they could not find any circumstances to indicate that there was an external cyber attack in their initial investigations.

    Meanwhile, the Ministry of Science and ICT is still conducting its own investigations on the matter. The ministry has ordered KT to investigate the extent of the damage caused to customers by the outage.