More stories

  • FontOnLake malware strikes Linux systems in targeted attacks

    A brand of malware that has previously gone undetected is being used in targeted attacks against Linux systems. 

    According to researchers from cybersecurity firm ESET, the malware, named FontOnLake, appears to be well-designed and, while still under active development, already includes remote access options and credential theft features and is able to initialize proxy servers. FontOnLake samples first appeared on VirusTotal in May 2020, but the command-and-control (C2) servers linked to these files are disabled, which the researchers say may be due to the uploads. The researchers added that Linux systems targeted by the malware may be located in areas including Southeast Asia. ESET believes the operators are “overly cautious” about being caught and having their activities exposed, as almost all samples obtained use different C2 server addresses and a variety of ports. Furthermore, the malware’s authors make use of C/C++ and a number of third-party libraries such as Boost and Protobuf. FontOnLake is modular malware that harnesses custom binaries to infect a machine and to execute malicious code. While ESET is still investigating FontOnLake, the firm says that among its known components are trojanized apps which are used to load backdoors, rootkits, and to collect information. “Patches of the applications are most likely applied on the source code level, which indicates that the applications must have been compiled and replaced the original ones,” the team says.

    In total, three backdoors have also been connected to FontOnLake. The backdoors are all written in C++ and create a bridge to the same C2 for data exfiltration. In addition, they are able to issue “heartbeat” commands to keep this connection active. FontOnLake is always joined with a kernel-mode rootkit to maintain persistence on an infected Linux machine. According to Avast, the rootkit is based on the open source Suterusu project. Tencent and Lacework Labs have also published research on what appears to be the same strain of malware. ESET has also released a technical whitepaper (.PDF) examining FontOnLake.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • FBI arrests engineer for flogging nuclear warship data hidden in peanut butter sandwich

    The FBI and the Naval Criminal Investigative Service (NCIS) have arrested an engineer and his wife for trying to sell confidential military data. 

    On Sunday, the US Department of Justice (DoJ) named Jonathan and Diana Toebbe, of Annapolis, Maryland, as the suspects in a plot to sell information to a foreign government. According to the complaint, for close to a year, Jonathan, with the assistance of his wife, attempted to sell Restricted-class data in exchange for cryptocurrency. Jonathan served as a nuclear engineer for the US Navy. During his time with the Navy, the 42-year-old worked on the Naval Nuclear Propulsion Program and had secured high-level national security clearance. “Toebbe worked with and had access to information concerning naval nuclear propulsion including information related to military sensitive design elements, operating parameters, and performance characteristics of the reactors for nuclear-powered warships,” US prosecutors say. On April 1, 2020, Jonathan allegedly sent a sample pack of information relating to the nuclear program to an unnamed foreign government, together with a letter that allegedly read: “I apologize for this poor translation into your language. Please forward this letter to your military intelligence agency. I believe this information will be of great value to your nation. This is not a hoax.” The DoJ has accused the engineer of then forming a relationship over email with someone he believed was part of this government.

    ProtonMail was used for back-and-forth exchanges over the course of several months under the names “Alice” and “Bob.” By June 8, the contactee had sent Toebbe a $10,000 payment in Monero cryptocurrency in “good faith,” and several weeks later, the engineer allegedly acted. The husband and wife traveled to West Virginia to an agreed drop location. While Diana assumed the role of a lookout, Jonathan placed half a peanut butter sandwich at the drop site; hidden inside was an SD storage card containing stolen nuclear reactor program information. The SD card was then retrieved by the contactee, who happened to be an undercover FBI agent and who sent Toebbe a further $20,000 in cryptocurrency. After the second payment was made, the engineer emailed the agent the decryption key required to access the information contained on the SD card. The FBI was then able to verify the legitimacy of the data, and a second drop was arranged for the price of $70,000. This time, Toebbe smuggled the SD card into a chewing gum package. Among the stolen data were schematics for the Virginia-class submarine, a $3 billion design; vessels of this class are in active service and are expected to remain so until at least 2060. It was almost time for law enforcement to act, so they arranged for yet another package of data to be exchanged, and at the next drop zone the pair were arrested. The Toebbes were arrested on October 9 and are due to appear in a Martinsburg, West Virginia federal court on October 12 to face accusations of conspiracy to communicate restricted data and communicating restricted data, as violations of the Atomic Energy Act. The FBI and the NCIS are continuing to investigate. “The complaint charges a plot to transmit information relating to the design of our nuclear submarines to a foreign nation,” commented Attorney General Merrick Garland. “The work of the FBI, Department of Justice prosecutors, the Naval Criminal Investigative Service, and the Department of Energy was critical in thwarting the plot charged in the complaint and taking this first step in bringing the perpetrators to justice.”

  • Tech giants expand Australian misinformation measures week after government criticism

    The Australian industry group advocating for tech giants, including Facebook, Google, TikTok, and Twitter, has expanded its voluntary code for addressing misinformation online after the Australian and US governments made fresh calls last week for tougher social media regulation. The group, Digital Industry Group Inc (DiGi), said the expansion entails creating a new independent committee to police the voluntary code for misinformation and disinformation. These independent members will work with signatories, through an administration sub-committee, to oversee the various actions taken by signatories to meet their obligations under the code, DiGi said. The updated voluntary code will also see DiGi create a new complaints portal. The new portal will accept complaints from the Australian public where they believe a signatory has breached the code’s commitments. Signatories of the voluntary code are Apple, Adobe, Facebook, Google, Microsoft, Redbubble, TikTok, and Twitter. DiGi created the code in February; it consists of signatories committing to releasing an annual transparency report about their efforts to address disinformation and misinformation, and providing a way for users to report content containing disinformation and misinformation. The code also calls for signatories to be cognisant of the Universal Declaration on Human Rights when developing proportionate responses to disinformation and misinformation.

    Australian Communications and Media Authority chair Nerida O’Loughlin said in a statement that the updated voluntary code mechanisms were “an important step” in reducing online misinformation and disinformation. O’Loughlin did note, however, that she was still concerned about the voluntary and opt-in nature of the code. “We will be watching how this works in practice and whether expanding the committee’s remit will be necessary,” she said. Reset Australia, a democracy advocate, took a firmer position, with its director of tech policy Dhakshayini Sooriyakumaran labelling the code as “laughable” due to its voluntary and opt-in nature. “The DiGi code is voluntary and opt-in, with no enforcement and no penalties. Clearly, self regulation does not work,” she said. “DiGi’s code is not much more than a PR stunt given the negative PR surrounding Facebook in recent weeks.” The changes come as the Australian and US governments have criticised the efforts of social media platforms to address misinformation and disinformation, with a Facebook whistleblower last week accusing the social network of intentionally hiding vital information from the public for profit. During testimony to the Senate, the whistleblower Frances Haugen labelled the company as “morally bankrupt” and said that “the choices being made inside of Facebook” were “disastrous for our children, our privacy, and our democracy”. Days later, Australian Prime Minister Scott Morrison criticised tech giants for the conduct that occurs on their platforms, stating that social media platforms like Facebook have become a “coward’s palace” for trolls. “The companies that [do not] say who they are, well, they’re not a platform anymore. They’re a publisher, and you know what the implications of that means in terms of those issues. So people should be responsible for what they say in a country that believes in free speech,” Morrison said at a press conference. Meanwhile, Minister for Communications, Urban Infrastructure, Cities, and the Arts Paul Fletcher said last Wednesday that there was “no question that misinformation or disinformation is a problem on social media”. Fletcher said the government would keep the voluntary code “under close scrutiny” and did not rule out the possibility of further regulation for social media platforms. “If we don’t think the voluntary code is sufficient then we will certainly consider more direct regulatory action,” he said.

  • McAfee/FireEye merger completed, CEO says automation only way forward for cybersecurity

    McAfee Enterprise and FireEye completed their merger on Friday, closing the $1.2 billion, all-cash transaction that merges the two cybersecurity giants. FireEye announced the sale of its FireEye Products business to a consortium led by Symphony Technology Group (STG) in July, separating the company’s network, email, endpoint and cloud security products from Mandiant’s software and services. In March, McAfee sold its enterprise security business to STG in a deal worth $4 billion, paving the way for the two to be merged. The two companies now boast a combined customer base of 40,000, about 5,000 employees and almost $2 billion in revenue. “Aligning McAfee Enterprise’s device-to-cloud cybersecurity solutions with FireEye’s robust portfolio of products presents an extraordinary opportunity for helping keep customers everywhere safe and secure,” STG managing partner William Chisholm said. Bryan Palma, CEO of the new combined company, said the McAfee Enterprise and FireEye teams will be able to develop an integrated security platform powered by artificial intelligence and automation. In an interview, Palma told ZDNet that the sophistication of threats and the deficit of cybersecurity talent mean companies will need to rely more on automation, artificial intelligence and machine learning.

    “There’s just no way that people can keep up, and we’re seeing that. We’ve got nation-states now involved in making attacks and that’s very concerning because they obviously have very strong capabilities. But what we’re seeing is some of the techniques that were traditionally used by nation-states are now being used by criminal groups and hackers,” Palma said. “We also see these supply chain attacks, which we were obviously directly involved in at FireEye with everything that happened with SolarWinds. There are so many zero-days still out there and that’s still an entry point for many hackers. There’s ransomware and still good old-fashioned phishing. There’s a combination of really new, sophisticated threats that I think have raised the bar and then the traditional ways that hackers come after organizations.” Palma joined FireEye in February 2021, at the height of outrage and scrutiny over the SolarWinds scandal that is still being unraveled by the US government. Palma added that there isn’t much overlap between the two companies, allowing each side to bring different things to the table. He said the merger will allow both companies to provide more robust endpoint services, cloud protection and security operations. For the future, Palma said the new company is focusing on leading the way with XDR and statistical models to help address the sophistication of adversaries. “Now that cybersecurity has gotten hot, there are a lot of what I’ll call ‘software companies’ out there. We’re a true, grounded security company and that’s what the people in our company are concerned about,” Palma said. “We really have a great bench of people with expertise who are very skilled in this area and very experienced.” When asked what the new company will be named, Palma explained that the companies will finish the fiscal year under the McAfee Enterprise and FireEye names before deciding on what the new merged name will be. He said the company doesn’t own the McAfee Enterprise name beyond the end of 2021, so they will have to come up with something new for 2022.


  • Citizen Lab researcher disputes claims from NSO Group after UK court finds UAE ruler used Pegasus to hack ex-wife, lawyers

    A member of the team at the University of Toronto’s Citizen Lab is questioning the actions of controversial Israeli spyware firm NSO Group in the case of Princess Haya bint al-Hussein, who had her devices and the devices of her lawyers hacked amid a UK custody battle with Sheikh Mohammed bin Rashid al-Maktoum, ruler of the United Arab Emirates. 


    Sheikh Mohammed and Princess Haya are locked in a custody battle over their two children, and the ruler ordered agents from the UAE to hack into his ex-wife’s devices using Pegasus, the NSO Group’s widely-criticized spyware. The ruler even ordered her British lawyers’ phones hacked as well, drawing outrage from UK court officials who called the hacks “serial breaches of domestic criminal law,” “in violation of fundamental common law and ECHR rights,” and an “abuse of power” by a head of state. The tool has caused global outrage for months after Citizen Lab revealed that it was being used widely by repressive governments and cybercriminal groups to monitor dissidents, human rights activists and even some world leaders, including French President Emmanuel Macron. William Marczak, a senior research fellow with Citizen Lab, testified in Princess Haya’s case and told ZDNet that he felt compelled to participate in the trial because of how brazen Sheikh Mohammed’s actions were. Marczak was also intimately involved in the case, having notified Princess Haya about Pegasus being used against her hours before NSO Group contacted her lawyers. Marczak explained to ZDNet that he personally confirmed the use of Pegasus by forensically analyzing the phones, but said he first became aware of the possible use of Pegasus when he identified the IP address of the law firm Payne Hicks Beach among a set of potential victim IP addresses he developed in his research. During the trial, it was revealed that Princess Haya’s lawyers discovered their devices had been hacked because the wife of former UK Prime Minister Tony Blair, Cherie Blair, works for NSO Group and knows Fiona Shackleton, one of the lawyers involved in the case. On August 5, 2020, Blair was called by an NSO Group employee and told that “it had come to their attention” Pegasus was being used on the phones of Princess Haya and Shackleton. The NSO employee said they had cut off access to the phones through Pegasus and needed help contacting Shackleton about the issue.

    But Marczak disputed this retelling of events, saying he was the one who first told Princess Haya’s lawyers about the hack, hours before NSO Group tried to contact them. “One interesting detail that emerged in the proceedings was that NSO Group had notified Princess Haya’s lawyers several hours after I did, despite the fact that the court found one of the targets was hacked as early as November 2019,” Marczak said. “Here’s an interesting question: would NSO Group have notified Princess Haya’s lawyers had I not done my own notification?” What stood out most to Marczak was NSO Group’s atypically robust response, noting that it was not common for the spyware firm to cut off access to their tool. “Not only did NSO Group notify the targets of the surveillance shortly after I did, but they also claim to have disconnected one of their customers over the matter,” he explained. “Furthermore, NSO Group said that they instituted a policy where their foreign customers are not generally allowed to spy in the UK. We see abuses of NSO Group’s Pegasus spyware all the time, but we almost never see NSO take remediative action like this.” Marczak’s testimony in the case centered on how powerful the Pegasus spyware is, and he explained how the tool gives users full access to a person’s device without them knowing. He also confirmed that the phones were hacked by a single operator from the UAE. “This is one of the most naked abuses of government spyware I’ve ever seen. NSO Group and its customers sometimes try to justify surveillance against dissidents and journalists by pointing to national security or terrorism concerns, but it’s a lot harder to paint your ex-wife and her family court lawyers as terrorists,” Marczak said. “When the prospect of the UAE spying on Princess Haya’s lawyers came to light, I felt compelled to notify them and help them make sense of what had happened.” Marczak added that he could not think of another case where forensics confirmed that Pegasus was used this way.

    He noted that there have been a few allegations of rulers using Pegasus for non-political reasons. He mentioned the case of a former Panamanian President, Ricardo Martinelli, who was alleged to have used Pegasus to spy on his mistresses, according to an extradition request from the US. Marczak added that there are now wider concerns that the spyware will be used in personal disputes by repressive world leaders. “It is an ongoing risk, especially when so many of NSO Group’s customers are places where the personal affairs of the leader can often get entangled with national security concerns.” “There is nothing that the average person can do to defend against this, but the targets are often not average people.” He recommended that at-risk users consider disabling iMessage, FaceTime, WhatsApp and other messaging apps if they’re not using them, because these are popular vectors for phone hacking. He also mentioned that it would help to segregate activity onto different devices, which can mitigate the damage if a single device is hacked. He suggested having one phone for work, one phone for a sensitive project you’re working on and one phone for personal life. NSO Group said it has cancelled its contract with the United Arab Emirates after it discovered how Pegasus was being used. “As the NSO letter of December 2020 makes plain, after its investigation NSO has adopted the extreme remedy of terminating its customer’s use of the Pegasus software. In commercial terms, this step is to be understood as having great significance,” Judge Andrew McFarlane, President of the Family Division in England and Wales, wrote in his ruling. But Marczak said the NSO Group’s flagrant actions prove more cases will emerge of Pegasus being misused in this way. “Without better regulation of the industry and its customers, this is inevitable,” Marczak said.

  • Ransomware: Cyber criminals are still exploiting these old vulnerabilities, so patch now

    Some of the cybersecurity vulnerabilities most commonly exploited by cybercriminals to help distribute ransomware are years old — but attackers are still able to take advantage of them because security updates aren’t being applied.

    Cybersecurity researchers at Qualys examined the Common Vulnerabilities and Exposures (CVEs) most used in ransomware attacks in recent years. They found that some of these vulnerabilities have been known for almost a decade and have had vendor patches available. But because many organizations still haven’t applied the available security updates, they remain vulnerable to ransomware attacks. The oldest of the top five vulnerabilities detailed in the analysis is CVE-2012-1723, a vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7, which was detailed in 2012. According to researchers, it’s been commonly used to distribute Urausy ransomware. This ransomware is somewhat basic, but some organizations have remained vulnerable because they haven’t applied the relevant security patches. Two other common vulnerabilities detailed by researchers are from 2013. CVE-2013-0431 is a vulnerability in JRE exploited by Reveton ransomware, while CVE-2013-1493 is a flaw in Oracle Java that is targeted by Exxroute ransomware. In both cases, patches to remedy the vulnerabilities have been available for over eight years. CVE-2018-12808, meanwhile, is a three-year-old vulnerability in Adobe Acrobat, which is used to deliver ransomware via phishing emails and malicious PDF files. Both Ryuk ransomware and what many believe to be its successor, Conti ransomware, have been known to use this attack method. The most recent vulnerability on the list is Adobe CVE-2019-1458, a privilege escalation vulnerability in Windows that emerged in December 2019 and has been commonly used by the NetWalker ransomware group. Like the other vulnerabilities detailed by researchers, cybercriminals have been able to continue launching successful attacks because the available security update hasn’t been applied.

    For IT and information security teams, applying all the patches needed to keep a network secure is often an uphill battle. “The rate at which vulnerabilities are rising is exponentially higher than the rate at which operations teams are patching. This is the number one driving factor for why vulnerabilities remain unpatched,” Shailesh Athalye, SVP of product management at Qualys, told ZDNet. “It is easy for operations teams to get overwhelmed when they do not have a prioritized list of patches or software listings provided from security teams.” Cyberattackers know that many organizations struggle with patching, so they are actively scanning for vulnerabilities that enable them to lay down the foundations for ransomware and other cyberattacks. Patch management can be a complex and time-consuming process. Still, information security teams need to take the time to apply critical security updates, particularly if they’re known to be commonly exploited by cybercriminals and ransomware gangs. “There is no silver bullet to prevent ransomware and remediate vulnerabilities, but overall, driving processes for reducing an attack surface should be the goal,” said Athalye. “The important part of vulnerability management is the combination of vulnerability assessment, prioritization and remediation.”
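    The prioritized patch list Athalye describes can be produced from scanner findings with a simple scoring rule. The Python below is an added example, not Qualys code or output: it takes a constructed set of findings, weights each one by whether the CVE is on the ransomware-exploited list above (the five identifiers and families named in this story), by exposure, by how long the CVE has been public and by the scanner's CVSS score, and returns the findings in the order an operations team should work them. Host names, CVSS values and the two CVE-20xx-00000 identifiers are constructed placeholders.

```python
"""Rank open vulnerability findings so the ones ransomware crews are known
to exploit get patched first.

Added example with constructed data; not a Qualys tool or real scan output.
"""
from dataclasses import dataclass
from datetime import date

# CVEs from the Qualys analysis described above, with the ransomware family
# the article associates with each one.
RANSOMWARE_EXPLOITED = {
    "CVE-2012-1723": "Urausy",
    "CVE-2013-0431": "Reveton",
    "CVE-2013-1493": "Exxroute",
    "CVE-2018-12808": "Ryuk/Conti",
    "CVE-2019-1458": "NetWalker",
}


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float            # base score as the scanner reported it (constructed here)
    internet_facing: bool  # reachable from outside, e.g. a public web or VPN host
    patch_available: bool  # vendor fix exists and can be rolled out today


def cve_year(cve_id: str) -> int:
    """CVE ids are CVE-<year>-<sequence>; the year is a lower bound on how
    long the weakness has been public."""
    return int(cve_id.split("-")[1])


def score(f: Finding, today: date) -> int:
    """Higher score = patch sooner. Known ransomware use dominates, then
    exposure, then age (capped so decade-old bugs do not swamp the rest),
    then severity. Findings with no fix yet are kept but pushed down."""
    s = 0
    if f.cve in RANSOMWARE_EXPLOITED:
        s += 100
    if f.internet_facing:
        s += 20
    s += min(today.year - cve_year(f.cve), 10)
    s += int(f.cvss)
    if not f.patch_available:
        s -= 50
    return s


def prioritize(findings, today):
    """Return (host, cve, score, ransomware_family) tuples, best-first.
    Ties break on host then CVE so the output is stable run to run."""
    ranked = sorted(findings, key=lambda f: (-score(f, today), f.host, f.cve))
    return [(f.host, f.cve, score(f, today), RANSOMWARE_EXPLOITED.get(f.cve, ""))
            for f in ranked]


# Constructed inventory: what a scanner might report for five hosts.
# CVE-2021-00000 and CVE-2020-00000 are placeholders, not real identifiers.
SAMPLE_FINDINGS = [
    Finding("web-02", "CVE-2021-00000", 9.8, True, True),
    Finding("kiosk-03", "CVE-2018-12808", 7.8, False, True),
    Finding("dev-07", "CVE-2020-00000", 5.0, False, False),
    Finding("file-srv", "CVE-2012-1723", 10.0, False, True),
    Finding("web-01", "CVE-2019-1458", 7.8, True, True),
]
AS_OF = date(2021, 10, 11)  # fixed so the ranking is reproducible


if __name__ == "__main__":
    for host, cve, s, family in prioritize(SAMPLE_FINDINGS, AS_OF):
        tag = f"  ransomware: {family}" if family else ""
        print(f"{s:5d}  {host:10s} {cve}{tag}")
```

    The point of the weighting is the one the story makes: a nine-year-old Java bug with a known ransomware loader outranks a brand-new critical CVE that nobody is exploiting yet, because the former is what attackers are actually scanning for.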

  • BrewDog exposed data of 200,000 shareholders for over a year

    Researchers say that BrewDog exposed the personally identifiable information (PII) of roughly 200,000 shareholders for the best part of 18 months. 


    According to PenTestPartners, BrewDog “declined to inform their shareholders and asked not to be named” in the research revealing the security flaw. On October 8, the cybersecurity firm said that the Scottish brewery had implemented a hard-coded Bearer authentication token associated with API endpoints designed for BrewDog’s mobile applications. Normally such a token is returned only once a user has submitted their credentials, and that is what gates access to an endpoint; because the tokens were hardcoded, this verification step was missed. PenTestPartners members, who happened to be BrewDog shareholders, appended each other’s customer IDs to the end of API endpoint URLs. During tests, they found they were able to access the PII of Equity for Punks shareholders without a suitable authentication challenge. Names, dates of birth, email addresses, genders, telephone numbers, previously used delivery addresses, shareholder numbers, shares held, referrals, and more were accessible. However, the customer IDs were not considered “sequential.” “An attacker could brute force the customer IDs and download the entire database of customers,” the researchers said. “Not only could this identify shareholders with the largest holdings along with their home address, but it could also be used to generate a lifetime’s supply of discount QR codes!”
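    The flaw the researchers describe is a bearer token that identifies the app rather than any user, combined with an endpoint that trusts whatever customer ID is in the URL. The Python below is an added example, not PenTestPartners’ or BrewDog’s code: the vulnerable handler accepts the baked-in token and serves any record, and the hardened handler beside it issues a token per user only after a credential check and refuses IDs that do not belong to the caller. The customer records, passwords, salt and token string are constructed placeholders.

```python
"""Hard-coded app token + trusted URL id (the vulnerable pattern) beside a
per-user session and object-level authorization check (the fix).

Added example with constructed data; not BrewDog's or PenTestPartners' code.
"""
import hashlib
import hmac
import secrets

# Constructed customer records of the kind the report says were exposed.
CUSTOMERS = {
    1001: {"name": "A. Example", "email": "a@example.test", "shares": 12},
    1002: {"name": "B. Example", "email": "b@example.test", "shares": 340},
}

# Constructed placeholder for a token compiled into the mobile app. Every
# installed copy carries the same value, so it proves nothing about the user.
HARDCODED_APP_TOKEN = "app-token-PLACEHOLDER"


def vulnerable_get_customer(customer_id, auth_header):
    """Flawed handler: the only check is 'does the caller present the app
    token?'. Whoever holds it can request any customer id."""
    if auth_header != f"Bearer {HARDCODED_APP_TOKEN}":
        return 401, None
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


# --- hardened version -------------------------------------------------------

_SALT = b"constructed-salt"          # per-user salts in a real system


def _hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed credentials; only password hashes are stored.
_PASSWORD_HASHES = {
    1001: _hash_password("correct horse"),
    1002: _hash_password("battery staple"),
}
_SESSIONS = {}   # opaque random token -> customer id


def login(customer_id, password):
    """Issue a token only after the credential check, bound to that user."""
    expected = _PASSWORD_HASHES.get(customer_id)
    if expected is None or not hmac.compare_digest(expected, _hash_password(password)):
        return None
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = customer_id
    return token


def hardened_get_customer(customer_id, auth_header):
    """Authenticate the user from the session, then authorize the object:
    the id in the URL must be the authenticated user's own id."""
    if not auth_header.startswith("Bearer "):
        return 401, None
    owner = _SESSIONS.get(auth_header[len("Bearer "):])
    if owner is None:
        return 401, None
    if owner != customer_id:
        return 403, None     # object-level authorization check
    return 200, CUSTOMERS[customer_id]


def records_reachable(handler, auth_header, id_range):
    """Authorization regression check: with one caller's credentials, how
    many distinct customer records does the endpoint hand back?"""
    return sum(1 for cid in id_range if handler(cid, auth_header)[0] == 200)


if __name__ == "__main__":
    app_hdr = f"Bearer {HARDCODED_APP_TOKEN}"
    user_hdr = f"Bearer {login(1001, 'correct horse')}"
    ids = range(1000, 1010)
    print("vulnerable:", records_reachable(vulnerable_get_customer, app_hdr, ids))
    print("hardened:  ", records_reachable(hardened_get_customer, user_hdr, ids))
```

    The `records_reachable` check is the test the researchers effectively ran by swapping each other’s IDs; as a regression test in CI it fails the moment an endpoint starts returning more than the caller’s own record.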

    PenTestPartners noted that some of the PII exposed would fall under the GDPR protection banner, and that hard-coding authentication tokens is a failure to meet these standards. Based on an analysis of older versions of the BrewDog app, the researchers say that the security issue was introduced in version 2.5.5, released in March 2020, and was not resolved for roughly 18 months. After PenTestPartners reached out with its findings, researcher Alan Monie tested a total of six different builds. It took four fix attempts before the issue was resolved in version 2.5.13, released on September 27. However, the changelog for this version does not appear to mention the vulnerability fix. “The vulnerability is fixed,” the researcher says. “As far as I know, BrewDog has not alerted their customers and shareholders that their personal details were left unprotected on the internet. I worked with BrewDog for a month and tested six different versions of their app for free. I’m left a bit disappointed by BrewDog both as a customer, a shareholder, and the way they responded to the security disclosure.” Speaking to ZDNet, a BrewDog spokesperson provided the following statement: “We were recently informed of a vulnerability in one of our apps by a third party technical security services firm, following which we immediately took the app down and resolved the issue. We have not identified any other instances of access via this route or personal data having been impacted in any way. There was, therefore, no requirement to notify users. We are grateful to the third-party technical security services firm for alerting us to this vulnerability. We are totally committed to ensuring the security of our users’ privacy. Our security protocols and vulnerability assessments are always under review and always being refined in order that we can ensure that the risk of a cyber security incident is minimized.” BrewDog also told us: “BrewDog was notified of a vulnerability and the potential for data to be compromised. Investigations found no evidence that it was. Therefore there is no requirement to inform the ICO. An independent party documented the case as is required by the ICO.”

  • Russia poses the biggest nation-state cyber threat, says Microsoft

    Beijing-backed hackers caused a crisis after hacking Exchange email servers this year with flaws Microsoft didn’t know about, but Microsoft says Russian hackers are far more prolific than those from China, or any other nation. “During the past year, 58% of all cyberattacks observed by Microsoft from nation-states have come from Russia,” Tom Burt, Microsoft corporate vice president, said in a blogpost detailing government-backed hacking over the past year. The US and UK blamed the Russian Foreign Intelligence Service (SVR) for the huge software supply chain attack on US enterprise software vendor SolarWinds, which affected 18,000 customers including top tech firms and US government agencies. Microsoft, which was also compromised by the hack, calls this group of hackers Nobelium; others call it APT28. Microsoft’s Burt warned that the past year showed Kremlin-backed hackers are becoming “increasingly effective”, with their attacks becoming more successful and driven by spying and intelligence campaigns. Many Russian-attributed attacks targeted enterprise virtual private network (VPN) software. “Russian nation-state actors are increasingly targeting government agencies for intelligence gathering, which jumped from 3% of their targets a year ago to 53% — largely agencies involved in foreign policy, national security or defense,” he explained. Russia’s hacking is primarily motivated by the nation’s politics, with the top targets being the United States, Ukraine and the UK, according to Microsoft. But other usual suspects also feature in Microsoft’s 2021 Digital Defense Report, including Iran and North Korea. A new entrant is Turkey, which has developed a taste for trojans. Notably absent from Microsoft’s report is work carried out by Israeli cyber teams. Israel is home to NSO Group, infamous for exploits targeting iPhones.

    Russian state-based hacking was mostly focused on Ukraine. Meanwhile, Israel was targeted increasingly by Iranian hackers. “Russia-based NOBELIUM raised the number of Ukrainian customers impacted from six last fiscal year to more than 1,200 this year by heavily targeting Ukrainian government interests involved in rallying support against a build-up of Russian troops along Ukraine’s border,” Microsoft notes in its Digital Defense Report. “This year marked a near quadrupling in targeting of Israeli entities, a result exclusively of Iranian actors, who focused on Israel as tensions sharply escalated between the adversaries.” Public sector agencies under fire from hackers are mostly “ministries of foreign affairs and other global government entities involved in international affairs”, according to Microsoft, while phishing attacks seeking to capture credentials affect consumer and enterprise accounts. Russian hackers have evolved supply chain attacks over the past decade. The biggest supply chain attack before SolarWinds was NotPetya in 2017, which spread through a little-known Ukrainian accounting software package and cost industrial giants billions in losses. Software supply chain attacks work because they’re carried out via updates from trusted software vendors, including security companies. SolarWinds may not be a household name, but it’s big in enterprise IT. Now, nearly every major US cybersecurity company is rallying behind US president Joe Biden’s cybersecurity order, which attempts to push the idea that even trusted networks can’t be trusted. However, critical infrastructure is the real change in the targets selected by Russian hackers. Biden reportedly told Russian president Vladimir Putin that critical infrastructure should be “off limits”, although this is a tricky position for the US when it’s widely known that the world’s most capable hackers work at the National Security Agency, which developed Stuxnet to target Iran’s uranium enrichment equipment. Microsoft’s top execs have previously criticised the NSA for hoarding zero-day exploits. “From July 2020 to June 2021, critical infrastructures were not the focal point according to the NSN information that was tracked. China-based threat actors displayed the most interest and Russia-based threat actors accounted for the least in targeting entities in the critical infrastructure sector,” Microsoft notes in its report. “Russian NOBELIUM’s cyber operations are a perfect example of displaying Russia’s interest in conducting operations for access and intelligence collection versus targeting critical infrastructure for potential disruption operations.”