More stories

  • These hackers dodge Windows and target Linux as they look to steal phone data

    A stealthy hacking group is infiltrating telecommunications companies around the world in a campaign that researchers have linked to intelligence gathering and cyber espionage. The campaign, active since at least 2016, has been detailed by cybersecurity researchers at CrowdStrike, who attribute the activity to a group they call LightBasin, also tracked as UNC1945.

    Since 2019 the group is believed to have compromised at least 13 telecommunications companies with the aim of stealing specific information about mobile communications infrastructure, including subscriber information and call metadata and, in some cases, the content of what smartphone users are sending and receiving via their devices.

    “The nature of the data targeted by the LightBasin aligns with information likely to be of significant interest to signals intelligence organisations. Their key motives are likely a combination of surveillance, intelligence, and counterintelligence collection,” Adam Meyers, SVP of Intelligence at CrowdStrike, told ZDNet. “There is significant intelligence value to any state-sponsored adversary that’s likely contained within telecommunications companies,” he added.

    LightBasin’s origins are not disclosed, but the researchers note that the author of the tools used in the attacks has knowledge of the Chinese language, without going as far as to suggest a direct link to China or any other Chinese-speaking country.

    The attackers employ extensive operational security measures to avoid detection and compromise Windows systems on target networks only when absolutely necessary. Their primary focus is the Linux and Solaris servers that run telecommunications infrastructure, which typically have fewer security controls in place than Windows systems.

    Initial access to networks is gained via external DNS (eDNS) servers, which are part of the General Packet Radio Service (GPRS) network that connects different phone operators. Researchers discovered that LightBasin reached one victim from the network of a previously compromised telecom. Initial access to the original victims was likely gained by brute-forcing weak passwords.

    Once inside the network and calling back to an attacker-controlled command-and-control server, LightBasin drops TinyShell, an open-source Unix backdoor used by many criminal groups. Combined with SGSN emulation software, this lets the attackers tunnel traffic out of the telecommunications network. Other tools deployed in the campaigns include CordScan, a network scanning and packet-capture utility with built-in logic for fingerprinting telecommunications protocols and retrieving data from the infrastructure that speaks them.

    LightBasin can do this across many different telecommunications architectures, which the researchers describe as evidence of “robust research and development capabilities to target vendor-specific infrastructure commonly seen in telecommunications environments” and “consistent with a signals intelligence organization”, in other words an espionage campaign.

    Despite the group’s efforts to remain hidden, some elements of the campaigns allow it to be discovered and identified, such as leaving binaries unencrypted when using SteelCorgi, a known APT espionage tool. The same tools and techniques appear across the networks of several compromised providers, pointing to a single entity behind the whole campaign. LightBasin is believed to be still actively targeting telecommunications providers around the world.

    “Given LightBasin’s usage of bespoke tools and in-depth knowledge of telecommunications network architectures, we’ve seen enough to realize the threat LightBasin poses is not localized and could affect organizations outside of the ones we work with,” said Meyers. “The potential payoff to these threat actors in terms of intelligence gathering and surveillance is just too big for them to walk away from,” he added.

    To protect networks from this and other attacks, CrowdStrike recommends that telecommunications companies ensure the firewalls responsible for the GPRS network have rules that allow access only via the protocols expected on that network, so that an interconnect peer cannot reach management services such as SSH on eDNS or other core hosts.

    “Securing a telecommunications organization is by no means a simple task, especially with the partner-heavy nature of such networks and the focus on high-availability systems; however, with the clear evidence of a highly sophisticated adversary abusing these systems and the trust between different organizations, focusing on improving the security of these networks is of the utmost importance,” the CrowdStrike blog post said.

  • Black market traders cash in on fake COVID-19 vaccination records

    Researchers have uncovered a lively trade online in the sale of fake vaccination records and passports. 

    COVID-19 prompted panic buying and price hikes for basic necessities worldwide when the pandemic first hit. Once vaccines were developed, a market emerged among consumers who wanted their shots as quickly as possible. Not everyone wants a vaccination, however, and with international restrictions imposed on non-vaccinated travellers, some are looking for alternatives, including fake records.

    According to research conducted by Intel 471, the underground vaccine trade is still strong, but numerous cybercriminals are now also offering fake COVID-19 vaccine certificates aimed at US and EU entry requirements. US Centers for Disease Control and Prevention (CDC) vaccination cards are issued by vaccine providers on paper. The EU offers a vaccine passport, the EU Digital COVID Certificate, which is issued to European residents in paper and digital form.

    Underground forum posts advertise the fake certificates alongside coronavirus claims and misinformation, such as that the “minority ruling is trying to destroy mankind” and the vaccines are “poisonous.” “We do this to help people who are in critical situations and want to travel urgently,” one advert read.

    On one forum, a trader is offering counterfeit CDC cards, whereas on another, EU and specifically French documents containing QR codes are on display. The QR code on a legitimate EU certificate carries a digitally signed record that official scanning apps verify against the issuing authority, so a forged code cannot pass that check; instead, forged codes may point to a fraudulent website that displays a fake record to anyone who simply scans the code with a phone camera.

    Intel 471 also found a variety of vaccines on the market, claimed to be sourced from the manufacturers of AstraZeneca, Johnson & Johnson, Moderna, Pfizer, and Sputnik V, although the e-commerce domains involved are currently offline. After tracking the vaccine traders, the researchers say the sellers keep a close eye on the news and market their wares accordingly, for example to appeal to customers in countries with limited or no vaccine supply.

    “Be it underground vaccine sales or counterfeit vaccine passes, actors are monetizing the fear and misinformation around COVID-19, creating a new market that has been constructed partly by pushing people who have never purchased anything illicit to buy things off of the underground,” the firm commented.

  • Hackers are disguising their malicious JavaScript code with a hard-to-beat trick

    Over 25% of malicious JavaScript code is obfuscated by so-called ‘packers’, a software packaging method that gives attackers a way of evading signature-based detection, according to security and content delivery network provider Akamai. Packers work by compressing or encoding code so that it is unreadable and hard to debug, producing ‘obfuscated’ code that signature-based antivirus struggles to match.

    JavaScript packers aren’t a new threat. As Secureworks noted as far back as 2008, packers became popular because they reduced the number of bytes downloaded on each page, which supported the richer web applications of the time. “Computer hackers have taken advantage of the acceptance of these packers as suboptimal network optimization tactics and are using them as a way to evade and bypass security controls on the gateway and at the host,” Secureworks noted then.

    Akamai notes that some of the world’s most popular websites contain obfuscated JavaScript for legitimate business reasons. The company says packers remain a large-scale problem, aiding the spread of phishing pages, malware droppers and scams such as the Magecart attacks on online payment systems. At the SecTor 2021 conference in November, Akamai researchers will present a new “technique that profiles the unique functionality of packers to detect JavaScript prior to it being obfuscated, regardless of the original code.”

    Instead of matching a signature or hash of the packed file, the JavaScript is detected by the techniques the packer introduces, according to Akamai. To show how it profiles packers, Akamai looked at four pieces of JavaScript from four unrelated malicious files: two phishing snippets, a malware dropper and a Magecart skimmer. “These four examples are the output of the same unique packer functionality being used to obfuscate any given JavaScript code,” Akamai explains. “By profiling packers and their functionality, we evaluated 30,000 benign and malicious JavaScript files and were able to see that at least 25% of the malicious files used one of five profiled packer functionalities.”

    The research also found that 0.5% of benign files from the top 20,000 sites ranked on Alexa.com used packer obfuscation techniques. Akamai therefore argues that obfuscation alone isn’t a strong enough signal of malicious code, and suggests that telling malicious from benign obfuscated JavaScript will require machine learning.
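    The profiling idea described above, as an added example that is not Akamai’s code or its published technique: a small classifier that looks for the functionality a packer has to introduce, a decode step (escape sequences, character codes, a string-array lookup table) and a dynamic execute step (eval or Function applied to a computed value), and labels the combination instead of hashing the file. The regexes, the family names and the sample snippets are this example’s own constructions, and the feature thresholds are assumptions.

```javascript
// Added example (not Akamai's code): profile the functionality a JavaScript
// packer introduces -- a decode step plus a dynamic execute step -- rather than
// hashing the packed file. Every regex, family name and sample below is a
// construction for this example; the thresholds are assumptions.

const FEATURES = {
  // Dean Edwards' p.a.c.k.e.r prologue: eval(function(p,a,c,k,e,d){ ... })
  packerPrologue: /eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*[dr]\s*\)/,
  // eval()/Function() fed a computed value rather than a string literal
  dynamicEval: /\b(?:eval|Function)\s*\(\s*(?!['"`])[A-Za-z_$]/,
  // eight or more consecutive \xNN or \uNNNN escapes: an encoded payload string
  escapeRun: /(?:\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}){8,}/,
  // source text rebuilt from numeric character codes
  charCodeBuild: /String\.fromCharCode(?:\.apply)?\s*\(/,
  // unescape()/decodeURIComponent()/atob() applied to a long literal
  decoderOnLiteral: /\b(?:unescape|decodeURIComponent|atob)\s*\(\s*['"][^'"]{40,}['"]/,
  // string-array indirection (var _0xabcd = [ ... ]) typical of obfuscator output
  stringArrayIndirection: /var\s+_0x[0-9a-f]{4,}\s*=\s*\[/,
};

const DECODE_FEATURES = ['escapeRun', 'charCodeBuild', 'decoderOnLiteral', 'stringArrayIndirection'];
const EXECUTE_FEATURES = ['packerPrologue', 'dynamicEval'];

// Share of non-alphanumeric characters; packed payloads are symbol-heavy.
// Reported as a feature for a downstream model, not used as a verdict here.
function symbolRatio(src) {
  const s = src.replace(/\s+/g, '');
  return s.length ? s.replace(/[A-Za-z0-9]/g, '').length / s.length : 0;
}

// Returns the packer family implied by the *combination* of features, never a
// malicious/benign verdict: benign sites ship obfuscated code too.
function classify(src) {
  const features = Object.keys(FEATURES).filter((name) => FEATURES[name].test(src));
  const decodes = features.some((f) => DECODE_FEATURES.includes(f));
  const executes = features.some((f) => EXECUTE_FEATURES.includes(f));
  let family = 'none';
  if (features.includes('packerPrologue')) family = 'eval-prologue-packer';
  else if (decodes && executes) family = 'decode-then-eval';
  else if (decodes) family = 'encoded-strings';
  return { family, packed: family !== 'none', features, symbolRatio: +symbolRatio(src).toFixed(2) };
}

// Constructed samples. Payloads are harmless; only the wrapper matters.
const SAMPLES = {
  // p.a.c.k.e.r output wrapping a one-line payload
  packedPayload: String.raw`eval(function(p,a,c,k,e,d){e=function(c){return c};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0 1="2";',3,3,'var|x|login'.split('|'),0,{}))`,
  // hex-escaped string handed to eval
  hexThenEval: String.raw`var s="\x61\x6c\x65\x72\x74\x28\x22\x68\x69\x22\x29";eval(s);`,
  // character codes rebuilt into source and executed via Function()
  charCodeThenRun: String.raw`var t=[97,108,101,114,116,40,49,41];var s=String.fromCharCode.apply(null,t);new Function(s)();`,
  // obfuscated but inert: string-array indirection with no dynamic execution
  obfuscatedBenign: String.raw`var _0x3f2a=["log","hello"];console[_0x3f2a[0]](_0x3f2a[1]);`,
  // minified, not packed: no decode or execute step at all
  minifiedBenign: String.raw`!function(e){"use strict";var t=e.document;function n(e){return t.getElementById(e)}e.byId=n}(window);`,
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, src] of Object.entries(SAMPLES)) {
    console.log(name.padEnd(18), JSON.stringify(classify(src)));
  }
}
```

    Run it with node to print one profile per sample. The obfuscated-but-inert sample lands in the encoded-strings family, which is exactly the benign-obfuscation case Akamai warns about: the profile records how the code was transformed, and a downstream model or analyst still has to decide whether the transformed code is malicious.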

  • Security, remote work support top concerns amongst firms

    Increasing adoption of hybrid work has made enabling and securing remote workers a top challenge for IT managers. Security threats have also evolved in this emerging workplace, with supply chain attacks dominating recent headlines, yet 53% of IT administrators believe their use of “known, trusted software” will keep their organisation safe from such threats.

    Asked about the challenges they faced in the past year with increased adoption of remote work, 57.2% of IT managers pointed to enabling or instructing employees about working remotely, while 49.6% cited the need to secure these workers. Another 44.5% highlighted the need to ensure availability of business applications and networks, according to a study conducted by data security vendor Acronis. The survey polled 3,600 IT managers and remote workers in 18 markets, including Singapore, Australia, India, Japan, Germany, the US, and the UK. Respondents from each country comprised 100 IT managers and 100 remote workers. The study was conducted over two months through to October 2021.

    Some 28.6% said their organisation was targeted by cyber attackers at least once a month, while 21.4% saw weekly attacks and 20.6% reported at least one attack a day. About 20.1% believed they were never targeted in a cyber attack, compared to 9.3% who said their organisation was targeted every hour, the study revealed. Phishing attempts were the most common, with 57.9% of IT managers noting their organisation encountered such attacks in the past year, followed by 39.8% and 36.5% who cited DDoS (Distributed Denial of Service) and malware attacks, respectively. In particular, 74% and 50% of Singapore IT managers cited phishing and malware as the most common attacks, respectively, both figures higher than the global average.

    The need to deal with cyber threats raised the priority of antivirus and antimalware tools, with 73.3% of IT managers worldwide citing these as important business security tools, compared to just 43% in last year’s report. Another 47.9% highlighted the need for integrated backup and disaster recovery, while 45.3% pointed to vulnerability assessments and patch management. Another 35.7% prioritised remote monitoring and management and 20.4% cited URL filtering tools.

    With news of third-party supply chain attacks including Kaseya and SolarWinds consuming headlines in the past year, 53% of IT managers believed their use of “only known, trusted software” would safeguard their organisation against such attacks. Some 23.8% said they turned to antivirus and endpoint detection and response tools, while 17.8% engaged an external provider to protect the organisation against supply chain attacks. Asked about two-factor authentication (2FA), just 21.6% said they used it for all accounts, while 37.7% said they did so for some accounts. Another 30.6% said they used 2FA for most accounts, while 10.1% did not use it at all.

    Amongst employees, 36.5% cited the use of VPN and other security measures as the most technically challenging aspect of working remotely, according to the Acronis study. Wi-Fi connectivity, though, was the most cited technical challenge at 43.9% of respondents, while 27% pointed to the lack of IT support. Some 25.3% of remote employees admitted not using any 2FA, while 38.3% did so for some accounts. Another 21% used 2FA for most accounts and 15.4% did so for all accounts.

    Acronis’ vice president of cyber protection research Candid Wuest said: “The cybercrime industry proved to be a well-oiled machine this year, relying on proven attack techniques, like phishing, malware, DDoS, and others. Threat actors are increasingly expanding their targets, while organisations are held back by the growing complexity of IT infrastructure.” “Only a small number of companies have taken the time to modernise their IT stack with integrated data protection and cybersecurity. The threat landscape will continue to grow and automation is the only path to greater security, lower costs, improved efficiency, and reduced risks,” Wuest added.

  • Supply chain attacks are the hacker's new favourite weapon. And the threat is getting bigger

    Compromising a business supply chain is a key goal for cyber attackers because, by gaining access to a company that provides software or services to many other companies, they can find a potential way into thousands of targets at once. Several major incidents during the past 12 months have demonstrated the large-scale consequences supply chain attacks can have. In one of the biggest cybersecurity incidents in recent years, attackers working for the Russian foreign intelligence service compromised updates from IT services provider SolarWinds that were downloaded by 18,000 customers, with the attackers then going on to target around 100 of those customers, including several US government agencies.

    Other cyber criminals carried out a supply chain attack using a vulnerability in software from Kaseya to launch a ransomware attack that affected thousands of its customers around the world.

    “The issue of the threat to IT service providers as part of a supply chain was clearly one of the features of the last year,” said Simon Mehdian-Staffell, UK government affairs manager at Microsoft, speaking during a Chatham House Cyber 2021 Conference discussion on the rise of state-backed cyberattacks.

    Some of these attacks have been identified because they were on such a large scale, like the ones above. But there are means of supply chain compromise that are far less likely to draw attention yet can be very effective, and a more tightly focused campaign is harder to detect. “Clearly there’s trade-offs to be made between where they cast their net and the potential increased likelihood of being detected, so operators are having to make those trade-offs,” said Jamie Collier, cyber threat intelligence consultant at Mandiant, also speaking during the Chatham House panel.

    While big attacks get the attention, the past few years have seen “other vectors of supply chain compromise that are dominating the numbers that maybe don’t get the attention they deserve”, he added. These lower-scale, less obvious supply chain attacks can be just as effective for attackers, providing discreet pathways into networks. In particular, developer and mobile environments can provide this gateway, and attackers have noticed. “First of all would be developer environments, we see a huge amount of supply chain compromise around there. And the second would be mobile,” said Collier. “So, while we want to focus on the likes of SolarWinds, there is a wider landscape out there and it’s important we recognise that broader spectrum,” he added. Given the success of major supply chain attacks thus far, they will remain a cybersecurity threat for the foreseeable future.

    “Supply chain attacks continue to be an attractive vector at the hand of sophisticated actors and the threat from these attacks is likely to grow. Especially as we anticipate technology supply chains will become increasingly complicated in the coming years,” Lindy Cameron, CEO of the National Cyber Security Centre (NCSC), said in a keynote address to the Cyber 2021 Conference.

    The threat of supply chain attacks means that organisations should examine what they can do to make themselves more resilient to cyberattacks, and how to protect themselves should one of their suppliers unknowingly fall victim to a malicious campaign. “First, organisations need to establish a clear security direction with their suppliers, asking for and incentivising good security through the supply chain. This is often relatively straightforward security practices, such as controlling how privileged access is managed,” said Cameron. “Second, organisations should take an approach where their design is resilient if a technology supplier is compromised. The SolarWinds incident is a good example. To be blunt, if your SolarWinds installation couldn’t talk directly to the internet – which it shouldn’t have been able to do – then the whole attack was irrelevant to your network,” she added.

    Organisations and their information security teams can go a long way towards protecting the network by knowing exactly what is on it and what is connected to the internet. Ensuring that infrastructure which does not need a direct internet connection does not have one, including outbound connections from management and monitoring servers, puts a major barrier in the way of a compromised update that has to call home before it can do anything.

  • Cyber incident impact sits at over $500,000 for half of small to medium APAC businesses

    51% of Asia Pacific small to medium-sized businesses hit by a cyber incident in the past year saw the cost of that incident exceed $500,000, according to a survey conducted by Cisco. Sampling 3,750 businesses with between 10 and 999 employees in 14 countries around the region, Cisco said 83% reported an incident costing more than $100,000, and 13% had an incident costing more than $1 million. The survey was conducted between April and July. In Australia, where 306 qualifying businesses responded, the numbers were starker, with 64% reporting an incident costing over $500,000 and 33% saying they were hit with more than $1 million in costs.

    Among businesses that ran simulation exercises, Cisco said 85% of respondents found issues in their defences. “Of those that identified weaknesses, 95% said the exercises revealed issues with not having the right technology solutions in place to detect a cyber attack or threat. The same number found they had too many technologies and struggled to integrate them together, while 96% discovered they did not have the right technology solutions to block an attack,” the company said.

    Malware was the main vector used against the sampled businesses, appearing in 85% of incidents; 75% of attacks reached customer information, 62% reached internal emails, and 61% reached employee data, intellectual property, or financial data. In its 2020-21 annual report released earlier this week, the Australian Signals Directorate (ASD) said it had seen a 15% increase in ransomware attacks over the past year.

    “ASD responded to more than 1,630 cybersecurity incidents during 2020–21. Compared to the previous financial year, the total number of cybersecurity incidents in the 2020-21 financial year decreased by 28%,” it said. “A higher proportion of cybersecurity incidents this financial year were categorised by the ACSC as ‘substantial’ in impact. This change is due in part to an increase in attacks by cybercriminals on larger organisations and the impact of these attacks on the victims. The attacks included data theft, extortion, and/or rendering services offline.” Because of the pandemic, ASD said it had shifted more of its workforce to flexible and home-based work, and had taken down 7,700 sites hosting “cybercrime activity” related to COVID-19.

  • Customer services firm Atento hit by cyberattack

    Business process outsourcing (BPO) and customer relationship management multinational Atento has been hit by a cyberattack, with the greatest impact seen in Brazil, its largest operation in Latin America. The Madrid-headquartered firm informed its customers on Sunday (17) about the attack against its systems in Brazil, which caused an interruption of service as the company sought to contain the threat and evaluate its extent, according to local news website Neofeed. Atento’s note to customers added that its security team was working to contain the attack and ensure the security of the affected environments before bringing them back online as soon as possible.

    Contacted by ZDNet, the company said it was working on an official press statement on the matter, which had not been published at the time of writing. Brazil is one of Atento’s main global markets: more than 45% of the company’s global workforce of over 150,000 people is concentrated in the Brazilian operation, which serves major telecommunications companies and banks such as Bradesco and Itaú.

    The BPO firm is the latest in a string of companies operating in Brazil to suffer cyberattacks recently. Last week, one of Brazil’s largest insurance groups, Porto Seguro, suffered a cyberattack that caused instability in its service channels and some of its systems. Another company targeted by cybercriminals, CVC, one of the country’s largest travel operators, was hit by a ransomware attack that brought its operations to a standstill earlier this month.

    Despite the increase in security threats, 56% of Brazilian companies currently invest 10% or less of their IT budget in cybersecurity, according to a study by consulting firm Marsh on behalf of Microsoft. The research noted that 52% of Brazilian organizations said their investment in security had not changed since the start of the pandemic. On employee security practices, only 23% of the Brazilian organizations in the study said their workforce works on company-provided equipment. The study noted that this significantly increases exposure to cyber incidents, yet remote access security is the top priority for only 12% of respondents and the second item on the list for 7%.

  • Twitter suspends hacker who allegedly stole data of 45 million Argentinians

    Twitter has suspended a hacker who allegedly stole all of the data from Argentina’s database holding the IDs and information of all 45 million citizens of the country. A threat actor using the handle @aniballeaks said they managed to hack into Argentina’s National Registry of Persons, also known as RENAPER or Registro Nacional de las Personas, and was offering to sell the data on a cybercriminal forum. The leaked data includes names, home addresses, birthdays, Trámite numbers, citizen numbers, government photo IDs, labor identification codes, and ID card issuance and expiration dates.

    Originally, the hacker began leaking the information of famous Argentines such as Lionel Messi and Sergio Aguero. But in a conversation with The Record, the hacker said they planned to publish the information of “1 million or 2 million people” while looking for buyers interested in the data. The hacker also tacitly confirmed how they managed to break into the National Registry of Persons, noting that it was “careless employees” that allowed them into the system.

    The government of Argentina released a statement on October 13 denying that the National Registry of Persons had been hacked. But the statement also says that a VPN account belonging to someone within the Ministry of Health had been used to access the Digital Identity System right before the Twitter account leaked the initial data on the high-profile Argentines. Tony Pepper, CEO of cybersecurity firm Egress, called the hack “monumental.”

    “The black market for stolen data is big business, and cybercriminals will stop at nothing to find their next big payday. This attack should be a warning to governments: cybercriminals have the means to execute large-scale, sophisticated attacks, and their citizens’ data is under threat,” Pepper said. “With the data of millions at risk, Argentinian citizens are now prime targets for follow-up attacks, such as financial fraud, sophisticated phishing attempts and impersonation scams, aimed at stealing further personal data, identities and even their money.”