More stories

  • Ex-carrier employee sentenced for role in SIM-swapping scheme

    A former sales representative of a mobile carrier has been sentenced after accepting bribes to perform SIM-swapping attacks. 

    This week, the US Department of Justice (DoJ) said that Stephen Defiore, a Florida resident, accepted “multiple bribes” of up to $500 per day to perform the switches required to reroute phone numbers in SIM-swapping. SIM-swapping is becoming a serious issue for telecommunications firms, and it is made worse when employees with access to internal provisioning systems are involved. These attacks require either insider help or social engineering to convince a carrier to reroute calls and text messages from one handset to another. SIM-swapping is often performed to circumvent security controls, in particular SMS-based two-factor authentication (2FA), and to compromise accounts for services such as banking and cryptocurrency wallets. Victims may have only a small window of time to rectify the situation once they realize that phone calls and messages are no longer arriving, but by the time they reach their service provider, attackers may already have obtained the SMS one-time codes needed to hijack other accounts. Rather than gathering enough information on a target to convincingly impersonate the victim on a phone call, some attackers try to recruit insider help. In this case, between 2017 and 2018, Defiore was a sales representative for an unnamed carrier.

    The 36-year-old accepted bribes of roughly $500 per swap to perform SIM-swapping on behalf of someone else. For each case, he would be sent a phone number, a four-digit PIN, and the number of the SIM card to which the victim’s phone number was to be moved. At least 19 customers were targeted, and prosecutors estimate that the employee received $2,325 in bribes. Following his arrest, Defiore pleaded guilty to one count of conspiracy to commit wire fraud. US Attorney Duane Evans said that Defiore was sentenced on October 19 and will serve three months’ probation and a year of home confinement, and must perform 100 hours of community service. The SIM-swapper must also pay a $100 fee and $77,417.50 in restitution. Last year, Europol took down a massive SIM-swapping ring responsible for the theft of millions of euros. Operations Quinientos Dusim and Smart Cash combined law enforcement from multiple countries in the region, leading to multiple arrests.

  • South African police arrest eight men suspected of targeting widows in romance scams

    South African police have arrested eight suspects in connection to romance scams that defrauded at least 100 women.

    The gang used “sob stories” as a lure to push women, including widows and divorcees, into giving them money, as reported by the BBC. Law enforcement agencies, including the FBI, the Secret Service, and Europol, estimate that over the course of the scam, victims suffered close to $7 million in losses. According to Cape Town police, the suspects were arrested in an organized raid at multiple locations in the early morning of October 19. Ranging in age from 33 to 52, the suspects are allegedly tied to a wider transnational organized crime syndicate originating in Nigeria known as the “Black Axe”. TimesLive reports that Black Axe has been operating romance scams since 2011. “It is alleged that these suspects allegedly preyed on victims, many of whom are vulnerable widows or divorcees who were led to believe that they were in a genuine romantic relationship but were scammed out of their hard-earned money,” local police claim. “The suspects used social media websites, online dating websites to find and connect with their victims.” The sob stories employed by the suspects included a multitude of reasons as to why they needed cash, and quickly. The lines fed to their victims related to taxes that needed to be paid before inheritances were released, travel overseas for emergencies, and pleas to help them get out of “crippling debt.”

    In some cases, individual payments of 100,000 rand (ZAR), roughly $6,800, were made. The gang not only trawled dating apps and websites in the hunt for victims; they were also allegedly part of Business Email Compromise (BEC) schemes in which business email accounts were compromised and, when a business attempted to make a payment, the bank details on the invoice were covertly changed to an account controlled by the cybercriminals. Many of the alleged victims are located in the United States; however, South African law enforcement says that the organization also hit those close by, including “neighbors, parents, friends, and family.” US prosecutors have applied to have the suspects extradited. The suspects face charges of aggravated identity theft, money laundering, and conspiracy to commit wire and mail fraud. “The fraudsters intimidated and berated their victims, ruined their lives, and then disappeared,” the South African Police Service said in a statement. “We are confident that this investigation will have a significant impact on this region and beyond.” The FBI estimates that $133 million has been lost to romance scams over the course of 2021. In September, the US Department of Justice (DoJ) convicted a former US Army reservist for operating romance and BEC scams. Together with a co-defendant, the scam artist raked in approximately $1.8 million.

  • Microsoft Teams: Your video calls just got a big security boost

    Microsoft has rolled out a public preview of end-to-end encryption (E2EE) for one-to-one Teams calls, bringing its enterprise platform up to par with Facebook’s consumer apps, WhatsApp and Messenger. Microsoft announced in March, at Ignite Spring 2021, that the feature was in the works. E2EE means that neither Microsoft nor anyone else sitting between the two endpoints can access the decrypted contents of a one-to-one call. Facebook rolled out E2EE for audio and video calls on its Messenger app in August.

    Enabling E2EE for Teams calls requires work from both end users and the IT admins who need to enable it for their users. E2EE encrypts the media on the sending device and decrypts it only on the intended recipient’s device, so no intermediary, the service provider included, can read the transmission. Microsoft notes in a blog post that real-time video and voice data is protected by E2EE and that both parties need to enable the setting. It does not cover chat or file sharing; those are encrypted in transit (over TLS, the same way HTTPS secures a connection between a device and a website) and at rest, but with keys the service itself uses, so that protection is not end to end. To allow the feature, admins need to enable Enhanced Encryption policies for Teams users, either across the entire organization or through custom policies that assign the capability to selected users.

    Assuming an admin has permitted E2EE via a policy, end users can enable it for a call by going to their avatar and navigating to the Privacy section within Settings, where there is a toggle next to “End-to-end encrypted calls”. When both parties have enabled E2EE, an indicator in the top left of the video shows that it is enabled for that call. Both parties should see the same indicator, a shield with a lock. If E2EE isn’t turned on, the indicator is a regular shield icon without the lock. When it is enabled, a 20-digit security code appears under the indicator, and it should be the same for both parties. The two parties can validate it by reading the code to each other over the call and checking that the digits match. If they don’t match, the call may have been intercepted by a man-in-the-middle and should be terminated. The check only helps if both sides actually compare the codes: the lock icon alone shows that an encrypted session was set up, not with whom. E2EE for Teams calls is supported on the Teams desktop client for Windows and Mac as well as the latest versions of Teams on iOS and Android. It is not supported for calls to the PSTN. Features that aren’t available when E2EE is enabled include the cloud and AI tools Microsoft brings to Teams, such as call recording, live captions and transcription, since the service can no longer see the media. As for E2EE on group audio and video calls, Microsoft isn’t committing to anything yet, but says it is working to “bring end-to-end encryption capabilities to online meetings later.”
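    The security-code comparison described above is a short authentication string (SAS) check. The Python below is an added example, not Microsoft’s code, and it does not reproduce how Teams derives its 20-digit code; it assumes the code is a hash over both parties’ key-exchange values, which is the standard construction. The Diffie-Hellman group is a toy (the Curve25519 field prime with generator 2, used here only so the numbers are large), and a real client would use X25519 or an RFC 7919 group. It shows why two honest endpoints get the same 20 digits while a relay that substitutes its own keys produces two different codes, even though the relay can decrypt both legs.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters (an assumption for this example, NOT a vetted
# group): the prime field of Curve25519, p = 2^255 - 19, with generator 2.
P = 2**255 - 19
G = 2


def keypair():
    """Return (private, public) for one call participant."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    """Media key from our private value and the public value we were shown."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def security_code(pub_a, pub_b, digits=20):
    """Short authentication string over BOTH public values.

    Sorting makes the code independent of who is caller and who is callee,
    so two honest endpoints compute the same string from the same inputs."""
    material = b"".join(sorted(p.to_bytes(32, "big") for p in (pub_a, pub_b)))
    digest = hashlib.sha256(b"e2ee-call-sas|" + material).digest()
    n = int.from_bytes(digest, "big") % 10**digits
    return f"{n:0{digits}d}"


def direct_call():
    """Honest exchange: each side sees the other's real public value.

    Returns (Alice's code, Bob's code, whether both derived the same key)."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    alice_code = security_code(a_pub, b_pub)
    bob_code = security_code(b_pub, a_pub)
    keys_agree = session_key(a_priv, b_pub) == session_key(b_priv, a_pub)
    return alice_code, bob_code, keys_agree


def intercepted_call():
    """Mallory relays the call and substitutes her own public values.

    Returns (Alice's code, Bob's code, whether Mallory can decrypt both legs).
    She always can; the mismatched codes are the only visible tell."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m1_priv, m1_pub = keypair()  # presented to Alice as "Bob"
    m2_priv, m2_pub = keypair()  # presented to Bob as "Alice"
    alice_code = security_code(a_pub, m1_pub)
    bob_code = security_code(m2_pub, b_pub)
    mallory_reads_both = (
        session_key(a_priv, m1_pub) == session_key(m1_priv, a_pub)
        and session_key(b_priv, m2_pub) == session_key(m2_priv, b_pub)
    )
    return alice_code, bob_code, mallory_reads_both


if __name__ == "__main__":
    a, b, ok = direct_call()
    print("direct call :", a, b, "match" if a == b else "MISMATCH", "| keys agree:", ok)
    a, b, m = intercepted_call()
    print("intercepted :", a, b, "match" if a == b else "MISMATCH", "| relay reads both:", m)
```

    The point of reading the digits aloud over the call itself is that a relay cannot rewrite a human voice in real time to make both sides hear matching numbers, so the out-of-band comparison is what binds the key exchange to the person on the other end.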

  • Ransomware: Looking for weaknesses in your own network is key to stopping attacks

    Ransomware is a major cybersecurity threat to organisations around the world, but it’s possible to reduce the impact of an attack if you have a thorough understanding of your own network and the correct protections are in place. While the best form of defence is to stop ransomware infiltrating the network in the first place, thinking about how the network is put together can help slow down or stop the spread of an attack, even if the intruders have successfully breached the perimeter. 


    One of the best ways to do this is to segment the network, so that different parts of the organisation are separated from one another. That means if cyber criminals do get into the network, it is much harder for them to move about and compromise other systems. “You want to make it difficult to cross certain boundaries, so you can lessen the impact of malware or ransomware,” Ed Williams, director of SpiderLabs EMEA at Trustwave, told ZDNet Security Update. “If you can do that and just one business unit gets compromised, then that is much easier to isolate to determine what’s going on, contain it and then bring services back online. [If] it’s an entire organisation, then it gets really difficult.” One of the first things cyber criminals distributing ransomware will do after entering a network, which is often achieved with phishing attacks or by exploiting unpatched vulnerabilities, is to find out what the network looks like, in order to determine the best way to move around it and eventually execute the ransomware attack.

    It can be difficult for IT departments to audit the entire network and discover everything that is on it, but if they can, they can use that knowledge to identify potential vulnerabilities and take the necessary action before attackers do. “The first thing that I always recommend all organisations do, regardless of size, is have a really good understanding of what assets they’ve got. The reason why that is, if you don’t know what assets you’ve got, you can’t secure them,” said Williams. “Once you’ve got a good understanding of what your assets look like, you can build in layers then, so you can do good vulnerability management to make sure that there’s no exploits available for your kit that’s out there – and making sure you’re doing this regularly because exploits come out quickly and can get weaponised quickly,” he added. The best way to prevent vulnerabilities being exploited is to apply security updates as soon as possible. Ensuring that default or easy-to-guess passwords aren’t used on the network, and that two-factor authentication is applied to all users, can also help prevent networks falling victim to ransomware and other malware.
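    As an added example (not from the article, Trustwave or ZDNet), the Python below applies the two pieces of advice above, segmentation and an asset inventory, to a batch of flow records. The segment layout, the allow-list, the inventory and the flow lines are all constructed for the illustration; the record format (source, destination, destination port, protocol) is an assumption, and a real deployment would feed it from NetFlow, firewall logs or an EDR. It reports flows that cross a segment boundary without an allow-list entry, the lateral movement that segmentation is meant to make hard, and flows that touch a host missing from the inventory, which is the “you can’t secure what you don’t know about” problem.

```python
import ipaddress
from collections import Counter

# Constructed segment layout for the example: one network per business unit.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "finance": ipaddress.ip_network("10.20.0.0/24"),
    "servers": ipaddress.ip_network("10.30.0.0/24"),
    "backup": ipaddress.ip_network("10.40.0.0/24"),
}

# Constructed allow-list of boundary crossings: (src_segment, dst_segment, dst_port).
# Any other cross-segment flow is a policy violation worth investigating.
ALLOW = {
    ("workstations", "servers", 443),
    ("finance", "servers", 443),
    ("servers", "backup", 22),
}

# Constructed asset inventory. A flow touching an address that is not here means
# the inventory is incomplete, not that the flow is fine.
INVENTORY = {"10.10.4.17", "10.10.4.18", "10.20.0.5", "10.30.0.10", "10.40.0.2"}

# Constructed flow records: "src dst dport proto" (format is an assumption).
SAMPLE_FLOWS = [
    "10.10.4.17 10.30.0.10 443 tcp",   # workstation to web app: allowed
    "10.10.4.17 10.10.4.18 445 tcp",   # SMB inside the workstation segment
    "10.10.4.17 10.20.0.5 445 tcp",    # workstation to finance over SMB
    "10.10.4.17 10.40.0.2 3389 tcp",   # workstation to backup host over RDP
    "10.30.0.10 10.40.0.2 22 tcp",     # server to backup over SSH: allowed
    "10.10.4.17 10.10.9.99 445 tcp",   # destination is not in the inventory
]


def segment_of(ip):
    """Name of the segment containing ip, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def parse_flow(line):
    src, dst, dport, proto = line.split()
    return src, dst, int(dport), proto


def evaluate(lines):
    """Classify each flow as intra, allowed, violation or unknown-asset."""
    findings = []
    for line in lines:
        src, dst, dport, _proto = parse_flow(line)
        if src not in INVENTORY or dst not in INVENTORY:
            findings.append(("unknown-asset", line))
            continue
        s_seg, d_seg = segment_of(src), segment_of(dst)
        if s_seg == d_seg:
            findings.append(("intra", line))
        elif (s_seg, d_seg, dport) in ALLOW:
            findings.append(("allowed", line))
        else:
            findings.append(("violation", line))
    return findings


def summarize(findings):
    """Counts per classification, e.g. Counter({'violation': 2, ...})."""
    return Counter(kind for kind, _ in findings)


if __name__ == "__main__":
    results = evaluate(SAMPLE_FLOWS)
    for kind, line in results:
        print(f"{kind:14} {line}")
    print(summarize(results))
```

    Note what the checker cannot see: the SMB flow between two workstations is classified as intra-segment and never examined, which is exactly why the size of each segment matters as much as the boundaries between them.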

  • My Health Record imaging services security failed ADHA password standards

    The physical and information security measures used by pathology and diagnostic imaging services to access the My Health Record system did not meet the Australian Digital Health Agency’s (ADHA) recommended standard for passwords, according to assessments made by the Office of the Australian Information Commissioner (OAIC). “In relation to physical and information security measures, while most assessment targets reported good physical security measures, most did not meet the ADHA’s recommended standard for passwords used to access the My Health Record system,” the OAIC said. Detailed in the OAIC’s annual digital health report [PDF], the agency did note, however, that most of the assessment targets reported having a procedure in place for identifying and responding to My Health Record-related security and privacy risks, even though there were areas for improvement in relation to recording matters relevant to security breaches. During the 2020-21 financial year, three data breach notifications were submitted to the OAIC in relation to My Health Record. Two of the three have been finalised.

    In the agency’s annual report, which was also released this week, it said 975 data breaches were reported in Australia during the 2020-21 financial year. This was 7% fewer than in the previous financial year, and the OAIC said that 80% of the data breaches reported under its Notifiable Data Breaches (NDB) scheme were finalised within 60 days. The average time taken to finalise a data breach notification was 62 days, down from 76 days in 2019-20, according to the annual report [PDF]. Two months ago, the agency revealed that malicious or criminal attacks were the largest source of data breaches notified to the OAIC, accounting for 289 breaches, followed by human error, which accounted for 134 notifications. “As the [NDB] matures, we see clear trends: Malicious or criminal attacks are the leading source of data breaches, followed by human error,” the OAIC reiterated in the annual report.

    During the financial year, the OAIC also received 2,474 privacy complaints, similarly 7% fewer than in the 2019-20 financial year. 2,151 of these privacy complaints have been finalised, taking 4.4 months on average. The finance sector accounted for the most privacy complaints this past year, with 327, followed by the Australian government with 310 and health service providers with 301, while retail and online services rounded out the top five sectors with 177 and 152 privacy complaints, respectively. According to the OAIC, the majority of the privacy complaints it received were about the handling of personal information under the Australian Privacy Principles (APP). The most common issues raised were the use or disclosure of personal information (29%), the security of personal information (28%), and access to personal information (18%). The agency also handled 11,647 privacy enquiries and 1,824 freedom of information (FOI) enquiries in 2020-21. While both types of enquiries were down 20% on the previous year, the agency received almost 40% more FOI complaints, with 151 FOI complaints submitted. The OAIC added that it finalised 174 FOI complaints, some of them carried over from the 2019-20 financial year. It also received 1,224 applications for Information Commissioner (IC) reviews of FOI decisions, and said almost three-quarters of the IC reviews were completed within 12 months, around the same rate as last year. The Department of Home Affairs underwent the most IC reviews, being involved in 436, more than the combined total of 253 for the next four agencies: Services Australia, the Australian Federal Police, the Department of Health, and the Department of Foreign Affairs and Trade. In 2020-21, the OAIC also issued 17 determinations in relation to complaints alleging breaches of the APP, the most it has made in a year, it said. Among them was a finding last week that 7-Eleven collected customers’ biometric data without consent, and one that Home Affairs “mistakenly” released the personal information of 9,251 asylum seekers. As of 30 June 2021, the OAIC had just over 120 full-time staff. Beyond its staff, the OAIC spent over AU$970,000 on consultancy contracts and around AU$455,000 on non-consultancy contracts. Of those contracts, PricewaterhouseCoopers was paid over AU$660,000 and Cypha Interactive was paid AU$200,000.

  • Google reports new highs for governments requesting content to be removed

    Google issued its Content Removal Transparency Report for the first half of 2021 and warned that it has continued to see a rising trend in requests from governments as they pass new laws allowing content to be removed. “These laws vary by country and region, and require the removal of content on a very wide range of issues — from hate speech to adult content and obscenity, to medical misinformation, to privacy and intellectual property violations,” Google vice president of trust and safety David Graff wrote. “While content removal and local representative laws are often associated with repressive regimes, they are increasingly not limited to such nations.” Leading the way on the number of requests were Russia, India, South Korea, and Turkey, with Pakistan, Brazil, the US, Australia, Vietnam, and Indonesia closing out the top ten. In terms of the volume of items asked to be removed, Indonesia led the way thanks to a single request to have over 500,000 URLs removed for violating the archipelago’s gambling laws. Google said it had removed over 20,000 of the URLs and was reviewing the remainder. Russia took the number two slot, followed by Kazakhstan, Pakistan, South Korea, India, Vietnam, the US, Turkey, and Brazil. Of the United States’ 404 requests, 45% related to defamation, mainly in search results, followed by trademark-related requests, most commonly on YouTube, and then privacy and security reasons.

    For Australia, with a new high of 392 requests, the standout reason was bullying and harassment, which made up 80% of requests; of those 315 requests, 261 related to Gmail. Defamation led the way among India’s 1,332 requests, accounting for 28% of them, followed by impersonation at 26%, which referred mainly to Google Play app pages. “We received a request from the Ministry of Electronics and Information Technology, India, the designated authority under Section 69A of the Information Technology Act, 2000, regarding content on Google Play,” the search giant said. “Due to confidentiality restrictions mandated by Section 69A, we are unable to provide any details about the content at issue or the action(s) taken by Google.” During the year to the end of June, Google said it received a request in South Korea to delist around 5,000 URLs relating to “non-consensual explicit imagery of digital sex-crime victims” from its search results, and it removed over 3,000 URLs. South Korea’s 991 requests dealt with privacy or security 80% of the time.

  • Multiple governments involved in coordinated takedown of REvil ransomware group: Reuters

    Cybersecurity experts have told Reuters that law enforcement officials from multiple countries were involved in the disruption of the REvil ransomware gang, which went dark for the second time on Sunday. Rumors and questions about the group’s most recent disappearance dominated conversation this week after Recorded Future security expert Dmitry Smilyanets shared on Twitter multiple messages from ‘0_neday’, a known REvil operator, discussing on the cybercriminal forum XSS what had happened. He claimed someone had taken control of the group’s Tor payment portal and data leak website. In the messages, 0_neday explains that he and “Unknown”, a leading representative of the group, were the only two members of the gang who held the keys to REvil’s hidden service domains. “Unknown” disappeared in July, leaving the other members of the group to assume he had died. The group resumed operations in September, but this weekend 0_neday wrote that the REvil domain had been accessed using the keys of “Unknown”. In another message, 0_neday said, “The server was compromised, and they were looking for me. To be precise, they deleted the path to my hidden service in the torrc file and raised their own so that I would go there. I checked on others — this was not. Good luck, everyone; I’m off.” Now Reuters has confirmed that law enforcement officials from the US and other countries, alongside a number of cybersecurity experts, were behind the actions 0_neday described on Sunday. VMware head of cybersecurity strategy Tom Kellermann and other sources told Reuters that the governments hacked REvil’s infrastructure and forced it offline.

    The FBI and White House did not respond to requests for comment. Jake Williams, CTO of BreachQuest, told ZDNet that REvil being compromised had been talked about in closed CTI groups since at least October 17. “It was known no later than the 17th that core group members behind REvil were almost certainly compromised. By standing up the Tor hidden services, someone demonstrated they had the private keys required to do so. This was effectively the end of REvil, which was already having trouble attracting affiliates after its infrastructure went offline in July following the Kaseya attack,” Williams said. “To attract affiliates, REvil had been offering up to 90% profit shares, but were still finding few takers. After the Tor hidden service was turned on, demonstrating possession of the private keys, it was obvious that the group had been breached and they would be unable to attract new affiliates for operations. A big open question in my mind is whether re-enabling the Tor hidden services was a counterintelligence mistake by law enforcement or was an intentional act to send a message. There are certainly arguments for either case.” The FBI has faced backlash in recent weeks after revealing that it had obtained a universal decryption key for the hundreds of victims of the ransomware attack on Kaseya, but FBI officials told Congress that they held off providing the key to victims for weeks because they were planning a multi-country effort to take down REvil’s infrastructure. REvil closed shop before the operation could be undertaken, and the FBI eventually handed the key to victims and helped a company create a universal decryptor. Reuters reported that when the group resurfaced in September, it restarted servers that had already been taken over by law enforcement officials, which led to the most recent law enforcement action; Reuters added that the operation is still ongoing.

    Williams noted that it appears likely that at least some arrests were involved, pointing back to the original messages from 0_neday. “The launch of the hidden service indicates someone else possesses the private keys for their hidden services. While the keys could potentially have been acquired purely through hacking back, it’s hard to imagine that’s the case given Unknown’s disappearance as well. The obvious conclusion is that it’s likely Unknown (or a close coconspirator) was arrested, though the arrest may have been enabled via hacking back operations,” Williams said. For those hit with ransomware after the group’s return, Williams said it was unlikely that the government had decryption keys or that the remaining gang members would release them. “After the July disruptions, it’s believed that REvil reset the campaign keys used by each affiliate. Core REvil user 0_neday announced that campaign keys would be given to REvil affiliates so they could continue negotiating with their victims. It seems unlikely at this point that the US government has a master key for REvil,” Williams explained. “After the backlash over not releasing the campaign key used in the Kaseya attack, it’s hard to believe the government would risk more negative publicity. Individual affiliates may release their campaign keys, but it seems doubtful at this time that the core REvil group will.” Williams added that REvil affiliates regularly used double extortion, the exfiltration of data from victim networks with the threat of release, to compel payment. He noted that typically, these affiliates stay in line and don’t release data because doing so would remove them from future work with the core group. But now that work from REvil will be drying up, affiliates will need new sources of revenue. “It won’t be surprising to see stolen data sold on the dark web. I anticipate that some organizations who believed their data was safe because they paid an REvil ransom are in for a rude awakening,” Williams told ZDNet.
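    Williams’ point that bringing the Tor hidden services back up “demonstrated they had the private keys” rests on how v3 onion addresses are built: the address is a base32 encoding of the service’s ed25519 public key plus a checksum and version byte, so only the holder of the matching private key can publish a descriptor for that address. The Python below is an added example, not code from the article, from Tor or from anyone quoted; it derives and validates an address from a public key following the Tor rend-spec-v3 layout, and parses the `hs_ed25519_public_key` file Tor writes into a HiddenServiceDir. Deriving the public key from the secret-key file needs ed25519 arithmetic that the standard library lacks, so the example starts from the public key; the 32-byte sample key is constructed and does not belong to any real service.

```python
import base64
import hashlib

ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"
PUBKEY_FILE_HEADER = b"== ed25519v1-public: type0 =="  # 29 bytes, NUL-padded to 32

# Constructed sample key (32 arbitrary bytes, NOT a real ed25519 key or service).
SAMPLE_PUBKEY = hashlib.sha256(b"constructed sample key for the example").digest()
SAMPLE_KEY_FILE = PUBKEY_FILE_HEADER + b"\x00" * 3 + SAMPLE_PUBKEY


def onion_checksum(pubkey):
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def onion_address(pubkey):
    """v3 onion address for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION  # 35 bytes -> 56 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def pubkey_from_address(address):
    """Inverse: recover the public key and verify checksum and version."""
    label = address.lower()
    if label.endswith(".onion"):
        label = label[:-len(".onion")]
    if len(label) != 56:
        raise ValueError("v3 onion label must be 56 base32 characters")
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION or checksum != onion_checksum(pubkey):
        raise ValueError("bad checksum or version: not a valid v3 address")
    return pubkey


def is_valid_onion_address(address):
    try:
        pubkey_from_address(address)
        return True
    except ValueError:
        return False


def read_public_key_file(blob):
    """Parse Tor's hs_ed25519_public_key file: 32-byte header, then the key."""
    header, key = blob[:32], blob[32:64]
    if not header.startswith(PUBKEY_FILE_HEADER) or len(key) != 32:
        raise ValueError("not an hs_ed25519_public_key file")
    return key


if __name__ == "__main__":
    key = read_public_key_file(SAMPLE_KEY_FILE)
    addr = onion_address(key)
    print("address :", addr)
    print("round trip ok:", pubkey_from_address(addr) == key)
    print("tampered valid:", is_valid_onion_address(addr[:-7] + "a.onion"))
```

    Because the version byte occupies the final bits of the encoding, every valid v3 address ends in the letter d; anyone who can serve the REvil address therefore holds the ed25519 private key that Tor uses to sign that service’s descriptors, which is the evidence Williams points to. The example checks the address format only; the actual proof of possession happens when the service publishes a descriptor signed with that key.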

  • Republican Senate leaders slam new TSA cybersecurity regulations for rail, aviation industry

    Republican leaders in the US Senate have come out harshly against new cybersecurity regulations designed to protect US railroad and airport systems. The new rules were handed down earlier this month by Homeland Security Secretary Alejandro Mayorkas and will be managed by the Transportation Security Administration (TSA). The regulations were prompted in part by an April attack on New York City’s Metropolitan Transportation Authority, one of the largest transportation systems in the world, and a 2020 attack on the Southeastern Pennsylvania Transportation Authority. But in a letter to David Pekoske, administrator of the TSA, five senior US Senators criticized the new rules and how they were rolled out. Senators Roger Wicker, John Thune, Cynthia Lummis, Todd Young and Deb Fischer, all members of the Committee on Commerce, Science and Transportation, slammed the use of emergency authority to push the rules out, questioning whether it was “appropriate absent an immediate threat.” The senators urged Pekoske to “reconsider” the rules, arguing that “the very importance of effective cybersecurity for critical infrastructure, such as the rail, rail transit, and aviation systems, counsels against acting rashly in the absence of a genuine emergency.” The letter says the “prescriptive requirements” rolled out by TSA “may be out of step with current practices” and may “limit affected industries’ ability to respond to evolving threats, thereby lessening security.” They also claimed the rules will impose “unnecessary operation delays at a time of unprecedented congestion in the nation’s supply chain.” The Republican leaders argued that the country is not in an emergency situation because it has been five months since the ransomware attack that shut down Colonial Pipeline and left significant parts of the East Coast in a week-long scramble for gasoline.

    They added that the TSA erred in forcing the rules onto the industry rather than adopting “a more collaborative approach” with industry experts before issuing them. “Rather than prescriptive requirements that may not enhance capabilities to address future threats, TSA should consider performance standards that set goals for cybersecurity while enabling businesses to meet those goals,” the senators wrote. “If a determination is made to proceed with specific mandates, the notice and comment process would at least allow for thoughtful consideration of industry practices and concerns.” The senators additionally claimed that current practices are “working well.” Chinese state-backed hackers were implicated in the April attack on New York City’s Metropolitan Transportation Authority, which alarmed city officials and federal authorities. The attackers did not get far enough into the system to cause damage but easily could have, effectively pulling out of their own accord, according to sources who spoke to The New York Times at the time. City officials are still concerned that the hackers may have left any number of backdoors in the system that would allow them to regain entry easily. Those backing the TSA regulations also noted a ransomware attack on ferry services to Cape Cod earlier this year. Responses to the letter ranged from those who tacitly agreed that the new rules were pushed out in a heavy-handed way to others who thought the country’s cybersecurity protections for critical industries continue to be dangerously lax.

    US Rep. Jim Langevin, co-founder of the Congressional Cybersecurity Caucus and a commissioner of Congress’ Cyberspace Solarium Commission, slammed the letter, taking particular issue with the idea that the country’s repeated cybersecurity failings are not an immediate threat. “My Republican colleagues need to get their heads out of the sand if they think ransomware and other cyber intrusions do not represent an ‘immediate threat,’” Langevin told ZDNet. “These new TSA regulations will require rail and airport operators to create incident response plans, which they already should be doing. The American people rely on these operators, so CISA needs to know when they’ve been hit by a cyber incident. These are the bare minimum regulations and are long overdue.” Industry experts like BreachQuest CTO Jake Williams noted that every cybersecurity regulation carries with it the possibility of creating operational issues, particularly when drafted by those without experience in the operational domain. “We don’t know what the guidance will dictate yet, so it’s hard to critique the guidance itself. However, the specific criticism levied by Sen. Wicker and others is very valid,” Williams said. “The TSA is using emergency measures to enact new regulations while bypassing the normal feedback process. It is reasonably likely that without the feedback process in use that TSA will inadvertently introduce operational issues with their new regulations.”