More stories

    Illinois candy giant hit with ransomware weeks before Halloween

    Ferrara Candy — the candy giant behind Nerds, Laffy Taffy, Now and Laters, SweetTarts, Jaw Busters, Nips, Runts and Gobstoppers — announced that it was hit with a ransomware attack just weeks before it prepares for one of its biggest holidays: Halloween. The Illinois-based company told ZDNet in a statement that on October 9, it “disrupted a ransomware attack” that encrypted some of its systems. “Upon discovery, we immediately responded to secure all systems and commence an investigation into the nature and scope of this incident. Ferrara is cooperating with law enforcement, and our technical team is working closely with third-party specialists to restore impacted systems as expeditiously fully and as safely as possible,” Ferrara said in a statement to ZDNet. “We have resumed production in select manufacturing facilities, and we are shipping from all of our distribution centers across the country, near to capacity. We are also now working to process all orders in our queue. We want to assure consumers that Ferrara’s Halloween products are on shelves at retailers across the country ahead of the holiday.” Ferrara did not say if it paid a ransom or which ransomware group attacked its systems. The Chicago Tribune and Crain’s Chicago were the first to report the attack. Danny Lopez, CEO of cybersecurity company Glasswall, said it was likely no coincidence that attackers hit a candy company’s supply chain just before Halloween, knowing full well that the urgency and demand at this time of year would increase the likelihood of getting the payment they wanted.

    Cerberus Sentinel vice president Chris Clements added that the situation was more evidence that every company needs to plan for a “worst-case scenario” like a ransomware attack. But even as organizations beef up their defenses, ransomware actors are changing their methods as well. “One such tactic is understanding when is likely to be the victim’s busiest season that can least afford systems downtime and waiting until that has begun to launch their ransomware attack. After all, a compromised business that doesn’t detect the attacker on day 1 is unlikely to detect the attacker on day 90, especially if the attacker is simply waiting for the opportune time to launch their ransomware,” Clements said. “By doing so, cybercriminals can make any service disruptions and restoration delays maximally painful to their victim to further coerce them to pay the extortion demand rather than attempt to restore systems or data themselves.”

    This monster of a phishing campaign is after your passwords

    Microsoft has detailed an unusual phishing campaign aimed at stealing passwords that uses a phishing kit built from pieces of code copied from other hackers’ work. A “phishing kit” is the software or services designed to facilitate phishing attacks. In this case, Microsoft has named the kit TodayZoo after some text used by the kit. Microsoft also described it as a ‘Franken-Phish’ because it is made up of different elements, some available for sale from publicly accessible scam sellers and others reused and repackaged by other kit resellers.

    Microsoft said TodayZoo is using the WorkMail domain AwsApps[.]com to pump out email with links to phishing pages mimicking the Microsoft 365 login page. Microsoft says the attackers have been creating malicious AWS WorkMail accounts “at scale” but are using randomly generated domain names instead of names that would represent a legitimate company. In other words, it’s a crude phishing product likely made on a thin budget, but large enough to be noticeable. It caught Microsoft’s attention because it impersonated Microsoft’s brand and used a technique called “zero-point font obfuscation” – HTML text with a zero font size in an email – to dodge human detection. Microsoft detected an uptick in zero-font attacks in July. TodayZoo campaigns in April and May of this year typically impersonated Microsoft 365 login pages and a password-reset request. However, Microsoft found that campaigns in August used Xerox-branded fax and scanner notifications to dupe workers into giving up credentials.

    Microsoft’s threat researchers found that most of the phishing landing pages were hosted within cloud provider DigitalOcean. Those pages were identical to the Microsoft 365 sign-in page. Another unusual trait was that after harvesting credentials, the stolen information was not forwarded to other email accounts but stored on the site itself. This behaviour was a trait of the TodayZoo phishing kit, which has previously focussed on phishing credentials from Zoom video-meeting accounts. Microsoft researchers believe this phishing group is a single operation rather than a network of agents. “While many phishing kits are attributed to a wide variety of email campaign patterns and, conversely, many email campaign patterns are associated with many phishing kits, TodayZoo-based pages exclusively utilized the same email campaign patterns, and any of those subsequent email campaigns only surfaced TodayZoo kits. These lead us to believe that the actors behind this specific TodayZoo implementation are operating on their own,” Microsoft said. Microsoft says it informed Amazon about the TodayZoo phishing campaign and that AWS “promptly took action”.

    Ex-carrier employee sentenced for role in SIM-swapping scheme

    A former sales representative of a mobile carrier has been sentenced after accepting bribes to perform SIM-swapping attacks. 

    This week, the US Department of Justice (DoJ) said that Stephen Defiore, a Florida resident, accepted “multiple bribes” of up to $500 per day to perform the switches required to reroute phone numbers in SIM-swapping. SIM-swapping is quickly becoming a serious issue for telecommunications firms, made worse when employees who have access to internal systems are involved. These attacks require either internal help or the use of social engineering to convince a carrier to reroute calls and text messages from one handset to another. SIM-swapping is often performed to circumvent security controls, including two-factor authentication (2FA), and to compromise accounts for services including banking and cryptocurrency wallets. The victims may only have a small window of time to rectify the situation once they realize that phone calls and messages are not being received, but by the time they reach their service provider, attackers may have already secured the second-level security codes required to hijack other accounts. Rather than go through the effort of obtaining enough information on a target to successfully impersonate the victim on a phone call, some attackers try to recruit insider help. In this case, between 2017 and 2018, Defiore was a sales representative for an unnamed carrier.

    The 36-year-old accepted bribes of roughly $500 to perform SIM-swapping on behalf of someone else. For each case, he would be sent a phone number, a four-digit PIN, and a SIM card number to be swapped with the victim’s handset details. At least 19 customers were targeted, and prosecutors estimate that the employee received $2,325 in bribes. Following his arrest, Defiore pleaded guilty to one count of conspiracy to commit wire fraud. US Attorney Duane Evans said that Defiore was sentenced on October 19 and will serve three months’ probation and a year of home confinement, and must perform 100 hours of community service. The SIM-swapper must also pay a $100 fee and $77,417.50 in restitution. Last year, Europol took down a massive SIM-swapping ring responsible for the theft of millions of euros. Operations Quinientos Dusim and Smart Cash combined law enforcement from multiple countries in the region, leading to multiple arrests.

    South African police arrest eight men suspected of targeting widows in romance scams

    South African police have arrested eight suspects in connection to romance scams that defrauded at least 100 women.

    The gang used “sob stories” as a lure to push women — including widows and divorcees — to give them money, as reported by the BBC. Law enforcement agencies, including the FBI, the Secret Service, and Europol, estimate that over the course of the scam, victims suffered close to $7 million in losses. According to Cape Town police, the suspects were arrested in an organized raid at multiple locations in the early morning of October 19. Ranging in age from 33 to 52 years old, the suspects are allegedly tied to a wider transnational organized crime syndicate in Nigeria known as the “Black Axe”. TimesLive reports that Black Axe has been operating romance scams since 2011. “It is alleged that these suspects, allegedly preyed on victims, many of whom are vulnerable widows or divorcees who were led to believe that they were in a genuine romantic relationship but were scammed out of their hard-earned money,” local police claim. “The suspects used social media websites, online dating websites to find and connect with their victims.” The sob stories employed by the suspects included a multitude of reasons as to why they needed cash, and quickly. The lines fed to their victims related to taxes that needed to be paid before inheritances were secured, travel overseas for emergencies, and pleas to help them get out of “crippling debt.”

    In some cases, payments of 100 million rand (ZAR), roughly $6,800, were made. The gang not only trolled dating apps and websites in the hunt for victims; they were also allegedly part of Business Email Compromise (BEC) schemes in which email accounts were compromised. When businesses attempted to make payments, the bank details they used were covertly changed to those controlled by the cybercriminals. Many of the alleged victims are located in the United States; however, South African law enforcement says that the organization also hit those close by, including “neighbors, parents, friends, and family.” US prosecutors have applied to have the suspects extradited. The suspects face charges of aggravated identity theft, money laundering, and conspiracy to commit wire and mail fraud. “The fraudsters intimidated and berated their victims, ruined their lives, and then disappeared,” the South African police service said in a statement. “We are confident that this investigation will have a significant impact on this region and beyond.” The FBI estimates that $133 million has been lost in romance scams over the course of 2021. In September, the US Department of Justice (DoJ) convicted a former US Army reservist for operating romance and BEC scams. Together with a co-defendant, the scam artist raked in approximately $1.8 million.

    Microsoft Teams: Your video calls just got a big security boost

    Microsoft has rolled out a public preview of end-to-end encryption (E2EE) for one-to-one Teams calls, bringing its enterprise platform up to par with Facebook’s consumer apps, WhatsApp and Messenger. Microsoft announced in March, at Ignite Spring 2021, that the encryption feature was in the works. E2EE means that neither Microsoft nor anyone else can access the decrypted contents of a one-to-one call. Facebook rolled out E2EE for audio and video calls on its Messenger app in August.

    Enabling E2EE for Teams calls requires work from both end users and IT admins, who need to enable it for their users. E2EE works by encrypting information from one point to an intended destination and prevents anyone else from decrypting the transmission. Microsoft notes in a blog post that real-time video and voice data is protected by E2EE and that both parties need to enable the setting. It doesn’t cover things like chat or file-sharing, which are protected at rest and in transit by other encryption protocols, like HTTPS for secure connections between a device and a website. To allow this feature, admins need to enable Enhanced Encryption policies for Teams users. Admins can enable it across the entire organization or set custom policies that assign the capability to select users.

    Assuming an admin has permitted E2EE via a policy, end users can enable it for a call by going to their avatar and navigating to the Privacy section within Settings. There’s a toggle next to “End-to-end encrypted calls” that can be switched on. When both parties have enabled E2EE, there’s an indicator in the top left of the video showing that it is enabled for that call. Both parties should see that indicator – a shield with a lock. If E2EE isn’t turned on, the indicator is a regular shield icon without the lock. If it is enabled, there’s a 20-digit security code under the indicator that should be the same for both parties. Two parties on a call can validate the 20-digit security codes by reading them to each other to see if they match. If they don’t match, the connection has been intercepted by a man-in-the-middle attack and the call can be terminated. E2EE for Teams calls is supported on the Teams desktop client for Windows and Mac as well as the latest versions of Teams on iOS and Android. It’s not supported on Teams calls over the PSTN. Features that aren’t supported when E2EE is enabled include all the cloud and AI tools Microsoft brings to Teams, such as call recording, as well as live captions and transcription. As for E2EE on group audio and video calls, Microsoft isn’t committing to anything on that front, but says it is working to “bring end-to-end encryption capabilities to online meetings later.”

    Ransomware: Looking for weaknesses in your own network is key to stopping attacks

    Ransomware is a major cybersecurity threat to organisations around the world, but it’s possible to reduce the impact of an attack if you have a thorough understanding of your own network and the correct protections are in place. While the best form of defence is to stop ransomware infiltrating the network in the first place, thinking about how the network is put together can help slow down or stop the spread of an attack, even if the intruders have successfully breached the perimeter. 

    One of the best ways to do this is to segment the network, so different parts of the organisation are separated from one another. That means if cyber criminals do get into the network, it’s much harder for them to move about and compromise other systems. “You want to make it difficult to cross certain boundaries, so you can lessen the impact of malware or ransomware,” Ed Williams, director of SpiderLabs EMEA at Trustwave, told ZDNet Security Update. “If you can do that and just one business unit gets compromised, then that is much easier to isolate to determine what’s going on, contain it and then bring services back online. [If] it’s an entire organisation, then it gets really difficult.” One of the first things cyber criminals distributing ransomware will do after entering a network – which is often achieved with phishing attacks or by exploiting unpatched vulnerabilities – is to find out what the network looks like, in order to determine the best way to move around it and eventually execute the ransomware attack.

    It can be difficult for IT departments to audit the entire network to discover everything that’s on it, but if they can do this, they can use that knowledge to identify potential vulnerabilities and take the necessary action to prevent attacks. “The first thing that I always recommend all organisations do, regardless of size, is have a really good understanding of what assets they’ve got. The reason why that is, if you don’t know what assets you’ve got, you can’t secure them,” said Williams. “Once you’ve got a good understanding of what your assets look like, you can build in layers then, so you can do good vulnerability management to make sure that there’s no exploits available for your kit that’s out there – and making sure you’re doing this regularly because exploits come out quickly and can get weaponised quickly,” he added. The best way to prevent vulnerabilities from being exploited is to apply security updates as soon as possible. Ensuring that default or easy-to-guess passwords aren’t used on the network and that two-factor authentication is applied to all users can also help to prevent networks falling victim to ransomware and other malware attacks.

    My Health Record imaging services security failed ADHA password standards

    The physical and information security measures used by pathology and diagnostic imaging services to access the My Health Record system did not meet the Australian Digital Health Agency’s (ADHA) recommended standard for passwords, according to assessments made by the Office of the Australian Information Commissioner (OAIC). “In relation to physical and information security measures, while most assessment targets reported good physical security measures, most did not meet the ADHA’s recommended standard for passwords used to access the My Health Record system,” the OAIC said. Detailed in the OAIC’s annual digital health report, the agency did note, however, that most of My Health Record’s assessment targets reported having a procedure in place for identifying and responding to My Health Record-related security and privacy risks, even though there were areas for improvement in relation to recording matters relevant to security breaches. During the 2020-21 financial year, three data breach notifications were submitted to the OAIC in relation to My Health Record. Two of the three have been finalised. In the agency’s annual report, which was also released this week, it said 975 data breaches were reported in Australia during the 2020-21 financial year. This was 7% fewer than in the previous financial year, with the OAIC saying that 80% of the data breaches reported under its Notifiable Data Breaches (NDB) scheme were finalised within 60 days. The average time taken to finalise a data breach notification was 62 days, down from 76 days in 2019–20, according to the annual report. Two months ago, the agency revealed that malicious or criminal attacks were the largest source of data breaches notified to the OAIC, accounting for 289 breaches, followed by human error, which accounted for 134 notifications. “As the [NDB] matures, we see clear trends: Malicious or criminal attacks are the leading source of data breaches, followed by human error,” the OAIC reiterated in the annual report.

    During the financial year, the OAIC also received 2,474 privacy complaints, similarly 7% fewer than in the 2019-20 financial year. Of these, 2,151 have been finalised, taking 4.4 months on average. The finance sector submitted the most privacy complaints this past year, with 327. This was followed by the Australian government with 310 and health service providers with 301, while retail and online services rounded out the top five sectors with 177 and 152 privacy complaints, respectively. According to the OAIC, the majority of privacy complaints it received were about the handling of personal information under the Australian Privacy Principles (APP). The most common issues raised were the use or disclosure of personal information, accounting for 29%, and the security of personal information, with 28%, while 18% of complaints were about access to personal information. The agency also handled 11,647 privacy enquiries and 1,824 freedom of information (FOI) enquiries in 2020-21. While this was 20% fewer for both types of enquiries compared to the previous year, the agency received almost 40% more FOI complaints, with organisations submitting 151 FOI complaints. The OAIC added that it finalised 174 FOI complaints, some of which were raised in the 2019-20 financial year. It also received 1,224 applications for Information Commissioner (IC) reviews of FOI decisions. It said almost three-quarters of the IC reviews were completed within 12 months, around the same rate as last year. The Department of Home Affairs underwent the most IC reviews, being involved in 436. This was more than the combined total of 253 from the next four agencies, which were Services Australia, the Australian Federal Police, the Department of Health, and the Department of Foreign Affairs and Trade. In 2020–21, the OAIC also issued 17 determinations in relation to complaints alleging breaches of the APP. This was the most determinations the OAIC has made in a year, it said. Among them was a finding last week that 7-Eleven collected customers’ biometric data without consent, and another that Home Affairs “mistakenly” released the personal information of 9,251 asylum seekers. As of 30 June 2021, the OAIC had just over 120 full-time staff. Beyond its staff, the OAIC spent over AU$970,000 on consultancy contracts and around AU$455,000 on non-consultancy contracts. Of those contracts, PricewaterhouseCoopers was paid over AU$660,000 and Cypha Interactive was paid AU$200,000.

    Google reports new highs for governments requesting content to be removed

    Google issued its Content Removal Transparency Report for the first half of 2021 and warned that it has continued to see a rising trend in requests from governments as they pass new laws allowing content to be removed. “These laws vary by country and region, and require the removal of content on a very wide range of issues — from hate speech to adult content and obscenity, to medical misinformation, to privacy and intellectual property violations,” Google vice president of trust and safety David Graff wrote. “While content removal and local representative laws are often associated with repressive regimes, they are increasingly not limited to such nations.” Leading the way on the number of requests were Russia, India, South Korea, and Turkey, with Pakistan, Brazil, the US, Australia, Vietnam, and Indonesia closing out the top ten. In terms of the volume of items asked to be removed, Indonesia led the way thanks to a single request to have over 500,000 URLs removed in the archipelago for violating gambling laws. Google said it removed over 20,000 URLs and was reviewing the remainder. Russia picked up the number two slot, followed by Kazakhstan, Pakistan, South Korea, India, Vietnam, the US, Turkey, and Brazil. In the United States, which made 404 requests, 45% were related to defamation, mainly in search results, followed by trademark-related requests, most commonly on YouTube, and privacy and security reasons.

    For Australia, with a new high of 392 requests, the standout reason was bullying and harassment, which made up 80% of requests. Of those 315 requests, 261 were related to Gmail. Defamation led the way in India’s 1,332 requests, accounting for 28% of government requests, followed by impersonation at 26%, which referred mainly to Google Play app pages. “We received a request from the Ministry of Electronics and Information Technology, India, the designated authority under Section 69A of the Information Technology Act, 2000, regarding content on Google Play,” the search giant said. “Due to confidentiality restrictions mandated by Section 69A, we are unable to provide any details about the content at issue or the action(s) taken by Google.” During the year to the end of June, Google said it received a request in South Korea to delist around 5,000 URLs relating to “non-consensual explicit imagery of digital sex-crime victims” from its search results, and it removed over 3,000 URLs. South Korea’s 991 requests dealt with privacy or security 80% of the time.