Information Technology

Twelve people have been targeted by an international law enforcement operation for involvement in over 1,800 ransomware attacks on critical infrastructure and large organisations around the world. A statement by Europol describes the 12 suspects in Ukraine and Switzerland as “high-value targets” responsible for “wreaking havoc across the world” by distributing LockerGoga, MegaCortex, Dharma and other ransomware attacks against organisations in 71 countries.But it’s unclear if the individuals have been arrested or charged – a Europol spokesperson told ZDNet that “the judicial process is ongoing”.

ZDNet Recommends

The suspects are believed to have various different roles in “aggressive” criminal organisations responsible for encrypting networks with ransomware and demanding a payment in exchange for the decryption key.   SEE: A winning strategy for cybersecurity (ZDNet special report)    Some of the suspects are thought to be involved in compromising the IT networks of targets, while others are suspected of being in charge of laundering Bitcoin payments made by victims.  Europol says that those responsible for breaking into networks did so by using techniques including brute force attacks, SQL injections and sending phishing emails with malicious attachments in order to steal usernames and passwords. 

Once inside the networks, the attackers remained undetected and gained additional access using tools including TrickBot malware, Colbalt Strike and PowerShell Empire, in order to compromise as many systems as possible before triggering ransomware attacks.As a result of the operation, over $52,000 in cash was seized, alongside five luxury cars. A number of computers have also been seized and are being examined in order to secure evidence and identify new leads. In total, more than 50 investigators from agencies around the world – including six Europol specialists – were involved in the operation, which was coordinated by Europol’s European Cybercrime Centre (EC3).SEE: Cloud security in 2021: A business guide to essential tools and best practicesThis included: Norways’s National Crime Investigation Service; France’s National Police and the Public Prosecutor’s Office of Paris; the Dutch National Police and National Public Prosecution Service; Ukraine’s National Police of Ukraine and Prosecutor General’s Office; the United Kingdom’s National Crime Agency (NCA) and Police Scotland; Germany’s Police Headquarters Reutlingen; the Switzerland Federal Police and Polizei Basel-Landschaft: and the United States Federal Bureau of Investigations (FBI) and Secret Service. A recent European Union Agency for Cybersecurity report warned that ransomware is the biggest cybersecurity issue facing the world today. MORE ON CYBERSECURITY More

It’s time to update Chrome and once again, for the third month in a row, Google has fixed two previously unknown ‘zero-day’ bugs in the world’s most popular desktop browser.Google disclosed that it had patched the two high-severity zero-day flaws in release notes for the stable release of Chrome version 95.0.4638.69 for Windows, Mac and Linux. Any version number higher than that will have the fixes.

ZDNet Recommends

It’s a good idea to check out Google’s support page for Chrome updates, which explains how Chrome can be set to automatically update when patches become available. Otherwise, Chrome has an ‘Update’ button that is coloured red if an update is at least a week old, indicating that it should be installed.SEE: This new ransomware encrypts your data and makes some nasty threats, tooThe two zero-day flaws — which are being exploited by attackers now — are being tracked with the identifiers CVE-2021-38000 and CVE-2021-38003. Both were found by Google’s Threat Analysis Group (TAG), which tracks state-sponsored and cyber-criminal exploit activity. The second of the two zero-days was also reported by Samuel Groß from Google Project Zero on 26 October, indicating how fast Google is responding to zero-day discoveries.CVE-2021-38000 is a design flaw due to “insufficient validation of untrusted input in Intents”. It was reported by TAG on September 15.

CVE-2021-38003 — a memory corruption flaw, according to Google Project Zero’s zero-day tracker — is described vaguely as “inappropriate implementation in V8”. V8 is Chrome’s powerful JavaScript engine that Groß hopes to shore up with additional sandboxing protections. As he noted in his proposal, V8 bugs allow attackers to create “unusually powerful exploits” that are hard to mitigate with existing security technologies.”Google is aware that exploits for CVE-2021-38000 and CVE-2021-38003 exist in the wild,” Google said in release notes. The update will roll out over the coming days or weeks, according to Google. There are eight, mostly memory-related, security fixes in this Chrome update. The currently listed high-severity flaws include a use-after-free in Sign-in, another use-after-free in Chrome’s garbage collection, insufficient data validation in Chrome’s New Tab page, a type confusion in V8, and a use-after-free in Web Transport.SEE: Cloud security in 2021: A business guide to essential tools and best practicesThis Chrome release marks the 14th zero-day flaw Google has patched in Chrome this year. The 10th was in mid-September when it patched two zero-days. It patched two more zero-days at the end of September and a further two on Thursday.Google hasn’t attributed the exploits to any hacking group. That Google has patched an unusually high number of zero-day flaws in Chrome in 2021 could be interpreted in several ways. The more that get discovered and the quicker they’re fixed via updates is good for end-users. Once patched, the exploit is less valuable. This could mean defenders are getting better at spotting zero-days.On the other hand, Google Project Zero has seen an uptick in zero-days affecting major platforms like Chrome, Windows, and iOS in the past year. The reason for that could be the commercialisation of the zero-day exploit market, providing a shortcut to the acquisition of exploits that otherwise require skills to develop. More

Australian Federal Police (AFP) has ordered an individual to forfeit AU$1.66 million for stealing the log-ins and passwords for Hulu, Netflix, and Spotify accounts. The culprit, based in Sydney, conspired with another individual from the US to steal the log-ins and passwords of streaming service customers and then sold them online at a cheaper rate. The AFP began investigating the matter in May 2018, after it was tipped by the FBI about a now-defunct account generator website called WickedGen.com. WickedGen was a website that sold stolen account details for online subscription services, including Netflix, Spotify, and Hulu. The account details belonged to unknowing victims in Australia and internationally, including the US. The Sydney individual was found to be the creator, administrator, and primary financial beneficiary of WickedGen and three other sites that offered similar services. Across the four websites, the offender had over 150,000 registered users and provided almost 86,000 subscriptions to illegally access legitimate streaming services. The Sydney-based individual pleaded guilty to stealing these log-ins and passwords in October last year. After the guilty plea, the AFP’s Criminal Assets Confiscation Taskforce (CACT) obtained restraining orders over the individual’s cryptocurrency, and bank and PayPal accounts that were held under false names. All up, the AFP has collected AU$1.66 million from the charged individual, with AU$1.2 million of that amount being cryptocurrency.

The funds will be redistributed by the Department of Home Affairs for supporting crime prevention, law enforcement, and community-safety related initiatives, the AFP said. The charged individual will now face a two years and two months prison sentence. The use of online subscriptions have been on the rise in Australia, with almost the same number of Australians watching content from online subscription streaming services, like Netflix, when compared to those who watch free-to-air television. The findings, published by the Australian Bureau of Communications, Arts and Regional Research, found that the popularity of over-the-top services have continued to grow as 70% of Australians watched this type of content as of the end of last year, which is almost triple the amount from 2016. Related Coverage More

A demonstration of Cellebrite technology being used.
Image: Getty Images
In testimony to Australia’s Senate Estimates, Services Australia said its use of Cellebrite software has only been for looking into fraud and identity theft matters. Cellebrite, an Israeli digital intelligence company, is best known for its controversial phone-cracking technology, which it previously claimed could download most data from almost any device on behalf of government agencies. “We’re very aware that we have a role of assurance over AU$200 billion of social support in Medicare and Centrelink programs and so the integrity of those outlays is important,” Services Australia acting-deputy CEO of payments and integrity Chris Birrer said. “We do have a system of compliance in terms of ensuring that people are complying with their mutual obligations under the income support payment and that we take very seriously making sure people are paid the right amount.” Facing questioning around how Services Australia uses Cellebrite’s technology, Birrer said it is only used in fraud and identity theft cases, which has included cases where people have falsely claimed the government disaster relief payments, uploaded images that do not relate to Australia to commit fraud, and stolen the identities of actual customers to hijack payments. According to The Guardian, Services Australia reportedly has a AU$1.2 million contract with the digital intelligence company.  When asked by Senators whether Services Australia could guarantee that the privacy rights of Australian citizens would not be violated, Birrer answered vaguely, opting to instead explain how the agency provides information to customers about how to make reporting changes.

“We publish all information in relation to what [customers’] obligations are in terms of particularly reporting changes of circumstances. That’s made very clear in terms of when people enter onto payment and in the information we provide. In fact, we’ve got a lot of success now in nudging people and presenting information to customers just to remind them to report changes in circumstances that might have resulted in an adjustment to their payment,” he said.Services Australia, which falls under the Minister for Government Services remit, was also questioned about its handling of robo-debt, the government income compliance system that wrongfully issued debts to hundreds of thousands of people. Of the AU$752 million owed by the government for its bungled robo-debt system, AU$740 million has so far been refunded, Services Australia CEO Rebecca Skinner said Senate Estimates. The remaining AU$12 million, which is owed to around 9,200 customers, continued to be outstanding as the agency is still trying to locate these customers, Skinner said. She explained that these customers were harder to find due to estate issues and some of them no longer being customers. Throughout Services Australia’s appearance, Minister for Government Services Linda Reynolds was also repeatedly asked why she continued to refuse to provide documents about the legal advice Services Australia received in implementing robo-debt. Reynolds, in response, maintained that Services Australia’s claim to public interest immunity continued to stand.Since the end of 2019, a Senate committee has been seeking for Services Australia to provide information regarding the legal advice it received in implementing the robo-debt system, while the agency has refused to provide that information under a claim of public interest immunity.  Services Australia’s claim of public interest immunity was rejected in February last year as the Senate committee said the reasons provided for that claim to exist were insufficient. The committee then similarly rejected Reynolds’ claim of public interest immunity in August.    “The Senate has now rejected your PII claim on multiple occasions. And this is now hitting the point where it’s absolutely obstructive to the work of the Senate on behalf of the Australian people. We’re not talking about a few people here. Hundreds of thousands of Australians was served any legal debt by your government,” Labor Senator Deborah O’Neill said. Related Coverage More

Public key infrastructure (PKI) is a system of processes, technologies, and policies for encrypting and signing data. It plays an essential role in authenticating users, servers, devices, software, and digital documents. Yet enterprises are struggling with the growing number of PKI certificates they must manage, and many are considering PKI automation to address this problem, according to a new DigiCert report.The report, “State of PKI Automation 2021,” explores how organizations are handling the challenge of PKI certificate management. Expired certificates are a problem because they disable encryption and create an attack surface for hackers. DigiCert commissioned ReRez Research to survey IT leaders from 400 global organizations of 1,000 employees or more. The survey focused on specialists managing digital certificates for users, servers, and mobile devices.The report revealed that today’s organizations manage more than 50,000 certificates, a steep upsurge from previous years. More than half (61 percent) are concerned about the time it takes to manage certificates. According to 37 percent of the respondents, their organization has three or more departments managing certificates, which creates silos that hide certificates from IT security teams until something goes wrong. A lot of unmanaged keys are out thereA typical organization has as many as 1,200 certificates that are unmanaged, while 47 percent of organizations say they often discover rogue certificates. Rogue certificates are essentially a form of shadow IT, certificates that are ordered outside the purview or processes of IT and frequently are neglected and not managed. This is causing major problems for organizations, such as outages due to certificates expiring unexpectedly, which two-thirds of the respondents have experienced. Even more troubling, one in four organizations have experienced five to six PKI-related outages in the past six months.Organizations struggling with PKI certificate management lack visibility into their certificate deployment landscape and need PKI automation. In fact, most organizations (91 percent) are thinking about it. Only 9 percent of the respondents aren’t discussing PKI automation and have no plans to do so. For 70 percent of the respondents, a solution is likely to be implemented within 12 months. A quarter of the respondents are either implementing or have finished implementing a solution. To gauge how companies are approaching PKI automation, DigiCert separated the respondents into groups of leaders and laggards. The results showed major differences between the two groups. Not surprisingly, 33 percent of those in the leader category are more likely to say PKI automation is important.When diving deeper into the data, the report found the leaders are two or three times better at reducing PKI security risks, avoiding PKI downtime, minimizing rogue certificates, managing digital certificates, and meeting PKI service level agreements (SLAs). In contrast, the laggards — those who aren’t skilled at managing PKI certificates — experience problems with compliance, security, and delays. They’re also less productive, overworked, and losing revenue.  Reining in rogue certificates

Furthermore, PKI management leaders are more accountable for their certificate inventories, whereas laggards are less concerned. When comparing the two groups, the leaders reported fewer certificate-related outages or rogue certificates.While most organizations believe PKI automation is important, the transition isn’t easy. Respondents cited several challenges related to automation, such as cost, complexity, compliance, and resistance to change by staff and management. That’s why DigiCert recommends organizations take several key steps to assess their PKI certificate management prior to automation. Organizations should:Identify and create an inventory of the entire certificate landscape, from TLS to code signing, and client certificates.Remediate keys and certificates that don’t comply with corporate policies.Protect with best practices for issuance and revocation. Standardize and automate enrollment, issuance and renewal. Monitor for new changes.Common certificate workflows include web servers, device identity, code signing, digital signatures, and identity and access functions. When automating certificate workflows, DigiCert recommends organizations should identify unmanaged or manual certificate workflows, adopt automation software that centralizes and manages certificate workflows, and finally, monitor with centralized visibility and control of the workflows. More

A luxury hotel chain in Thailand is reporting a data breach thanks to a notorious group of cybercriminals who have been behind a spate of attacks in recent weeks. Thirayuth Chirathivat, CEO of Centara Hotels & Resorts, said in a statement that on October 14, they were “made aware” of a cyberattack on the hotel chain’s network.An investigation confirmed that cyber attackers had in fact breached their system and accessed the data of some customers. The data accessed includes names, booking information, phone numbers, email addresses, home addresses and photos of IDs. The company did not say if the IDs accessed included passports, which are often asked for by hotels like Centara Hotels & Resorts.”Whilst the breach has been successfully contained, the investigation into the source, root cause and complete extent of the incident remains ongoing and we will provide more information when it becomes available,” Chirathivat said.Chirathivat went on to urge the hotel’s customers to “change their passwords as soon as possible, and to remain aware of any suspicious or unsolicited calls and/or emails requesting personal information.” “We can confirm that we at Centara Hotels & Resorts will not be contacting you to ask for any personal identifiable information,” Chirathivat added, noting that anyone with questions should email or call the hotel. 

The Desorden Group — which claimed responsibility for two recent attacks on laptop maker Acer — said it was behind the attack on Centara Hotels & Resorts. In addition to the hack on Centara Hotels & Resorts, Desorden claimed to have breached the servers of Central Group, which owns the hotel chain and more than 2,000 restaurants across Thailand. That breach involved 80 GBs of files including personal information of customers and business details of each restaurant. In messages to ZDNet, the group claimed the hotel hack was part of the larger attack on Central Group. Central Group is owned by the Chirathivat family, who are worth $11.6 billion. The family, led by Tos Chirathivat, controls thousands of food, fashion, property and building materials businesses across Thailand.The hacker group, which has attacked a number of companies across Asia in recent years, would not respond to questions about whether this was a ransomware attack but claimed they “basically brought down their entire backend, which consists of 5 servers.”They said they stole 400 GB of files over the course of 10 days and added that the data includes information about anyone who stayed at any of the 70 luxury hotels owned by the Thai conglomerate between 2003 and 2021. They claimed the data includes people’s passport numbers and ID numbers. There was even data from people who booked in advance until December 2021.The stolen files also allegedly include business data and employee information. The group tried to claim that they were “assisting” the hotel by showing them how they might “mitigate future attacks” and said they were the ones who notified the company that they had been hacked. Operators connected to Desorden said they were negotiating a ransom payment of $900,000 but the company backed out of the deal on Tuesday. The group is now threatening to leak the information. Centara Hotels & Resorts and Central Restaurants Group did not respond to requests for comment about the claims made by the hackers. The Desorden Group also claimed an attack on the Malaysian servers of ABX Express Enterprise in September.  More

Getty Images/iStockphoto
Here’s how this works. You’re searching a well-known jobs board and you see a remote work listing from a company you know and respect. The job fits your skill set and background well, so you apply. You upload your resume data as well as the usual personal identification data a prospective employer needs to see.

After a short but expected delay, you’re invited to a Skype interview. You take a shower, put on your best shirt and tie, comb your hair, and prepare for the meeting. At the appointed time, you join the interview and speak for some time to Jennifer and Antonio. The interview goes well. Also: HTTPS threats grow more than 314% through 2021You spend a day or so hoping that this will be the one. You’re really desperate for a new gig, and this looks promising. Finally, you find out that you’ve been hired. You’ve got the job! Not only do you have the job, but the company has a work-from-home allowance for furniture and gear for your home office. You’re sent a check for several thousand dollars, but you’re told you need to make your purchases at an approved supplier. Unfortunately, the check takes a while to clear and meanwhile, you need to get started working. So, knowing the money is in the bank (or about to be), you go ahead and make your furniture purchases. Technically, you’re using your own money, but those expenses will be covered in a few days from your new blue chip employer. It’s at this point — and you probably don’t know it yet — you’ve been scammed out of a few thousand bucks.

Yeah, there are people out there scamming people who need work out of what’s left of their savings. Credit goes to the folks at Wordfence for doing a deep dive on this scam. Anatomy of a scam As you’ve probably figured out, “Jennifer” and “Antonio” are not their real names. And the blue chip employer you think you’ve been hired by did not post that job listing. The preferred supplier you bought your office furniture from doesn’t exist. The thousands of dollars will never clear in your account. And you’ve just sent PII and the last of your savings to the scammers. The perpetrators of this style scam are apparently very active, posting job listings that seem legitimate. According to Wordfence, lots of people are falling victim to this scam. Because, yes, what the world needs is scam listings on job boards. So how do you protect yourself? At the start of the process, it’s going to be hard to tell legitimate job listings from scams. As we always advise, keep an eye out for telltale signs: misspellings, grammatical errors, listings that don’t seem internally consistent, and so forth. Pay attention in the interview. I’d say keep an eye out for interviewers that don’t seem polished, but after having had far more Skype and Zoom meetings than I’d care to think about in the past two years, I must admit that the verifiably legitimate corporate types I’ve worked with (especially since the pandemic has been wearing on for so long) aren’t displaying the old-school corporate polish anymore either. Also: Microsoft warns over uptick in password spraying attacksInstead, keep a situational awareness of the interview and job-related knowledge. Does it feel like a comprehensive job interview? Listen to your Spidey-Sense. And finally — don’t spend money with preferred suppliers. Don’t do it. If you’re required to have a certain laptop or certain furniture, get it from a known supplier with a clear return policy. Wait until funds are cleared into your account. Don’t give out your account number. I know this last one is hard in a world of direct deposit, but point out this scam to your new employer. Another tactic: open up a new account just for that employer to deposit into, until you’re sure it’s safe. A legitimate employer will understand your need to wait a few paychecks before parting with this level of confidential information. And, if you have a new employer who shows no empathy, skip it. Whether they’re actually hiring or trying to scam you, it’s not worth taking a job from an employer who doesn’t respect your need to protect yourself from this kind of scam. It will end badly anyway. So that’s it. Keep your head on a swivel. Good luck and stay safe out there. You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV. More

This is not a nice person. You must defend yourself.
Screenshot by ZDNet
You know why you bought an Amazon Ring or a Google Nest video doorbell, don’t you?

It’s because everyone on the street has them, and you’ll be darned if you’re going to be left behind in the surveillance game.Yes, you might be helping the police along the way, but you’ll also be able to see who comes to your door from miles away. And haven’t we always wanted to do that?But there’s a certain dishonest niceness in the way that Amazon and Google peddle these devices. It’s all about giving you the additional veneer of safety — and Big Tech the additional hope that it can track you just that little bit more.I was uplifted to thoughts of taking a smiling selfie, therefore, when I saw how a smaller video doorbell rival was approaching its marketing.Wyze, a company created by former Amazon employees, believes it’s “the most customer-centric smart home technology.” It insists it’s offering “access to high-quality products at great prices.”And it would like you to buy its video doorbell not because of price, but because of something far more emotional. In Wyze’s own words, emerging from a new ad: “The world is full of little turds like this one.”

The tiny poop-person is, indeed, someone who thinks it’s funny — or, perhaps, deeply meaningful — to leave some of his personal waste product on the pristine American doorsteps of his neighbors.

[embedded content]

But the tiny poop-person isn’t the only awful human being in the world. And, given that he’s only around ten years old, you might argue there’s still hope for him.

Less so for the package delivery man who kicks your package to your porch from his van. And what happens if you try to rectify these difficult situations yourself? Well, the tiny poop-person has tiny, poopy little friends who will chase you and throw raw eggs at you. (I wonder if they had them delivered by Amazon.)Oh, there are supposedly some other benefits to getting a
Wyze Video Doorbell Pro

. The joy of the chime being included, for example. The delight of six months battery life, too.But America is currently a country of permanent conflict. Our neighbors are no longer our friends. Our service people have no interest in making us happy. Even little children are programmed to cause us strife at any given moment. Do you want a burning bag of excrement on your doorstep? No, of course you don’t.We therefore, have to stand our ground and defend our personal peace with every piece of technology we can.”Wyze Video Doorbell Pro, For Everything Out There,” says the ad.What the company really means is: “Buy One Of Our Video Doorbells Because Other People Are Truly Awful And Disgusting.”A far more honest strategy, that.

ZDNet Recommends More