More stories

  • Large DDoS attack shuts down KT's nationwide network

    South Korea telco KT said on Monday that the temporary nationwide shutdown of its network earlier today was caused by a large-scale distributed denial-of-service (DDoS) attack. Customers who use the telco’s network were unable to access the internet for around 40 minutes at around 11am on Monday. Users were unable to use credit cards, trade stocks, or access online apps during that time period. Some large commercial websites were also shut down during the outage. General access to the internet has since been restored for KT users in most areas of the country.  A KT spokesperson said the telco’s network was shut down due to a large-scale DDoS attack. They said that, during the outage, the company’s crisis management team was working to quickly restore the network back to normal. KT is yet to figure out the extent of the damage or who was behind the DDoS attack, the KT spokesperson added. Federal police and the Ministry of Science and ICT said they were also looking into the matter in collaboration with KT. The ministry did not confirm that the network failure was caused by a DDoS attack, but it said the other major telcos SK Telecom and LG Uplus were not affected.

    Despite not being victims of the DDoS attack, users of SK Telecom and LG Uplus’ services voiced complaints on social media about these telcos having network failures. Spokespeople for these telcos said the network failures were due to a sudden surge of traffic from KT users shifting onto their services during KT’s internet outage. Both SK Telecom and LG Uplus representatives said they would be monitoring the situation closely.

  • AFP is looking to be 'more aggressive' with new cyber offensive arm

    The Australian Federal Police is conducting an internal review to implement a new cyber offensive arm, AFP commissioner Reece Kershaw said at Senate Estimates on Monday morning. “At the moment, we’re actually going through an internal review of how we can be more aggressive in cyber, and it may mean a mini restructure internally for us to really have what we would call a cyber offensive operation of the AFP, which would actually conduct disruption operations on these individuals,” he said. Kershaw said this process has included talking with the Five Eyes alliance about the growth of cyberthreats. Kershaw is currently the chair of Five Eyes’ law enforcement group. Throughout his testimony at Senate Estimates, Kershaw explained that the powers given to the AFP through the Surveillance Legislation Amendment (Identify and Disrupt) Act 2021, which passed earlier this year, would allow its cyber offensive capabilities to increase across various fronts, from countering child abuse, to spam, to terrorism. “So [spam is] something we’re looking forward to using those new powers to, you know, it is my personal pet hate. I get multiple ones a day,” Kershaw said. Through the new laws, the AFP and the Australian Criminal Intelligence Commission (ACIC) will gain the ability to apply for three new warrants to deal with online crime. The first of the warrants is a data disruption one, which gives cops the ability to “disrupt data” by modifying, copying, adding, or deleting it. The second is a network activity warrant that would allow the AFP and ACIC to collect intelligence from devices or networks that are used, or likely to be used, by those subject to the warrant. The last warrant is an account takeover warrant that will allow the agencies to take control of an online account for the purposes of gathering information for an investigation.

    “This is the next frontier of crime, and the AFP and our partners will work with governments and global law enforcement networks to ensure the long arm of the AFP reaches criminals no matter where they are in the world,” Kershaw said in his opening statement at Senate Estimates. “Our investigators are already strategising how they will use the new powers in active investigations to identify, target, and disrupt offenders — including those relating to terrorism, large drug importations, and distribution of child abuse material.” The Attorney-General’s department is currently working on authorising the warrants application process, with AFP Deputy Commissioner Ian McCartney saying that this process would be resolved in the coming weeks. In the AFP’s annual report [PDF] released last week, the law enforcement agency said the past year has seen it expand cyber operational capacity and build technical capabilities as part of a $90 million investment by the Australian Government across four years. This includes the ransomware action plan’s new Orcus taskforce and an AFP-led multi-agency taskforce called Dolos for targeting fraud that used compromised business emails. The AFP added that it carried out 163 disruption activities and charged eight offenders with 21 offences in relation to cybercrime during 2020-21.

  • Singtel sells off payment card compliance business

    Singtel has sold off its payment card compliance business Trustwave in a deal worth $80 million, as part of efforts to “optimise” the group’s resource allocation and growth focus. The move is part of the Singapore telco’s strategic review of its digital businesses that kicked off in May this year. Parked under its cybersecurity brand Trustwave, SecureTrust was sold off to Sysnet Global Solutions for a cash consideration of $80 million, Singtel said in a statement Monday. It added that some Trustwave assets deemed “complementary” to the telco’s telecommunications and systems integration business in Asia-Pacific would be transferred to Singtel as well as its subsidiaries NCS and Optus. This integration would allow for “closer alignment” with the respective business unit’s core products and services and enable each to focus on core competencies, Singtel said.

    The SecureTrust sale would put Singtel’s cybersecurity revenue in the region at SG$350 million ($259.57 million), the telco said. Singtel Group CEO Yuen Kuan Moon said: “This divestment is the first step following an extensive review of the Trustwave business and serves to sharpen its focus and reposition it for growth. With enterprises pivoting fast to hybrid, multi-cloud environments, the cyber threat landscape has changed considerably and the need for a focused set of services centred on managed threat detection and response has grown.” Trustwave would focus its core offerings on managed detection and response, managed security services, and consulting services, Yuen added. Singtel’s systems integration business NCS in July announced a “strategic reset” to pivot from a traditional ICT company primarily based in Singapore, to become a pan-Asia digital and technology services player. With expansion plans targeted for Australia and Greater China, NCS said it planned to add 2,000 new roles over two years and had earmarked six key sectors to drive its growth into the enterprise space, including healthcare and financial services.

    Singtel, alongside joint bidder Grab, secured one of four digital bank licences in Singapore last December. In their pitch for the licence, the two partners said they would look to target “digital-first” consumers and small and midsize businesses, offering products and services to address the “unmet and underserved” of these market segments. Grab owns a 60% stake in the partnership. Digital bank licensees were expected to begin operations in the country from early 2022.

  • These are the 10 best bargains on VPN subscriptions

    As the world opens up again to travel, you may want to get a head start and learn a new language or two. But you also need to remember to protect yourself with a maximum-strength VPN, both at home and abroad. Here are 10 great deals on some of the best VPN services on the market:

    KeepSolid VPN Unlimited: Lifetime Subscription
    Do you want a VPN that has it all? KeepSolid offers unlimited speed and bandwidth on over 400 servers, plus ultimate security that includes military-grade encryption, a kill switch, zero-logging, and more. This one is tough to beat. For a limited time only, get KeepSolid VPN Unlimited: Lifetime Subscription for $39.99 (reg. $199).

    FastestVPN: Lifetime Subscription (5 Devices)
    Get a lifetime of ultimate VPN protection for up to five devices. In addition to military-grade encryption, you get a NAT firewall, kill switch, zero logging, anti-malware, ad blocker, and much more. For a limited time only, get FastestVPN: Lifetime Subscription (5 Devices) for $19.99 (reg. $24.99).

    BulletVPN: Lifetime Subscription
    This is a VPN bargain for new users with fast servers in 51 countries. According to The VPN Guru: “If you are looking for a reliable, fast, and secure VPN provider, I would definitely recommend BulletVPN.” For a limited time only, get BulletVPN: Lifetime Subscription for $38.99 (reg. $540).

    Disconnect VPN Premium: Lifetime Subscription (5 Devices)
    Get a VPN that keeps you safe without slowing you down. The New York Times says: “We researched and tested four tracker blockers and found their results varied widely. In the end, the app Disconnect became our anti-tracking tool of choice.” For a limited time only, get Disconnect VPN Premium: Lifetime Subscription (5 Devices) for $39.99 (reg. $700).

    SlickVPN: Lifetime Subscription
    If you’re looking for the best VPN for blazing-fast anonymous torrenting, look no further. It has 125 gateways, all with mega-secure encryption. For a limited time only, get SlickVPN: Lifetime Subscription for $19.99 (reg. $1200).

    WifiMask VPN Unlimited Devices: 3-Year Subscription
    Users new to WiFiMask can get a deal on speedy, secure VPN protection on all of their devices. Access 21 servers spread over eight countries. For a limited time only, get WifiMask VPN Unlimited Devices: 3-Year Subscription for $39.99 (reg. $143).

    Hop VPN: Lifetime Subscription
    Hop is offering new users a lifetime of VPN protection from snooping, firewalls, and blocking. Turn your entire home into a VPN server. For a limited time only, get Hop VPN: Lifetime Subscription for $39.99 (reg. $148).

    BelkaVPN: Lifetime Subscription
    First-time Belka subscribers can get a great deal on a lifetime of zero-latency VPN protection. Access to over 120 servers, encryption, no logging, and much more are all included. For a limited time only, get BelkaVPN: Lifetime Subscription for $39.99 (reg. $719).

    VPN.asia: 10-Year Subscription
    VPN coverage in Asia can be hard to come by. But new users can get VPN protection in Asia at a huge discount for a full 10 years. For a limited time only, get VPN.asia: 10-Year Subscription for $79.99 (reg. $1080).

    AdGuard VPN: 1-Year Subscription
    Now new users can get convenient VPN protection from AdGuard for up to five devices. In addition to all the usual protection, the service will automatically show you the closest and fastest servers. For a limited time only, get AdGuard VPN: 1-Year Subscription for $19.99 (reg. $71).

  • CISA awards $2 million to cybersecurity programs for rural, diverse communities

    CISA has announced awards of $2 million to two organizations training underserved communities in cybersecurity. The funding will go to NPower and CyberWarrior, two programs helping to train veterans, military spouses, women and people of color for cybersecurity positions. These are the first awards of their kind handed out by CISA. CISA Director Jen Easterly said addressing the cyber workforce shortage requires the agency to proactively seek out, find and foster prospective talent from nontraditional places. “CISA is dedicated to recruiting and training individuals from all areas and all backgrounds with the aptitude and attitude to succeed in this exciting field,” Easterly said. “It’s not just the right thing to do; it’s the smart thing to do — for the mission and the country. We’re best positioned to solve the cyber challenges facing our nation when we have a diverse range of thought bringing every perspective to the problem.” The organizations are targeting communities with high unemployment as well as those who are underemployed and underserved in both rural and urban areas. CISA explained that it is looking to support programs that benefit communities and populations that may not have access to training programs centered around cybersecurity. CISA, CyberWarrior and NPower will work with them to “develop a scalable and replicable proof of concept to successfully identify and train talented individuals around the country.”

    They noted that the effort will help address the “staggering” shortage of cybersecurity talent facing the country. “CyberWarrior is honored to take part in the Cybersecurity Workforce Development and Training Pilot for Underserved Communities,” said Reinier Moquete, founder of the CyberWarrior Foundation. “Working with CISA and other stakeholders, our 28-week bootcamp program will train persons from underserved populations for a career in cybersecurity. We encourage prospective students, employers and workforce stakeholders to reach out and join us in building opportunities for these individuals.” According to CISA, the three-year program seeks to establish a cybersecurity pathways retention strategy while also providing entry-level cybersecurity training and hands-on professional development experience through apprenticeships. Bertina Ceccarelli, CEO of NPower, said her organization’s cybersecurity program offers young adults and veterans the opportunity to advance their careers and deepen their specialties. “This is particularly important for individuals coming from underrepresented communities that systemically lack access to those specialized skills,” Ceccarelli said. “We are honored for the support from CISA, which will enable NPower to expand our reach to trainees across the country.” The award is part of a larger effort by CISA and other agencies to diversify the cybersecurity industry. On Friday, Easterly, NSA cybersecurity director Rob Joyce and Institute for Security and Technology CEO Philip Reiner handed their Twitter accounts over to three Black women, who spoke about their experiences in the tech industry while urging other women of color to join in. CISA has also created a CYBER.org initiative and Cyber Education and Training Assistance Program to promote cybersecurity among young people.

  • Hackers somehow got their rootkit a Microsoft-issued digital signature

    Cybersecurity researchers at Bitdefender have detailed how cyber criminals have been using FiveSys, a rootkit that somehow made its way through the driver certification process to be digitally signed by Microsoft. The valid signature enables the rootkit – malicious software that allows cyber criminals to access and control infected computers – to appear legitimate, bypass operating system restrictions and gain what researchers describe as “virtually unlimited privileges”. It’s known for cyber criminals to use stolen digital certificates, but in this case, they’ve managed to acquire a valid one. It’s still a mystery how cyber criminals were able to get hold of a valid certificate. “Chances are that it was submitted for validation and somehow it got through the checks. While the digital signing requirements detect and stop most of the rootkits, they are not foolproof,” Bogdan Botezatu, director of threat research and reporting at Bitdefender, told ZDNet. It’s uncertain how FiveSys is actually distributed, but researchers believe that it’s bundled with cracked software downloads. Once installed, the FiveSys rootkit redirects internet traffic to a proxy server, which it does by installing a custom root certificate so that the browser won’t warn about the unknown identity of the proxy. This also blocks other malware from writing to the drivers, in what’s likely an attempt to stop other cyber criminals from taking advantage of the compromised system.

    Analysis of attacks shows that the FiveSys rootkit is being used in cyber attacks targeting online gamers, with the aim of stealing login credentials and the ability to hijack in-game purchases. The popularity of online games means that a lot of money can be involved – not only because banking details are connected to accounts, but also because prestigious virtual items can fetch large sums of money when sold, meaning attackers could exploit access to steal and sell these items. Currently, the attacks are targeting gamers in China – which is where researchers also believe that the attackers are operating from. The campaign started slowly in late 2020, but massively expanded during the course of summer 2021. The campaign is now blocked after researchers at Bitdefender flagged the abuse of digital trust to Microsoft, which revoked the signature. ZDNet contacted Microsoft but hadn’t received a response at the time of publication. While the rootkit is currently being used to steal login credentials from gaming accounts, it’s possible that it could be directed at other targets in future. But by taking some relatively simple cybersecurity precautions, it’s possible to avoid falling victim to this or similar attacks. “In order to stay safe, we recommend that users only download software from the vendor’s website or from trusted resources. Additionally, modern security solutions can help detect malware – including rootkits – and block their execution before they are able to start,” said Botezatu.

  • Illinois candy giant hit with ransomware weeks before Halloween

    Ferrara Candy — the candy giant behind Nerds, Laffy Taffy, Now and Laters, SweetTarts, Jaw Busters, Nips, Runts and Gobstoppers — announced that it was hit with a ransomware attack just weeks before it prepares for one of its biggest holidays: Halloween. The Illinois-based company told ZDNet in a statement that on October 9, they “disrupted a ransomware attack” that encrypted some of their systems. “Upon discovery, we immediately responded to secure all systems and commence an investigation into the nature and scope of this incident. Ferrara is cooperating with law enforcement, and our technical team is working closely with third-party specialists to restore impacted systems as expeditiously, fully and safely as possible,” Ferrara said in a statement to ZDNet. “We have resumed production in select manufacturing facilities, and we are shipping from all of our distribution centers across the country, near to capacity. We are also now working to process all orders in our queue. We want to assure consumers that Ferrara’s Halloween products are on shelves at retailers across the country ahead of the holiday.” Ferrara did not say if it paid a ransom or what ransomware group attacked its systems. The Chicago Tribune and Crain’s Chicago were the first to report the attack. Danny Lopez, CEO of cybersecurity company Glasswall, said it was likely no coincidence that attackers hit a candy company’s supply chain just before Halloween — knowing full well the urgency and demand at this time of year would have increased the likelihood that they would get the payment desired.

    Cerberus Sentinel vice president Chris Clements added that the situation was more evidence that every company needs to plan for a “worst-case scenario” like a ransomware attack. But even as organizations beef up their defenses, ransomware actors are changing their methods as well. “One such tactic is understanding when is likely to be the victim’s busiest season that can least afford systems downtime and waiting until that has begun to launch their ransomware attack. After all, a compromised business that doesn’t detect the attacker on day 1 is unlikely to detect the attacker on day 90, especially if the attacker is simply waiting for the opportune time to launch their ransomware,” Clements said. “By doing so, cybercriminals can make any service disruptions and restoration delays maximally painful to their victim to further coerce them to pay the extortion demand rather than attempt to restore systems or data themselves.”

  • This monster of a phishing campaign is after your passwords

    Microsoft has detailed an unusual phishing campaign aimed at stealing passwords that uses a phishing kit built from pieces of code copied from other hackers’ work. A “phishing kit” is the software or services designed to facilitate phishing attacks. In this case, the kit has been called TodayZoo by Microsoft after some text used by the kit. Microsoft also described it as a ‘Franken-Phish’ because it is made up of different elements, some available for sale through publicly accessible scam sellers or reused and repackaged by other kit resellers.


    Microsoft said TodayZoo is using the WorkMail domain AwsApps[.]com to pump out email with links to phishing pages mimicking the Microsoft 365 login page. Microsoft says the attackers have been creating malicious AWS WorkMail accounts “at scale” but are just using randomly generated domain names instead of names that would represent a legitimate company. In other words, it’s a crude phishing product likely made on a thin budget, but large enough to be noticeable. It caught Microsoft’s attention because it impersonated Microsoft’s brand and used a technique called “zero-point font obfuscation” – HTML text with a zero font size in an email – to dodge human detection. Microsoft detected an uptick in zero-font attacks in July. TodayZoo campaigns in April and May of this year typically impersonated Microsoft 365 login pages and a password-reset request. However, Microsoft found that campaigns in August used Xerox-branded fax and scanner notifications to dupe workers into giving up credentials.
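    A defender-side check for the zero-point font trick described above, added here as an example and not code from Microsoft’s report: it parses a message’s HTML, separates the text a reader would see from text hidden with a zero font size (including text nested inside a hidden element), and flags the message when hidden fragments are present. The sample email is constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Matches a zero font size in an inline style: "font-size:0", "font-size: 0px",
# "FONT-SIZE: 0pt;", "font-size:0.0em !important". Non-zero sizes do not match.
ZERO_FONT_RE = re.compile(
    r"font-size\s*:\s*0+(?:\.0+)?(?:px|pt|em|rem|%)?\s*(?:!important)?\s*(?:;|$)",
    re.IGNORECASE,
)

# Elements that never have a closing tag, so they must not be pushed on the stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


class ZeroFontScanner(HTMLParser):
    """Split the text of an HTML message into what a reader would see and
    what is hidden by a zero font size (inherited by nested elements)."""

    def __init__(self):
        super().__init__()
        self.hidden_stack = []   # one bool per open element: True if hidden
        self.skip_depth = 0      # inside <style>/<script>, whose text is never rendered
        self.visible_parts = []
        self.hidden_parts = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        if tag in ("style", "script"):
            self.skip_depth += 1
        style = dict(attrs).get("style") or ""
        parent_hidden = self.hidden_stack[-1] if self.hidden_stack else False
        self.hidden_stack.append(parent_hidden or bool(ZERO_FONT_RE.search(style)))

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if tag in ("style", "script") and self.skip_depth:
            self.skip_depth -= 1
        if self.hidden_stack:
            self.hidden_stack.pop()

    def handle_data(self, data):
        if self.skip_depth:
            return
        if self.hidden_stack and self.hidden_stack[-1]:
            self.hidden_parts.append(data)
        else:
            self.visible_parts.append(data)


def scan_email_html(html):
    """Return the rendered text, the hidden fragments and a verdict for one message."""
    scanner = ZeroFontScanner()
    scanner.feed(html)
    scanner.close()
    visible = " ".join("".join(scanner.visible_parts).split())
    hidden = [" ".join(part.split()) for part in scanner.hidden_parts if part.strip()]
    return {"visible_text": visible, "hidden_fragments": hidden,
            "zero_font_detected": bool(hidden)}


# Constructed sample, not a real phishing email: the brand name is split by a
# zero-size span and a block of filler text is hidden to pad content filters.
SAMPLE_EMAIL = """<html><body>
<p>Your Micro<span style="font-size:0px">abc</span>soft 365 password expires today.</p>
<p><a href="https://login.example.invalid/reset">Reset now</a></p>
<div style="FONT-SIZE: 0pt;">lorem ipsum harmless newsletter text to pad the filter</div>
</body></html>"""

if __name__ == "__main__":
    print(scan_email_html(SAMPLE_EMAIL))
```

    The visible text is what a keyword filter should be matched against; the hidden fragments are the signal to alert on.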

    Microsoft’s threat researchers have found that most of the phishing landing pages were hosted within cloud provider DigitalOcean. Those pages were identical to the Microsoft 365 sign-in page. Another unusual trait was that after harvesting credentials, the stolen information was not forwarded to other email accounts but stored on the site itself. This behaviour was a trait of the TodayZoo phishing kit, which has previously focussed on phishing credentials from Zoom video-meeting accounts. Microsoft researchers believe this phishing group is a single operation rather than a network of agents. “While many phishing kits are attributed to a wide variety of email campaign patterns and, conversely, many email campaign patterns are associated with many phishing kits, TodayZoo-based pages exclusively utilized the same email campaign patterns, and any of those subsequent email campaigns only surfaced TodayZoo kits. These lead us to believe that the actors behind this specific TodayZoo implementation are operating on their own,” Microsoft said. Microsoft says it informed Amazon about the TodayZoo phishing campaign and that AWS “promptly took action”.