More stories

  •

    SolarWinds hackers, Nobelium, once again strike global IT supply chains, Microsoft warns

    Microsoft has warned that Nobelium, the hacking group behind the SolarWinds fiasco, has targeted at least 140 resellers and technology service providers in global IT supply chains.

    On October 24, Tom Burt, Microsoft Corporate Vice President of Customer Security & Trust, said in an advisory that the advanced persistent threat (APT) group, of Russian origin, has now pivoted to software and cloud service resellers in order to “piggyback on any direct access that resellers may have to their customers’ IT systems.”

    The Redmond giant says that Nobelium’s latest campaign was spotted in May this year and that no fewer than 140 companies have been targeted, with 14 confirmed cases of compromise.

    Nobelium was responsible for the SolarWinds breach, disclosed by Microsoft and FireEye (now known as Mandiant) in December 2020. SolarWinds’ systems were breached and an update for its Orion software was poisoned and later deployed to approximately 18,000 customers. The APT then selected a small number of high-profile targets to exploit, including Microsoft, FireEye, the Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA), and the US Treasury. After the malicious update was pushed through SolarWinds’ legitimate channels, malware was planted on these systems, including the Sunburst/Solorigate backdoor.

    Microsoft estimates that the feat may have taken the efforts of up to 1,000 engineers. The latest wave of attacks, however, does not appear to exploit any specific vulnerability or security flaw; instead, the group is relying on password spraying, phishing, API abuse, and token theft to obtain account credentials and privileged access to victims’ systems. Resellers are attractive targets because they often hold delegated administrative access to their customers’ cloud tenants, so a single compromised reseller account can be used against many downstream customers without touching those customers’ own defences.

    The new campaign is part of the Russian threat actors’ wider activities. Between July 1 and October 19, Microsoft warned 609 customers of 22,868 attack attempts, although the company notes that the success rate is in the “low single digits.” Prior to July 1, Microsoft had alerted customers to nation-state attack attempts a total of 20,500 times, including a past phishing campaign launched by Nobelium that impersonated USAID.

    “This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and [to] establish a mechanism for surveilling — now or in the future — targets of interest to the Russian government,” Microsoft commented. “Fortunately, we have discovered this campaign during its early stages, and we are sharing these developments to help cloud service resellers, technology providers, and their customers take timely steps to help ensure Nobelium is not more successful.”

    Microsoft has informed all impacted vendors and has also released technical guidance outlining how Nobelium attempts to move laterally across networks to reach downstream customers.

    In a statement, Mandiant SVP and CTO Charles Carmakal said the firm has investigated multiple cases of suspected Russian cyberattacks in which supply chain relationships between technology providers and customers were exploited.

    “While the SolarWinds supply chain attack involved malicious code inserted in legitimate software, most of this recent intrusion activity has involved leveraging stolen identities and the networks of technology solutions, services, and reseller companies in North America and Europe to ultimately access the environments of organizations that are targeted by the Russian government,” Carmakal commented.

  •

    Tesco's website restored after suspected cyberattack

    UK supermarket giant Tesco has restored access to its website and app after an outage struck the service on Saturday, preventing customers from ordering or cancelling deliveries until Sunday evening. In a statement to The Guardian, Tesco said that “an attempt was made to interfere with our systems, which caused problems with the search function on the site.”


    The retailer, whose 1.3 million online orders per week account for nearly 15% of its UK sales, said there was no reason to believe the attempted interference impacted customer data.

    Tesco confirmed on Sunday evening that its website and app were restored, but that it was using a virtual waiting room to handle a backlog in orders. “Our groceries website and app are back up and running. To help us manage the high volume we’re temporarily using a virtual waiting room. We’re really sorry for any inconvenience and thank you for your patience,” Tesco said on Twitter.

    Tesco Bank was fined £16.4m by the UK’s Financial Conduct Authority (FCA) over a 2016 incident in which cyber attackers stole £2.26m from 9,000 customers. The FCA found multiple flaws in the design of its debit card system. For example, Tesco Bank inadvertently issued debit cards with sequential primary account numbers (PANs), which meant that anyone holding one valid card number could derive its neighbours, since the only non-sequential digit, the final check digit, is computed with the public Luhn algorithm. The bank was also criticised for its slow response to the fraudulent transactions.
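    To make concrete why sequential PANs are a design flaw, the following added example (not code from Tesco, the FCA or ZDNet) implements the Luhn check digit and shows that, given one card from a sequentially issued range, an attacker can enumerate the neighbouring live cards with certainty, whereas unpredictable allocation leaves enumeration with a negligible hit rate. The issuer prefix 000000, the 16-digit layout and both issuer functions are constructed for illustration; no real BIN is used.

```python
"""Luhn check digits and why sequential PAN issuance is enumerable. Constructed example."""
import random

FAKE_PREFIX = "000000"   # constructed issuer identifier, deliberately not a real BIN
ACCOUNT_DIGITS = 9       # 6 prefix + 9 account + 1 check digit = 16-digit PAN


def luhn_check_digit(partial_pan: str) -> str:
    """Check digit that makes partial_pan + digit pass the Luhn test.
    Working from the right, every other digit (starting with the one that will sit
    next to the check digit) is doubled, doubled values above 9 have 9 subtracted,
    and the total must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(partial_pan)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) >= 2 and luhn_check_digit(pan[:-1]) == pan[-1]


def sequential_neighbours(pan: str, count: int) -> list:
    """From one card number out of a sequential range, produce the next `count` PANs the
    issuer would have handed out: same prefix, account number incremented, check digit
    recomputed. No secret is needed, only one customer's card."""
    body, width = int(pan[:-1]), len(pan) - 1
    out = []
    for k in range(1, count + 1):
        partial = f"{body + k:0{width}d}"
        out.append(partial + luhn_check_digit(partial))
    return out


def issue_sequential(n: int, start: int = 100_000_000) -> list:
    """The flawed design: account numbers handed out in order."""
    cards = []
    for i in range(n):
        partial = f"{FAKE_PREFIX}{start + i:0{ACCOUNT_DIGITS}d}"
        cards.append(partial + luhn_check_digit(partial))
    return cards


def issue_random(n: int, seed: int = 1) -> list:
    """Unpredictable allocation. The fixed seed keeps the demo reproducible; a real
    issuer would draw from a CSPRNG (the secrets module), never a seeded PRNG."""
    rng = random.Random(seed)
    cards = set()
    while len(cards) < n:
        partial = f"{FAKE_PREFIX}{rng.randrange(10 ** ACCOUNT_DIGITS):0{ACCOUNT_DIGITS}d}"
        cards.add(partial + luhn_check_digit(partial))
    return sorted(cards)


def enumeration_hit_rate(issued: list, known_card: str, guesses: int) -> float:
    """Fraction of an attacker's Luhn-valid guesses, derived from one known card,
    that correspond to a live card in `issued`."""
    live = set(issued)
    return sum(g in live for g in sequential_neighbours(known_card, guesses)) / guesses


if __name__ == "__main__":
    seq, rnd = issue_sequential(1000), issue_random(1000)
    print("sequential issuance, 100 guesses from one card:", enumeration_hit_rate(seq, seq[0], 100))
    print("random issuance,     100 guesses from one card:", enumeration_hit_rate(rnd, rnd[0], 100))
```

    Every guess passes the Luhn check in both cases; the difference is only whether the guessed number belongs to a live account, which is why the check digit is an integrity aid and not a secret.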

    Tesco grocery customers have complained about its handling of orders and cancellations during the website outage. Some customers said they were told on Saturday to cancel their orders, but subsequently were informed Tesco was unable to access or change any orders. Other customers reported on social media they were trying to beat the 11:45pm cut-off time to cancel orders after placing orders with rival supermarkets.  

    Yesterday you said to send a DM to cancel my order due today. Today I get a reply to say it’s not possible. I understand you still have IT issues but much as I love Gin I don’t need 2 bottles & some crisps this evening, when @asda saved the day with actual food this morning! pic.twitter.com/53Lg7bijGW— Sara Willman (@myflowerpatch) October 24, 2021

    In the US, the FBI recently warned that the food and agriculture sector was increasingly the focus of ransomware attacks that threatened to disrupt the food supply chain. It followed an attack on global meatpacking business JBS, which paid the attackers $11 million to restore access to encrypted data. Swedish grocery chain Coop was unable to take card payments at its stores for three days earlier this year after ransomware attackers compromised managed IT service providers through Kaseya’s VSA product, which was abused to push a malicious update to the providers’ customers.

    Tesco last year reissued 600,000 Clubcard cards after discovering a security issue that allowed attackers to use credentials leaked from other platforms on its own websites to redeem vouchers. That technique is credential stuffing: username and password pairs from a breach elsewhere are replayed against unrelated accounts, and succeed wherever the password was reused. It is distinct from password spraying, an increasingly common attack in which a short list of commonly used passwords is tried against many accounts at once. Both produce large numbers of failed sign-ins spread thinly across many accounts, which is the pattern a defender can look for.
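    The two credential attacks described on this page, the password spraying Microsoft attributes to Nobelium in the story above and the credential stuffing behind the Clubcard reissue, leave different fingerprints in sign-in logs. The following added example (not code from Microsoft, Tesco or ZDNet) runs both detections over a constructed log: a spray is one source touching many accounts with one or two failures each, while stuffing is many accounts failing once each from many different sources, with any successes inside the burst being the reused passwords that worked. The log format, the window length and the thresholds are assumptions to tune for a real environment.

```python
"""Password-spray and credential-stuffing detection over sign-in logs. Constructed example."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[SignIn]:
    """Parse lines of the assumed form '<ISO-8601 timestamp> <source-ip> <user> OK|FAIL'."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split()
        events.append(SignIn(datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result == "OK"))
    return sorted(events, key=lambda e: e.ts)


def _time_buckets(events: list[SignIn], window: timedelta) -> list[list[SignIn]]:
    """Group events into fixed-length windows, oldest window first."""
    buckets = defaultdict(list)
    for e in events:
        buckets[int(e.ts.timestamp() // window.total_seconds())].append(e)
    return [buckets[k] for k in sorted(buckets)]


def detect_password_spray(events, window=timedelta(minutes=10), min_users=10, max_per_user=2) -> dict[str, int]:
    """One source, a few passwords, many accounts: each account sees at most a failure or
    two, but a single IP touches many accounts. Returns {source_ip: accounts targeted}."""
    flagged: dict[str, int] = {}
    for bucket in _time_buckets(events, window):
        per_ip = defaultdict(lambda: defaultdict(int))
        for e in bucket:
            if not e.ok:
                per_ip[e.ip][e.user] += 1
        for ip, users in per_ip.items():
            if len(users) >= min_users and max(users.values()) <= max_per_user:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_users=20,
                               min_ip_ratio=0.5, max_per_user=2) -> list[dict]:
    """Leaked pairs replayed once each, usually from a botnet: many accounts fail once,
    each from a different source. Successes inside the burst are queued for review."""
    findings = []
    for bucket in _time_buckets(events, window):
        fails = [e for e in bucket if not e.ok]
        per_user = defaultdict(int)
        for e in fails:
            per_user[e.user] += 1
        ips = {e.ip for e in fails}
        if (len(per_user) >= min_users
                and len(ips) / len(per_user) >= min_ip_ratio
                and max(per_user.values()) <= max_per_user):
            findings.append({
                "start": bucket[0].ts.isoformat(),
                "users": len(per_user),
                "ips": len(ips),
                "review": sorted({e.user for e in bucket if e.ok}),
            })
    return findings


def sample_log() -> str:
    """Constructed sign-in log (not real data): a legitimate user, one spray, one stuffing burst."""
    base = datetime(2021, 10, 25, 9, 0, tzinfo=timezone.utc)
    lines = []
    # bob mistypes his password three times, then gets in from his usual address
    for i, result in enumerate(["FAIL", "FAIL", "FAIL", "OK"]):
        lines.append(f"{(base + timedelta(seconds=20 * i)).isoformat()} 192.0.2.10 bob@example.com {result}")
    # password spray: one source, twelve accounts, one attempt each
    for i in range(12):
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()} 198.51.100.7 user{i:02d}@example.com FAIL")
    # credential stuffing an hour later: 24 accounts, each tried once from its own address;
    # two of the leaked passwords were reused and succeed
    later = base + timedelta(hours=1)
    for i in range(24):
        result = "OK" if i in (3, 17) else "FAIL"
        lines.append(f"{(later + timedelta(seconds=5 * i)).isoformat()} 203.0.113.{i + 1} user{i:02d}@example.com {result}")
    return "\n".join(lines)


if __name__ == "__main__":
    events = parse_log(sample_log())
    print("password spray sources:", detect_password_spray(events))
    print("credential stuffing windows:", detect_credential_stuffing(events))
```

    Bob's three failures do not trip either rule: the spray rule needs one source across many accounts, and the stuffing rule needs many accounts across many sources, so a legitimate user fumbling one account from one address stays below both. The thresholds are starting points; a low-and-slow spray spread over days needs a longer window and a per-source account count kept across windows.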

  •

    Large DDoS attack shuts down KT's nationwide network

    South Korean telco KT said on Monday that the temporary nationwide shutdown of its network earlier that day was caused by a large-scale distributed denial-of-service (DDoS) attack. Customers on the telco’s network were unable to access the internet for around 40 minutes at around 11am on Monday, and could not use credit cards, trade stocks, or access online apps during that period. Some large commercial websites were also knocked offline. General internet access has since been restored for KT users in most areas of the country.

    A KT spokesperson said the telco’s network was shut down by a large-scale DDoS attack and that, during the outage, the company’s crisis management team was working to restore the network to normal. KT had yet to determine the extent of the damage or who was behind the attack, the spokesperson added. Police and the Ministry of Science and ICT said they were also looking into the matter in collaboration with KT. The ministry did not confirm that the network failure was caused by a DDoS attack, but said the other major telcos, SK Telecom and LG Uplus, were not affected.

    Despite not being victims of the DDoS attack, users of SK Telecom and LG Uplus services voiced complaints on social media about network failures at those telcos as well. Spokespeople for both said the failures were caused by a sudden surge of traffic from KT users shifting onto their services because of KT’s outage, and that they would be monitoring the situation closely.

  •

    AFP is looking to be 'more aggressive' with new cyber offensive arm

    Image: ACT Policing
    The Australian Federal Police is conducting an internal review to implement a new cyber offensive arm, AFP commissioner Reece Kershaw said at Senate Estimates on Monday morning.

    “At the moment, we’re actually going through an internal review of how we can be more aggressive in cyber, and it may mean a mini restructure internally for us to really have what we would call a cyber offensive operation of the AFP, which would actually conduct disruption operations on these individuals,” he said.

    Kershaw said this process has included talking with the Five Eyes alliance about the growth of cyberthreats. Kershaw is currently the chair of Five Eyes’ law enforcement group.

    Throughout his testimony at Senate Estimates, Kershaw explained that the powers given to the AFP through the Surveillance Legislation Amendment (Identify and Disrupt) Act 2021, which passed earlier this year, would allow its cyber offensive capabilities to increase across various fronts, from countering child abuse, to spam, to terrorism. “So [spam is] something we’re looking forward to using those new powers to, you know, it is my personal pet hate. I get multiple ones a day,” Kershaw said.

    Through the new laws, the AFP and the Australian Criminal Intelligence Commission (ACIC) will gain the ability to apply for three new warrants to deal with online crime. The first is a data disruption warrant, which gives police the ability to “disrupt data” by modifying, copying, adding, or deleting it. The second is a network activity warrant that would allow the AFP and ACIC to collect intelligence from devices or networks that are used, or likely to be used, by those subject to the warrant. The last is an account takeover warrant that will allow the agencies to take control of an online account for the purposes of gathering information for an investigation.

    “This is the next frontier of crime, and the AFP and our partners will work with governments and global law enforcement networks to ensure the long arm of the AFP reaches criminals no matter where they are in the world,” Kershaw said in his opening statement at Senate Estimates. “Our investigators are already strategising how they will use the new powers in active investigations to identify, target, and disrupt offenders — including those relating to terrorism, large drug importations, and distribution of child abuse material.”

    The Attorney-General’s department is currently working on authorising the warrant application process, with AFP Deputy Commissioner Ian McCartney saying that this would be resolved in the coming weeks.

    In the AFP’s annual report [PDF] released last week, the agency said the past year saw it expand cyber operational capacity and build technical capabilities as part of a $90 million investment by the Australian Government across four years. This includes the ransomware action plan’s new Orcus taskforce and an AFP-led multi-agency taskforce called Dolos that targets business email compromise fraud. The AFP added that it carried out 163 disruption activities and charged eight offenders with 21 offences in relation to cybercrime during 2020-21.

  •

    Singtel sells off payment card compliance business

    Singtel has sold off SecureTrust, the payment card compliance business of its cybersecurity unit Trustwave, in a deal worth $80 million, as part of efforts to “optimise” the group’s resource allocation and growth focus. The move is part of the Singapore telco’s strategic review of its digital businesses that kicked off in May this year.

    SecureTrust was sold to Sysnet Global Solutions for a cash consideration of $80 million, Singtel said in a statement on Monday. It added that some Trustwave assets deemed “complementary” to the telco’s telecommunications and systems integration business in Asia-Pacific would be transferred to Singtel as well as its subsidiaries NCS and Optus. This integration would allow for “closer alignment” with the respective business unit’s core products and services and enable each to focus on core competencies, Singtel said.

    The SecureTrust sale would put Singtel’s cybersecurity revenue in the region at SG$350 million ($259.57 million), the telco said.

    Singtel Group CEO Yuen Kuan Moon said: “This divestment is the first step following an extensive review of the Trustwave business and serves to sharpen its focus and reposition it for growth. With enterprises pivoting fast to hybrid, multi-cloud environments, the cyber threat landscape has changed considerably and the need for a focused set of services centred on managed threat detection and response has grown.” Trustwave would focus its core offerings on managed detection and response, managed security services, and consulting services, Yuen added.

    Singtel’s systems integration business NCS in July announced a “strategic reset” to pivot from a traditional ICT company primarily based in Singapore to a pan-Asia digital and technology services player. With expansion plans targeted at Australia and Greater China, NCS said it planned to add 2,000 new roles over two years and had earmarked six key sectors to drive its growth into the enterprise space, including healthcare and financial services.

    Singtel, alongside joint bidder Grab, secured one of four digital bank licences in Singapore last December. In their pitch for the licence, the two partners said they would target “digital-first” consumers and small and midsize businesses, offering products and services to address the “unmet and underserved” in these market segments. Grab owns a 60% stake in the partnership. Digital bank licensees were expected to begin operations in the country from early 2022.

  •

    These are the 10 best bargains on VPN subscriptions

    As the world opens up again to travel, you may want to get a head start and learn a new language or two. You will also want to protect yourself with a VPN, both at home and abroad. One caveat before the deals: “military-grade encryption” is marketing shorthand that in practice means AES-256, which every serious VPN already uses, and a “zero-logging” claim can only be judged against a provider’s published audits and home jurisdiction, not its sales copy. Here are 10 deals on VPN services:

    KeepSolid VPN Unlimited: Lifetime Subscription. Do you want a VPN that has it all? KeepSolid offers unlimited speed and bandwidth on over 400 servers, plus security features that include military-grade encryption, a kill switch, zero-logging, and more. For a limited time only, get it for $39.99 (reg. $199).

    FastestVPN: Lifetime Subscription (5 Devices). Get a lifetime of VPN protection for up to five devices. In addition to military-grade encryption, you get a NAT firewall, kill switch, zero logging, anti-malware, ad blocker, and more. For a limited time only, get it for $19.99 (reg. $24.99).

    BulletVPN: Lifetime Subscription. A VPN bargain for new users with fast servers in 51 countries. According to The VPN Guru: “If you are looking for a reliable, fast, and secure VPN provider, I would definitely recommend BulletVPN.” For a limited time only, get it for $38.99 (reg. $540).

    Disconnect VPN Premium: Lifetime Subscription (5 Devices). Get a VPN that keeps you safe without slowing you down. The New York Times says: “We researched and tested four tracker blockers and found their results varied widely. In the end, the app Disconnect became our anti-tracking tool of choice.” For a limited time only, get it for $39.99 (reg. $700).

    SlickVPN: Lifetime Subscription. If you’re looking for a VPN for fast anonymous torrenting, look no further. It has 125 gateways, all with strong encryption. For a limited time only, get it for $19.99 (reg. $1200).

    WifiMask VPN Unlimited Devices: 3-Year Subscription. Users new to WiFiMask can get a deal on speedy, secure VPN protection on all of their devices, with access to 21 servers spread over eight countries. For a limited time only, get it for $39.99 (reg. $143).

    Hop VPN: Lifetime Subscription. Hop is offering new users a lifetime of VPN protection from snooping, firewalls, and blocking, and lets you turn your entire home into a VPN server. For a limited time only, get it for $39.99 (reg. $148).

    BelkaVPN: Lifetime Subscription. First-time Belka subscribers can get a great deal on a lifetime of low-latency VPN protection. Access to over 120 servers, encryption, no logging, and more are all included. For a limited time only, get it for $39.99 (reg. $719).

    VPN.asia: 10-Year Subscription. VPN coverage in Asia can be hard to come by, but new users can get VPN protection in Asia at a large discount for a full 10 years. For a limited time only, get it for $79.99 (reg. $1080).

    AdGuard VPN: 1-Year Subscription. New users can get VPN protection from AdGuard for up to five devices. In addition to the usual protection, the service automatically shows you the closest and fastest servers. For a limited time only, get it for $19.99 (reg. $71).

  •

    CISA awards $2 million to cybersecurity programs for rural, diverse communities

    CISA has announced awards of $2 million to two organizations training underserved communities in cybersecurity. The funding will go to NPower and CyberWarrior, two programs helping to train veterans, military spouses, women and people of color for cybersecurity positions. These are the first awards of their kind handed out by CISA. CISA Director Jen Easterly said addressing the cyber workforce shortage requires the agency to proactively seek out, find and foster prospective talent from nontraditional places. “CISA is dedicated to recruiting and training individuals from all areas and all backgrounds with the aptitude and attitude to succeed in this exciting field,” Easterly said. “It’s not just the right thing to do; it’s the smart thing to do — for the mission and the country. We’re best positioned to solve the cyber challenges facing our nation when we have a diverse range of thought bringing every perspective to the problem.”

    The organizations are targeting communities with high unemployment as well as those who are underemployed and underserved in both rural and urban areas. CISA explained that it is looking to support programs that benefit communities and populations that may not have access to cybersecurity training. CISA, CyberWarrior and NPower will work together to “develop a scalable and replicable proof of concept to successfully identify and train talented individuals around the country.”

    They noted that the effort will help address the “staggering” shortage of cybersecurity talent facing the country. “CyberWarrior is honored to take part in the Cybersecurity Workforce Development and Training Pilot for Underserved Communities,” said Reinier Moquete, founder of the CyberWarrior Foundation. “Working with CISA and other stakeholders, our 28-week bootcamp program will train persons from underserved populations for a career in cybersecurity. We encourage prospective students, employers and workforce stakeholders to reach out and join us in building opportunities for these individuals.”

    According to CISA, the three-year program seeks to establish a cybersecurity pathways retention strategy while also providing entry-level cybersecurity training and hands-on professional development experience through apprenticeships. Bertina Ceccarelli, CEO of NPower, said her organization’s cybersecurity program offers young adults and veterans the opportunity to advance their careers and deepen their specialties. “This is particularly important for individuals coming from underrepresented communities that systemically lack access to those specialized skills,” Ceccarelli said. “We are honored for the support from CISA, which will enable NPower to expand our reach to trainees across the country.”

    The award is part of a larger effort by CISA and other agencies to diversify the cybersecurity industry. On Friday, Easterly, NSA cybersecurity director Rob Joyce and Institute for Security and Technology CEO Philip Reiner handed their Twitter accounts over to three Black women, who spoke about their experiences in the tech industry while urging other women of color to join in. CISA has also created a CYBER.org initiative and a Cyber Education and Training Assistance Program to promote cybersecurity among young people.

  •

    Hackers somehow got their rootkit a Microsoft-issued digital signature

    Cybersecurity researchers at Bitdefender have detailed how cyber criminals have been using FiveSys, a rootkit that somehow made its way through Microsoft’s driver certification process and carries a valid Microsoft digital signature.

    The valid signature lets the rootkit, malicious software that allows cyber criminals to access and control infected computers, load as a trusted kernel driver: Windows enforces driver-signing requirements precisely to keep unsigned or untrusted code out of the kernel, and a Microsoft-signed driver passes that check and gains what researchers describe as “virtually unlimited privileges”. Cyber criminals are known to use stolen code-signing certificates, but in this case they obtained a legitimate signature from Microsoft itself, and it is still a mystery how. “Chances are that it was submitted for validation and somehow it got through the checks. While the digital signing requirements detect and stop most of the rootkits, they are not foolproof,” Bogdan Botezatu, director of threat research and reporting at Bitdefender, told ZDNet.

    It is uncertain how FiveSys is distributed, but researchers believe it is bundled with cracked software downloads.

    Once installed, the FiveSys rootkit redirects internet traffic to a proxy server. To do so it installs a custom root certificate on the victim machine, so the browser trusts the certificates the proxy presents for intercepted sites and raises no warning about the proxy’s unknown identity; that rogue root in the trust store is the artefact an incident responder should look for. The rootkit also blocks other malware from writing to the drivers, in what is likely an attempt to stop other cyber criminals from taking advantage of the compromised system.
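    The root-certificate trick described above is the artefact a responder can check for. The following added example (not Bitdefender’s or Microsoft’s code) snapshots the Windows machine ROOT store through Python’s ssl.enum_certificates and reports any root whose SHA-256 fingerprint is missing from a known-good baseline taken from a clean build of the same image. The baseline file name and the stand-in certificate bytes used for the offline demonstration are constructed; on a Windows host the real store is used.

```python
"""Flag trusted root certificates that a known-good baseline does not contain. Constructed example."""
import hashlib
import ssl
import sys


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, the value certificate viewers display as the fingerprint."""
    return hashlib.sha256(der).hexdigest()


def windows_root_store() -> list:
    """DER certificates in the local machine ROOT store (Windows only; empty list elsewhere)."""
    if sys.platform != "win32":
        return []
    return [cert for cert, encoding, _trust in ssl.enum_certificates("ROOT")
            if encoding == "x509_asn"]


def unexpected_roots(store: list, baseline: set) -> list:
    """Fingerprints present in the store but absent from the baseline, sorted for stable output."""
    return sorted({fingerprint(cert) for cert in store} - baseline)


def pem_for_review(store: list, flagged: list) -> dict:
    """PEM text of each flagged certificate, ready for `openssl x509 -noout -text`."""
    wanted = set(flagged)
    return {fingerprint(cert): ssl.DER_cert_to_PEM_cert(cert)
            for cert in store if fingerprint(cert) in wanted}


# Constructed stand-ins for DER certificates so the logic runs offline; real input is the
# bytes returned by windows_root_store().
CLEAN_MACHINE_ROOTS = [b"<constructed DER: vendor root 1>", b"<constructed DER: vendor root 2>"]
ROGUE_ROOT = b"<constructed DER: root dropped by a rootkit>"
BASELINE = {fingerprint(cert) for cert in CLEAN_MACHINE_ROOTS}


def demo() -> list:
    """Run the check on the constructed store: the rogue root is reported, baseline roots are not."""
    return unexpected_roots(CLEAN_MACHINE_ROOTS + [ROGUE_ROOT], BASELINE)


if __name__ == "__main__":
    store = windows_root_store() or CLEAN_MACHINE_ROOTS + [ROGUE_ROOT]
    baseline = BASELINE
    try:  # assumed file name: one hex SHA-256 fingerprint per line, exported from a clean host
        with open("root-baseline.txt") as fh:
            baseline = {line.strip() for line in fh if line.strip()}
    except FileNotFoundError:
        pass
    for fp in unexpected_roots(store, baseline):
        print("unexpected root:", fp)
```

    Diff against a baseline rather than a hand-written allowlist: Windows adds roots on demand through automatic root update, so a store that differs from a freshly built clean machine is a lead to inspect, not automatically an infection. Repeat the check for the current user’s store, which an unprivileged process can also write to.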

    Analysis of the attacks shows that the FiveSys rootkit is being used in cyber attacks targeting online gamers, with the aim of stealing login credentials and hijacking in-game purchases. The popularity of online games means that a lot of money can be involved, not only because banking details are connected to accounts, but also because prestigious virtual items can fetch large sums when sold, so attackers could use their access to steal and sell these items. Currently the attacks are targeting gamers in China, which is where researchers also believe the attackers are operating from.

    The campaign started slowly in late 2020 but expanded massively during the summer of 2021. It is now blocked: after Bitdefender researchers flagged the abuse of digital trust to Microsoft, the company revoked the signature. ZDNet contacted Microsoft but had not received a response at the time of publication.

    While the rootkit is currently being used to steal login credentials from gaming accounts, it could be directed at other targets in future. Some relatively simple precautions reduce the risk of falling victim to this or similar attacks. “In order to stay safe, we recommend that users only download software from the vendor’s website or from trusted resources. Additionally, modern security solutions can help detect malware – including rootkits – and block their execution before they are able to start,” said Botezatu.