Information Technology

The Department of Home Affairs is looking for an organisation to help it build and deploy components for the country’s identity-matching services (IDMS), as well as host and manage elements of the existing IDMS system. The IDMS was established to prevent the use of false and stolen identities, provide law enforcement with tools to help identify persons of interest, and enable other government agencies to deliver services. This was established after the political heads of Australia’s states and territories unanimously agreed to it in 2017. It comprises three components, with one being the documentation verification service (DVS), a national online service used to check in real time whether a particular evidence-of-identity document that has been presented is authentic, accurate, and up to date. Another is a face-matching services hub (FMS), which acts as “broker” that facilities identity-related requests for biometric and biographic data between requesting agencies and data holding agencies. The third component is the national driver licence facial recognition solution (NDLFRS), which is used to verify a person’s identity using their facial image or driver’s licence issued by each state and territory road agency. In a request for tender, the Department of Home Affairs outlined it is seeking help to transition the country’s existing NDLFRS from an unnamed incumbent service provider to a new provider while keeping the current system fully operational during the transition period. The service provider would also take over all management, operations, and maintenance responsibilities for the NDLFRS, according to the tender. At the same time, the department is seeking for the DVS and FMS hubs to be designed, built, tested, and deployed, with the potentiation for both hubs to be consolidated into a single hub that can provide both services.

Read also: Human Rights Commission calls for a freeze on ‘high-risk’ facial recognition The department also hopes that a central routing application can be developed to facilitate the secure, automated transition of facial images and associated data between IDM participants, along with a web-based portal interface for IDMS consumers that can submit and receive information match requests for biometric and biographic data. Other requirements listed in the tender include the need to have agreed upon common data standards, guidelines, and protocols for the exchange of biometric and biographic data. Tender submissions close 11 March 2022. The request for tender follows the recent scrutiny regarding various Australian government agencies’ usage of biometric tools and data. In April last year, the Australian Federal Police (AFP) admitted to using Clearview AI facial recognition software to help counter child exploitation, despite not having an appropriate legislative framework in place.An investigation by Australia’s Information Commissioner later determined the AFP’s use of the Clearview AI platform interfered with the privacy of Australian citizens. A separate investigation also found that Clearview AI facial recognition tool collected Australians’ sensitive information without consent and by unfair means, breaching Australia’s privacy laws on numerous fronts. Related Coverage More

Image: Costfoto/Barcroft Media via Getty Images
The United States Federal Communications Commission (FCC) has removed the authority for China Unicom to operate in the US for national security reasons. The agency’s four commissioners voted unanimously to revoke the licence of China Unicom’s US subsidiary, with the agency explaining that the telco’s presence in the US posed a national security risk for the Chinese government to access, store, disrupt, and misroute US communications and engage in espionage. “In March 2021, the Commission found that China Unicom Americas had failed to dispel serious concerns regarding its retention of its authority to provide telecommunications services in the United States,” the FCC said in a statement. “[China Unicom] is subject to exploitation, influence, and control by the Chinese government and is highly likely to be forced to comply with Chinese government requests without sufficient legal procedures subject to independent judicial oversight.” The state-owned China Unicom has also been accused of misleading the FCC and Congress about the activities it conducted in the US, which the agency said has fractured the telco’s ability to be trusted given the critical nature of being a provider of telecommunications services. With the ban, China Unicom joins China Telecom as being a Chinese state-owned telco that has been banned from operating in the US. The ban also means China Mobile is the last of China’s major telcos to still be allowed in the US.Prior to the FCC decision, China Unicom was already in regulatory hot water in the US, having been delisted from the New York Stock Exchange alongside China Telecom and China Mobile at the start of 2021. US President Joe Biden also signed an executive order in June last year prohibiting Americans from investing in the three telcos as well.

China Unicom will now have 60 days to pack its bags and stop its provisions of domestic and international services. Related Coverage More

Taiwanese network-attached storage giant QNAP urged its customers to update their systems this week after the DeadBolt ransomware was discovered targeting all NAS instances exposed to the internet.”QNAP urges all QNAP NAS users to follow the security setting instructions below to ensure the security of QNAP NAS and routers, and immediately update QTS to the latest available version,” the company said in a statement. Attached to the statement is a detailed guide for customers, noting that if you go to the Security Counselor on your QNAP NAS and see “The System Administration service can be directly accessible from an external IP address via the following protocols: HTTP” on the dashboard, you are at high risk. “If your NAS is exposed to the Internet, please follow the instructions below to ensure NAS security: Go to the management interface of your router, check the Virtual Server, NAT or Port Forwarding settings, and disable the port forwarding setting of NAS management service port (port 8080 and 443 by default),” the company said. “Go to myQNAPcloud on the QTS menu, click the “Auto Router Configuration”, and unselect “Enable UPnP Port forwarding.”Two days ago, dozens of people took to QNAP message boards and Reddit to say they logged on only to find the Deadbolt ransomware screen. People reported losing decades of photos, videos and irreplaceable files. Even an MIT professor was hit. 

I just got hacked. Ransomware named DeadBolt found an exploit in @QNAP_nas storage devices, encrypting all files. They ask $1,000 from individuals or $1.8 million from QNAP. I have 50tb of data there, none of it essential or sensitive, but it hurts a lot. Time for a fresh start. pic.twitter.com/E8ZkyIbdfp— Lex Fridman (@lexfridman) January 27, 2022

One user on Reddit said they were saved because they had a folder titled “Absolutely Worthless” at the top of their directory full of data. The ransomware started with that folder, giving them time to pull the plug before it encrypted anything of value. 

The ransom note demands .03 of Bitcoin for the decryption key and says, “You have been targeted because of the inadequate security provided by your vendor (QNAP).” At least one user on Reddit reported paying the ransom and not getting the decryption key. 
QNAP message board
On the QNAP message board, someone shared a message from the Deadbolt ransomware group that was allegedly sent to QNAP. “All you affected customers have been targeted using a zero-day vulnerability in your product. We offer you two options to mitigate this (and future) damage,” the group said.  The group demanded a Bitcoin payment of 5 BTC in exchange for details about an alleged zero day used to launch the attack or 50 BTC for a universal decryption master key and information about the zero day. “There is no way to contact us. These are our only offers,” the alleged message says. QNAP did not respond to requests for comment about whether a zero day was used during the attack. Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, said QNAP NAS devices have been a frequent target of ransomware groups, including by the QLocker ransomware in April 2021 and January 2021 as well as the ech0raix ransomware in December 2020. QNAP has also been hit by malware in the past. “The latest activity—which has been attributed to the Deadbolt ransomware—is reportedly unsophisticated and relies on targeting unpatched devices. Mitigation for this attack—and other similar ransomware variants—can be achieved simply by ensuring devices are not internet facing and are routinely patched with the most regular updates,” Morgan explained. Vulcan Cyber’s Mike Parkin questioned why an organization would have a NAS system exposed on the internet in the first place, noting that while there may be some business cases for making mass storage available to outsiders, there is no reason to have administration functions available through an unencrypted, unauthenticated, connection. “Cases like this highlight how important it is to be sure systems are deployed and maintained to industry best practices. Network scanning and vulnerability management tools can work together to identify risky configurations after the fact, but it’s always best to make sure systems are deployed securely in the first place,” Parkin said.  More

The White House, Environmental Protection Agency (EPA) and Cybersecurity and Infrastructure Security Agency (CISA) are rolling out a 100-day plan to improve the cybersecurity of the country’s water systems, which faced a variety of attacks over the last year. 

The “Industrial Control Systems Cybersecurity Initiative — Water and Wastewater Sector Action Plan” includes several measures that officials believe can be taken in the next few months to address cybersecurity gaps within the water utility industry. The plan will create a task force of leaders in the water utility industry, kickstart incident monitoring pilot programs, improve information sharing and provide technical support to water systems in need of help. EPA Administrator Michael Regan said cyberattacks represent an “increasing threat to water systems and thereby the safety and security of our communities.””As cyber-threats become more sophisticated, we need a more coordinated and modernized approach to protecting the water systems that support access to clean and safe water in America,” Regan said. “EPA is committed to working with our federal partners and using our authorities to support the water sector in detecting, responding to, and recovering from cyber-incidents.”The White House said the plan will offer owners and operators with technology that will provide “near real-time situational awareness and warnings.” The Washington Post noted that over 150,000 water utilities are serving the US population. “This sector is made up of thousands of systems that range in size from the very small to ones that service major metropolitan cities that have little or no cybersecurity expertise and are unsure what steps they should take to address cyber risks. EPA and CISA will work with appropriate private sector partners to develop protocols for sharing information,” the Biden Administration said. 

“The government will not select, endorse, or recommend any specific technology or provider. The plan will initially focus on the utilities that serve the largest populations and have the highest consequence systems; however, it will lay the foundation for supporting enhanced ICS cybersecurity across water systems of all sizes.”Also: The White House rolls out zero trust strategy for federal agenciesIn October, CISA warned the US water and wastewater system operators about an array of cyber threats to disrupt their operations.The notice listed several recent attacks since 2019, including one in August 2021 that involved the Ghost ransomware being deployed against a facility in California. Attackers spent a month inside the system before putting up a ransomware message on three supervisory control and data acquisition servers. An attack in July 2021 saw the ZuCaNo ransomware used to damage a wastewater facility in Maine. In March 2021, a Nevada water treatment plant was hit with an unknown ransomware variant. In September 2020, the Makop ransomware hit a New Jersey facility, and another attack in March 2019 involved an attempt to threaten the drinking water of a town in Kansas. There was also a headline-grabbing attack in February 2021 where an unidentified hacker accessed the computer systems of a water treatment facility in the city of Oldsmar, Florida and modified chemical levels to dangerous parameters.Recent reports indicate that 1 in 10 waste or wastewater plants has a critical security vulnerability. “Over the past year, we’ve seen cyber threats affecting the critical infrastructure that underpins our communities and the services we all rely on, including safe and clean water,” CISA Director Jen Easterly said. “To reduce the likelihood and impact of damaging cybersecurity intrusions to the water sector, we’re teaming up with our EPA partners to provide guidance, technology, and direct support to the sector. The action plan announced today will help us better understand and reduce the risks across the water and wastewater sector both in the near and long term, and keep the American people safe.”The White House noted in its statement that the recent attacks on Colonial Pipeline and food processor JBS “are an important reminder that the federal government has limited authorities to set cybersecurity baselines for critical infrastructure and managing this risk requires partnership with the private sector and municipal owners and operators of that infrastructure.”The EPA developed the water plan, National Security Council, CISA and the Water Sector Coordinating Council and Water Government Coordinating Council. National Cyber Director Chris Inglis explained that the plan will provide owners and operators of water utilities with a roadmap for high-impact actions to improve their operations’ cybersecurity. The 100-day plan is part of President Joe Biden’s Industrial Control Systems (ICS) Initiative that aims to help critical infrastructure organizations with tools that provide greater visibility, indicators, detections, and warnings about cyber threats. Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger said the action plans that were created for electric grids and pipeline operators “have already resulted in over 150 electricity utilities serving over 90 million residential customers and multiple critical natural gas pipelines deploying additional cybersecurity technologies.””This plan will build on this work and is another example of our focus and determination to use every tool at our disposal to modernize the nation’s cyber defenses, in partnership with private sector owners and operators of critical infrastructure,” Neuberger said. Secretary of Homeland Security Alejandro Mayorkas added that “American lives depend on protecting the Nation’s critical infrastructure from evolving cybersecurity threats.”Responses to the 100-day plan among ICS cybersecurity experts was mixed. Mark Carrigan, cyber VP of process safety and OT cybersecurity at Hexagon PPM, told ZDNet that the measures outlined “will not be nearly sufficient to reduce the risk to an acceptable level.” The state of detection technology today is not “fool-proof,” according to Carrigan, who noted that many infiltrations and subsequent attacks start with exploiting zero-day vulnerabilities that are not recognized until after the fact. “It’s like closing the barn door after the cows have gotten out. It is time for critical infrastructure to increase investments to improve operational resiliency so that we can respond to an attack, minimize the impact, and restore operations within an acceptable period of time,” Carrigan said. “We must accept the fact that we cannot prevent all cyber-attacks due to the nature of the control systems that deliver critical services. We must improve our ability to respond and recover.” More

A wave of cyber attacks are exploiting Microsoft Excel add-in files in order to deliver several forms of malware in campaigns which could leave businesses vulnerable to data theft, ransomware and other cyber crime. Detailed by researchers at HP Wolf Security, the campaigns use malicious Microsoft Excel add-in (XLL) files to infect systems and there was an almost six-fold increase – a 588% rise – in attacks using this technique during the final quarter of 2021 when compared to the previous three months. XLL add-in files are popular because they enable users to deploy a wide variety of extra tools and functions in Microsoft Excel. But like macros, they’re a tool which can be exploited by cyber criminals. The attacks are distributed via phishing emails based around payment references, invoices, quotes, shipping documents and orders which come with malicious Excel documents with XLL add-in files. Running the malicious file prompts users to install and activate the add-in – which will secretly run the malware on the victim’s machine. Malware families identified as being delivered in attacks leveraging XLL files include – Dridex, IcedID, BazaLoader, Agent Tesla, Raccoon Stealer, Formbook and Bitrat. Many of these forms of malware can create backdoors onto compromised Windows systems, providing attackers with the ability to remotely access machines, monitor activity and steal data. Researchers also warn that malware backdoors provide attackers with ability to deliver other malware, including ransomware, meaning the XLL attacks could be exploited as a means of encrypting networks and demanding large ransom payments. These XLL attacks are effective at compromising victims – something that’s reflected in the prices of those offering services related to them on underground dark web forums.  

SEE: A winning strategy for cybersecurity (ZDNet special report)Some XLL Excel Dropper services are advertised as costing over $2,000, which is quite expensive for community malware but criminal forum users seem willing to pay the price. In addition to the XLL-based campaigns, researchers note that QakBot, a prominent form of trojan malware, often used as a precursor to ransomware attacks, is also abusing Excel to compromise victims. Attackers are hijacking email threads in order to deliver malicious Excel documents to their chosen victims, who are sent a ZIP archive containing a Microsoft Excel Binary Workbook (XLSB). If this is run, QakBot is downloaded onto the machine. “Abusing legitimate features in software to hide from detection tools is a common tactic for attackers, as is using uncommon file types that may be allowed past email gateways. Security teams need to ensure they are not relying on detection alone and that they are keeping up with the latest threats and updating their defenses accordingly,” said Alex Holland, senior malware analyst at HP Wolf Security. “Attackers are continually innovating to find new techniques to evade detection, so it’s vital that enterprises plan and adjust their defenses based on the threat landscape and the business needs of their users. Threat actors have invested in techniques such as email thread hijacking, making it harder than ever for users to tell friend from foe,” he added. In order to avoid falling victim to the spate of attacks abusing XLL files, it’s recommended that administrators configure email gateways to block incoming .xll attachments and only permit add-ins to be delivered by trusted partners – or even disable Excel add-ins entirely. MORE ON CYBERSECURITY More

The FBI has issued an alert detailing the tools, techniques and tactics of an Iranian group, giving US organizations tips to defend against its malicious cyber activities.Back in October 2021, a grand jury in the US District Court for the Southern District of New York indicted two Iranian nationals employed by Emennet Pasargad for computer intrusion, computer fraud, voter intimidation, interstate threats, and conspiracy offenses for their alleged participation in a campaign aimed at influencing and interfering with the 2020 US Presidential Election. 

ZDNet Recommends

The Department of the Treasury Office of Foreign Assets Control designated Emennet along with four members of the company’s management and the two indicted employees for attempting to influence the election. The Department of State’s Rewards for Justice Program also offered up to $10 million for information on the two indicted actors. SEE: A winning strategy for cybersecurity (ZDNet special report)But the FBI information indicates Emennet poses a broader cybersecurity threat outside of information operations. “Since 2018, Emennet has conducted traditional cyber exploitation activity targeting several sectors, including news, shipping, travel (hotels and airlines), oil and petrochemical, financial, and telecommunications, in the United States, Europe, and the Middle East,” it said. Emennet is known to use virtual private network (VPN) services TorGuard, CyberGhost, NordVPN, and Private Internet Access. The group also uses web search to identify leading US business brands and then scans their websites for vulnerabilities to exploit. In some but not all cases, the exploit attempts were targeted and the group would also try to identify hosting and shared hosting services.  

Emennet was particularly interested in finding webpages running PHP code and identifying externally accessible MySQL databases, in particular phpMyAdmin. They also were keen on Wordpress, the most popular CMS on the web, as well as Drupal and Apache Tomcat.”When conducting research, Emennet attempted to identify default passwords for particular applications a target may be using, and tried to identify admin and/or login pages associated with those same targeted websites. It should be assumed Emennet may attempt common plaintext passwords for any login sites they identify,” the FBI warned. It said the group has attempted to leverage cyber intrusions conducted by other actors for their own benefit, for example searching for data hacked and leaked by other actors, and attempting to identify webshells that may have been placed or used by other cyber actors.  The group also uses a range of open-source penetration testing and research tools, including SQLmap, and it probably uses additional tools: DefenseCode Web Security Scanner, Wappalyzer, Dnsdumpster, Tiny mce scanner, Netsparker, Wordpress security scanner (wpscan), and, of course, Shodan.  More

EyeMed has agreed to $600,000 in penalties to settle the case of a 2020 data breach that exposed the information of roughly 2.1 million consumers. 

The agreement was announced this week. According to New York Attorney General Letitia James, the data breach exposed sensitive information, including names, mailing addresses, full or partial Social Security numbers, dates of birth, driving licenses, healthcare IDs, diagnoses and condition notes, and treatment information. Out of the 2.1 million individuals involved in the security incident, 98,632 New York state residents.  Based in Cincinnati, Ohio, EyeMed Vision Care is a network provider for independent optometrists, opticians, ophthalmologists, as well as eye doctors in retail settings. The organization caters to over 60 million users.  According to court documents (.PDF), on or around June 24, 2020, an unknown attacker used stolen credentials to access an enrollment email account used by EyeMed. Over the course of a week, the threat actor was able to view correspondence and access sensitive consumer data.  The cybercriminal was able to exfiltrate this data, in theory, but a cyberforensics firm hired to investigate the incident was unable to conclude whether or not they did steal consumer information.  In July, the attacker then used the email account to send roughly 2,000 phishing emails to clients. 

“The phishing messages purported to be a request for proposal to deceive recipients into providing credentials to the attacker,” the settlement document reads.  EyeMed was alerted to the intrusion once the scam messages were sent and booted the attacker from its system.  It took a further two months before impacted clients began to be notified of the data breach — and as this has been conducted on a rolling basis, customers were still being told up to January 2021. Clients have been offered credit monitoring services, fraud consultation, and identity theft restoration. Minors, too, were affected — and for this group, EyeMed has also offered Social Security Number trace.  The Office of the Attorney General launched its own investigation into the data breach and concluded that the original email account was not protected with multi-factor authentication (MFA).  “Additionally, EyeMed failed to adequately implement sufficient password management requirements for the enrollment email account given that it was accessible via a web browser and contained a large volume of sensitive personal information,” the office says. “The company also failed to maintain adequate logging of its email accounts, which made it difficult to investigate security incidents.” Under the terms of the agreement, EyeMed will pay the state of New York penalties totaling $600,000. In addition, the company must improve its cybersecurity posture maintain “reasonable” account management protocols, including the implementation of MFA in remote and administrative settings, and sensitive information collected from consumers must be encrypted.  If it is no longer necessary to store consumer information, the company is now under orders to permanently delete it.  A penetration testing program must also be implemented to identify any vulnerabilities or further security issues in the EyeMed network.  “New Yorkers should have every assurance that their personal health information will remain private and protected,” commented Attorney General James. “EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals. Let this agreement signal our continued commitment to holding companies accountable and ensuring that they are looking out for New Yorkers’ best interest.” ZDNet has reached out to EyeMed with additional queries, and we will update when we hear back.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Microsoft has raised an alarm about a new multi-phase phishing campaign that first enrolls an attacker’s BYOD device on a corporate network and then begins sending thousands of convincing phishing emails to further targets. The purpose of enrolling or registering a device on a target company’s network was to avoid detection during later phishing attacks, according to Microsoft.   

Microsoft says “most” organizations that had enabled multi-factor authentication (MFA) for Office 365 were not impacted by phishing emails spread by attacker-controlled registered devices, but those that had not enabled MFA were all affected. SEE: A winning strategy for cybersecurity (ZDNet special report)The attack exploited instances where MFA was not enforced during the process of registering a new device with a company’s instance of Microsoft’s identity service, Azure Active Directory (Azure AD); or when enrolling a BYOD device to a mobile device management (MDM) platform like Microosft’s Intune.”While multiple users within various organizations were compromised in the first wave, the attack did not progress past this stage for the majority of targets as they had MFA enabled. The attack’s propagation heavily relied on a lack of MFA protocols,” Microsoft said. “Enabling MFA for Office 365 applications or while registering new devices could have disrupted the second stage of the attack chain,” it added. 

The first wave of the attack targeted organizations in Australia, Singapore, Indonesia, and Thailand, according to Microsoft. “Hundreds” of credentials stolen in this phase were then used in the second phase where a device was registered or enrolled, allowing for broader penetration of the target. The first phase relied on a DocuSign-branded phishing email requesting the recipient review and sign the document. It used phishing domains registered under the .xyz top level domain (TLD). Each email’s phishing link was also uniquely generated and contained the target’s name in the URL. The phishing link directed victims to a spoofed Office 365 login page. The attackers used stolen credentials to set up a connection with Exchange Online PowerShell and used this to create inbox rules that deleted messages based on keywords in the subject or body of the email, including ‘junk’, ‘spam’, ‘phishing’, ‘hacked’, ‘password’, and ‘with you’. This was likely to to avoid detection.  In the second phase, the attackers installed Microsoft’s Outlook email client on to their own Windows 10 PC, which was then successfully connected to the victim’s Azure AD. All the attackers had to do was accept Outlook’s onboarding experience that prompts the user to register a device. In this case, the attackers were using credentials acquired in phase one. “An Azure AD MFA policy would have halted the attack chain at this stage,” Microsoft notes. Azure AD does have tools to mitigate these threats by time-stamping and logging new device registrations. But with compromised credentials and a registered Windows 10 device with Outlook, the attackers could then launch the second phase, which involved sending “lateral, internal, and outbound” phishing messages to over 8,500 other email accounts. These messages used a SharePoint invitation to view a “Payment.pdf” file.  “By using a device now recognized as part of the domain coupled with a mail client configured exactly like any regular user, the attacker gained the ability to send intra-organizational emails that were missing many of the typical suspect identifiers. By removing enough of these suspicious message elements, the attacker thereby significantly expanded the success of the phishing campaign.”      

ZDNet Recommends

Accounts where victims clicked the link in the second wave were similarly subjected to automated rules that deleted emails containing the same keywords used in the first wave.SEE: This mysterious malware could threaten millions of routers and IoT devicesMicrosoft offers directions to security teams that can revoke active sessions and tokens of compromised accounts, delete unwanted mailbox rules, and disable rogue devices registered with Azure AD.Notably, Microsoft says organizations can reduce their attack surface by disabling “basic authentication”, and in Exchange Online and by disabling Exchange Online Powershell for end users. Admins can also enable Microsoft’s new “conditional access control”. Microsoft in February announced that, due to the pandemic, it was delaying its plan to turn off basic authentication in Exchange Online for legacy email authentication protocols, such as Exchange Web Services (EWS), Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, MAPI, RPC, SMTP AUTH, and OAB. That move would eliminate instances where single factor authentication is used. Microsoft’s replacement for basic authentication, dubbed Modern Authentication, enables both conditional access and MFA.    Microsoft in September said it would “begin to permanently disable Basic Auth in all tenants, regardless of usage, with the exception of SMTP Auth”, from October 1, 2022.  More