More stories

  • This old malware has just picked up some nasty new tricks

    Qakbot, a top trojan for stealing bank credentials, has in the past year started delivering ransomware, and this new business model is making it harder for network defenders to detect what is and isn’t a Qakbot attack. Qakbot is an especially versatile piece of malware: it has been around for over a decade and has survived despite multi-year efforts by Microsoft and other security firms to stamp it out. In 2017 Qakbot adopted WannaCry’s lateral movement techniques, such as infecting all network shares and drives, brute-forcing Active Directory accounts and using the SMB file-sharing protocol to create copies of itself.


    Kaspersky’s recent analysis of Qakbot concluded that it won’t disappear anytime soon. Its detection statistics for Qakbot indicated it had infected 65% more PCs between January and July 2021 compared to the same period in the previous year. So it is a growing threat. Microsoft highlights that Qakbot is modular, allowing it to appear as separate attacks on each device on a network, making it difficult for defenders and security tools to detect, prevent and remove. It’s also difficult for defenders to detect because Qakbot is used to distribute multiple variants of ransomware. “Due to Qakbot’s high likelihood of transitioning to human-operated attack behaviors including data exfiltration, lateral movement, and ransomware by multiple actors, the detections seen after infection can vary widely,” the Microsoft 365 Defender Threat Intelligence Team says in its report. Given these difficulties pinpointing a common Qakbot campaign, the Microsoft team has profiled the malware’s techniques and behaviors to help security analysts root out this versatile malware.

    The primary delivery mechanism is emailed attachments, links, or embedded images. However, it’s also known to use Visual Basic for Applications (VBA) macros as well as legacy Excel 4.0 macros to infect machines. Trend Micro analyzed a large Qakbot campaign in July that used this technique. Other groups like Trickbot recently started using Excel 4.0 macros to call Win32 APIs and run shell commands. As a result, Microsoft disabled these macro types by default, but Qakbot uses text in an Excel document to trick targets into manually enabling the macro.

    Qakbot employs process injection to hide malicious processes, creates scheduled tasks to persist on a machine, and manipulates the Windows registry. Once running on an infected device, it uses multiple techniques for lateral movement, employs the Cobalt Strike penetration-testing framework, or deploys ransomware. The FBI last year warned that Qakbot trojans were delivering ProLock, a “human-operated ransomware” variant. It was a worrying development because computers infected with Qakbot on a network must be isolated, as they are a bridge for a ransomware attack. Microsoft notes that MSRA.exe and Mobsync.exe have been used by Qakbot for this process injection in order to run several network ‘discovery’ commands and then steal Windows credentials and browser data. Qakbot’s Cobalt Strike module lends itself to other criminal gangs, who can drop their own payloads, such as ransomware. Per Trend Micro, Qakbot has delivered MegaCortex and PwndLocker (2019), Egregor and ProLock (2020), and Sodinokibi/REvil (2021). “Qakbot has a Cobalt Strike module, and actors who purchase access to machines with prior Qakbot infections may also drop their own Cobalt Strike beacons and additional payloads,” Microsoft notes.

    “Using Cobalt Strike lets attackers have full hands-on-keyboard access to the affected devices, enabling them to perform additional discovery, find high-value targets on the network, move laterally, and drop additional payloads, especially human-operated ransomware variants such as Conti and Egregor.”

    Microsoft’s recommended mitigations to minimize Qakbot’s impact include enabling Office 365 phishing protection, enabling SmartScreen and network protection in the Edge browser, and ensuring runtime macro scanning by turning the Windows Antimalware Scan Interface (AMSI) on. AMSI is supported by Microsoft Defender Antivirus and several third-party antivirus vendors. AMSI support for Excel 4.0 macros arrived in March, so it’s still a relatively new feature.

  • Singapore-UK digital economy pact to focus on cybersecurity, trade

    Singapore and the UK have wrapped up negotiations on a digital economy agreement that focuses on digital trade, data flows, and cybersecurity. Under the pact, both nations will look to establish, amongst others, interoperable systems for digital payments, secured data flows, and digital identities, as well as collaborate on cybersecurity. When formally inked, the digital economy agreement would be Singapore’s third following two others it signed with Chile and New Zealand as well as Australia. The UK agreement included “binding disciplines” of the digital economy such as data, and cooperation in emerging areas including artificial intelligence, fintech, digital identities, and legal technology. 

    Common digital systems, for instance, would be put in place to facilitate e-payments, e-invoicing, and other electronic documents such as bills of lading. The goal here was to drive faster and cheaper transactions, reducing costs for businesses in both markets. The two countries also would look to enable trusted data flows and data protection for various functions, including financial services. In addition, a “trusted and secure digital environment” would be critical to drive and safeguard participation for both businesses and consumers. For example, private cryptography keys and embedded algorithms would help secure an organisation’s source code, while consumers should be protected against fraudulent and deceptive online behaviour. For a start, government agencies from both sides last week signed three Memoranda of Understanding (MOUs) in digital trade, digital identities, and cybersecurity. Collectively, these aimed to facilitate cross-border services between Singapore and the UK, where bilateral services trade was tipped at SG$22 billion ($16.02 billion) in 2019.

    Some 70% of the UK’s cross-border services exports to Singapore in 2019 also were digitally processed, totalling £3.2 billion ($4.23 billion). The UK is Singapore’s largest services trading partner in Europe and the Asian economy’s second-largest European investor and European investment destination, with more than SG$100 billion ($72.81 billion) of UK investment stock in Singapore. Under the digital trade MOU, a scheme would be piloted to simulate the transfer of electronic bills of lading, with the aim of easing cross-border trade transactions. Digitalising this process helped cut cost and transaction time as well as reduce fraud. The MOU on digital identities looked to develop mutual recognition and interoperability between both countries’ digital identity regimes. The goal here was to establish more reliable identity verification and more quickly process applications. In cybersecurity, the two nations hoped to build on a shared goal of “addressing international challenges” and promoting bilateral collaboration to bolster cybersecurity, including in Internet of Things (IoT), capacity building, and cyber resilience. Singapore’s Minister-in-charge of Trade Relations S. Iswaran said: “Singapore’s digital economy agreements build on and enhance the economic connectivity established through our extensive network of free trade agreements. Reflecting our shared ambition, the UK-Singapore Digital Economy Agreement builds upon and, in some areas, goes further than our existing agreements. It will set a global benchmark for high-standard digital trade rules and benefit people and businesses in our two countries.” Negotiations for the Singapore-UK digital trade agreement kicked off in June 2021.

  • Social media platforms being regulated as telcos under discussion in Australia

    A parliamentary joint committee is currently considering whether social media platforms should be regulated as carriage service providers given the amount of communications and content sent through them. Various experts have submitted to the committee that social media platforms like Facebook are of such a significant scale and are so uniquely pertinent to the problem of online child exploitation that they should be subject to additional scrutiny, such as being regulated as carriage service providers. The considerations are part of the Parliamentary Joint Committee on Law Enforcement’s inquiry into Australia’s law enforcement capabilities in relation to child exploitation. During a joint parliamentary hearing on Friday, Meta told the committee that it believes Australia’s framework for law enforcement working with social media platforms to detect child abuse material is already sufficient, and that the additional classification could be redundant. “We’ve set up a dedicated portal, we have a dedicated team to liaise with law enforcement, and then we can disclose what we call basic subscriber information data quite quickly through that process. We obviously have emergency channels if there’s any threat to life; either we proactively disclose or law enforcement can ask us for assistance through those emergency processes,” said Mia Garlick, Meta Australia New Zealand Pacific Islands public policy director.

    “So I guess from where [Meta] sits in terms of our engagement with law enforcement, we feel that there is already sort of a good way to get there and so it might not be necessary to sort of tinker with definitions in the Telecommunications Act when we’ve got the ability to work constructively through the existing frameworks.” While the eSafety commissioner said last month that social media platforms have primarily done a good job of removing abhorrent violent material, it noted in its submission to the committee that the approach to detecting and removing child abuse material is different, partly because this type of content is primarily distributed through private communication channels.

    The government agency also said that as more social media platforms move towards encrypted communications, this dynamic could effectively create “digital hiding places”. It shared its worry that platforms may also claim they are absolved of responsibility for safety because they cannot act on what they cannot see. eSafety online content manager Alex Ash told the committee yesterday afternoon that a drift towards encrypted communications by major social media platforms would make investigations into serious online child sexual abuse and exploitation more difficult. He did note, however, that in instances where eSafety was able to detect such material on social media platforms, platforms have been cooperative and quick to respond to these flagged materials. To address these concerns regarding the growing shift toward encrypted communications, the committee on Friday sought consultation on the merits of communications to and from minors aged 13-18 being exempt from encryption from a technical standpoint, as well as whether such a framework was technically possible. Meta’s Safety head Antigone Davis said while it may be possible to create a partial encryption system, she believes it would come at the cost of undermining encryption for other individuals engaging on the platform. As a counterpoint, Davis said her company believes it would be possible to build protections into an encrypted service through mechanisms such as enabling the blurring of images, preventing people from being able to contact minors, making it easier for users to report child abuse material, and using non-encrypted information to catch people who proliferate child abuse material. “While they may obfuscate some of what they’re doing, what we do find is that they do leave trails, they do leave what you might think of as prompts. 
    So for example, you may see people have this kind of interest, provoked sexualised comments under minors, or you may see what will look like an innocuous bringing together of lots of photos of minors that appear innocuous … so there are opportunities to actually use those breadcrumbs,” Davis said. Communications Alliance program management director Christiane Gillespie-Jones, who also appeared before the committee, provided a slightly different picture of how encrypted communications could affect law enforcement’s ability to detect child abuse material. While Gillespie-Jones agreed with Meta’s sentiment that encrypted communications were important for user privacy, after being questioned about its impact on detecting child abuse material, she acknowledged the possibility that encrypted communications could make certain child abuse material no longer discoverable. As for how much more difficult encrypted communications would make detecting such material, Gillespie-Jones said this was currently unquantifiable.

  • South Australian government employee data taken in Frontier Software ransomware attack

    South Australia Treasurer Rob Lucas said on Friday that state government employee data has been exfiltrated as part of a ransomware attack on payroll provider Frontier Software. Lucas said the company has informed the government that some of the data have been published online, with at least 38,000 employees and up to 80,000 government employees possibly having their data accessed. The data contained information on names, date of birth, tax file number, home address, bank account details, employment start date, payroll period, remuneration, and other payroll-related information. “We can confirm that no Department for Education employees are affected,” Lucas said in a statement. “The government’s priority is the safety and security of every employee affected by this incident, and we are doing all we can to provide assistance to impacted employees.” Frontier Software has been handling payroll for South Australia since 2001. On its site, the government states it “undertakes regular independent security tests and reviews” of Frontier Software.

    Last month, Frontier Software was attacked on November 13 and alerted its customers to what it labelled a “cyber incident” on November 16. It said its systems were restored on November 17. “To date, our investigations show no evidence of any customer data being exfiltrated or stolen. Whilst the incident resulted in some of Frontier Software’s Australian corporate systems being encrypted, Australian customer HR & Payroll data and systems are segmented from the corporate systems and were not compromised,” it said on November 17. On Thursday, the company sang a different tune. “The ongoing forensic investigation and other response activities conducted by Frontier Software and CyberCX has now confirmed evidence of some data exfiltration from Frontier Software’s internal Australian corporate environment,” it said. “We have not identified evidence of compromise or exfiltration outside this segmented environment. We have further identified that some of the data exfiltrated from our internal corporate environment relates to a small number of Frontier Software customers. We are now in the process of directly notifying these customers that they may be affected.” During November, the ABC reported that Federal Group, the owners of Hobart’s Wrest Point casino, had to make advance payments of AU$250 to staff due to the attack on Frontier Software.

  • DOJ gives Russian national two-year sentence for work shielding Kelihos malware and other ransomware

    The Department of Justice sentenced 41-year-old Oleg Koshkin to two years in prison for his work in helping to “conceal” the Kelihos malware and other ransomware from antivirus software. He was facing up to 15 years in prison. According to the DOJ, Koshkin ran Crypt4U.com, Crypt4U.net, fud.bz and fud.re, websites that helped hackers evade “nearly every major provider of antivirus software.” The tools allegedly enabled malware like Kelihos and others to be undetectable. Koshkin was arrested in California in September 2019 and transported to Connecticut for his trial before being convicted in June on one count of conspiracy to commit computer fraud and abuse and one count of computer fraud and abuse. He was arrested in conjunction with Peter Levashov, the operator of the Kelihos botnet, who lived in Estonia. Levashov was detained in Barcelona before being extradited to the US and pleading guilty to a federal charge. His sentencing is next year. Acting US Attorney Leonard Boyle said Koshkin’s websites “provided a vital service to cyber criminals, allowing them to hide their malware from antivirus programs and use it to infect thousands of computers all over the world.” Assistant Attorney General Kenneth Polite Jr. said he “provided a critical service used by cybercriminals to evade one of the first lines of cybersecurity defense, antivirus software.” “Cybercriminals depend on services like these to infect computers around the world with malware, including ransomware,” Polite Jr. said. The DOJ said Koshkin and others marketed their websites by claiming they could be used for malware such as botnets, remote access trojans, keyloggers, credential stealers, and cryptocurrency miners.

    “The criminal nature of the Crypt4U service was a clear threat to the confidentiality, integrity, and availability of computer systems everywhere,” FBI agent David Sundberg said in June. Koshkin helped Levashov crypt the Kelihos malware multiple times each day through a system the two created, which allowed Levashov to distribute the malware through multiple criminal affiliates. “The Kelihos botnet was used by Levashov to send spam, harvest account credentials, conduct denial of service attacks, and to distribute ransomware and other malicious software,” the DOJ said. “According to evidence presented at Koshkin’s sentencing, Kelihos relied on the crypting services provided by Crypt4U from 2014 until Levashov’s arrest in April 2017; and just in the last four months of that conspiracy, Kelihos infected approximately 200,000 computers around the world.” The DOJ said in its lawsuit that Levashov paid Koshkin $3,000 per month for his services. At its peak, the Kelihos botnet was able to infect at least 50,000 PCs and survived multiple attempts by law enforcement to disrupt it. In 2017, the FBI, security company CrowdStrike and the Department of Justice started blocking domains associated with the Kelihos botnet, one of the most prolific networks of hacker-controlled computer systems in the world. The network of infected Windows machines was known to send spam emails, distribute ransomware and malware, harvest usernames and passwords and engage in Bitcoin theft and spamming. Levashov is reported to have operated multiple botnets since the 1990s, including Kelihos, Storm, and Waledac.

  • CISA releases advisory on five Apache HTTP server vulnerabilities affecting Cisco products

    CISA has released a second advisory about several Apache HTTP server vulnerabilities. Cisco sent out a notice about the vulnerabilities in November, explaining that the Apache Software Foundation disclosed five vulnerabilities affecting the Apache HTTP Server (httpd) 2.4.48 and earlier releases on September 16. The IDs are CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275 and CVE-2021-40438. Cisco noted that one of the vulnerabilities, in the mod_proxy module of Apache HTTP Server (httpd), could allow an unauthenticated, remote attacker to make the httpd server forward requests to an arbitrary server. An attacker could exploit this vulnerability by sending a crafted HTTP request to a vulnerable device, and a successful exploit could allow the attacker to get, modify, or delete resources on other services that may otherwise be inaccessible. Cisco said that in November its Product Security Incident Response Team “became aware of exploitation attempts of the vulnerability identified by CVE-2021-40438.” Cisco said the products affected by the vulnerabilities include Cisco Cloud Services Platform 2100, Cisco Wide Area Application Services (WAAS), Cisco Wireless Gateway for LoRaWAN, Cisco TelePresence Video Communication Server (VCS), Cisco Expressway Series, Cisco UCS Manager, Cisco Network Assurance Engine, Cisco UCS Director Bare Metal Agent, Cisco UCS Central Software, Cisco Security Manager, Cisco Prime Optical for Service Providers, Cisco Prime Infrastructure, Cisco Prime Collaboration Provisioning, Cisco FXOS Software for Firepower 4100/9300 Series Appliances, Cisco Policy Suite and the Cisco Firepower Management Center. The company added that it is investigating the following products: Cisco DNA Center, Cisco Unified Communications Domain Manager, Cisco Unified Communications Manager IM & Presence Service (formerly CUPS) and Cisco Smart Net Total Care – On-Premises.

    Some of the fixes are available now, but others will be released in February, March, May and June of 2022. Administrators can find product-specific workarounds in the Cisco notice. Casey Ellis, CTO at Bugcrowd, said the vulnerabilities are critical in their impact and appear to be fairly easy to exploit. Netenrich principal threat hunter John Bambenek told ZDNet that what stood out to him about the advisory is that the vulnerabilities were first known in August and an update to Apache was released in September. “Only now has Cisco issued their own advisory and begun the process to remediate the issue in their devices. Open source software makes up key components in many commercial offerings, however, patch and vulnerability management still pose problems, even for large enterprises,” Bambenek said. “Devices with large control over environments the way Cisco devices do really ought to have come with more responsible scrutiny over updates to key components to their products.”

  • Fujitsu to discontinue ProjectWEB tool after Japanese govt data breaches

    In a statement released on Thursday, Japanese tech giant Fujitsu attributed a Japanese government data breach earlier this year to its ProjectWEB tool. In May, multiple government agencies — including the Ministry of Land, Infrastructure, Transport, and Tourism; the Cabinet Secretariat; and Narita Airport — were hacked through the software-as-a-service platform. 


    A Fujitsu spokesperson at the time confirmed to ZDNet’s Campbell Kwan that there was “unauthorized access to ProjectWEB, a collaboration and project management software, used for Japanese-based projects.” The company suspended use of the tool and informed all impacted customers. After an investigation, Fujitsu said on Thursday that it appointed a CISO in October and put in place “measures to prevent reoccurrence… under a new information security management and operation framework.” Fujitsu added that the cause of the incident is still being verified by a committee of internal experts as well as Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC), which will sign off on releasing any more information about the incident. Fujitsu plans to “introduce a new project information sharing tool that addresses the issues raised by this incident with robust information security measures, including those in line with zero-trust practices, and will be migrating project management tasks to the new tool.” Japanese news outlets said more than 75,000 emails from the Ministry of Land, Infrastructure, Transport, and Tourism were leaked in the attack in May. Information on business partners, employees, and the inner workings of government cybersecurity services, as well as Narita Airport, was also stolen during the attack.

    Today’s news was first reported by Bleeping Computer.

  • Malware distribution in public repositories highlighted by malicious npm packages stealing Discord tokens

    DevOps security firm JFrog discovered 17 new malicious packages in the npm (Node.js package manager) repository that intentionally seek to attack and steal a user’s Discord tokens. Shachar Menashe, senior director of JFrog security research, and Andrey Polkovnychenko said the packages intentionally seek to hijack a user’s Discord token, effectively giving the attacker full control over the user’s account. “This type of attack has severe implications if executed well and in this case public hack tools made such an attack easy enough for even a novice hacker to perform,” Menashe said. “We recommend organizations take precaution and manage their use of npm for software curation, to reduce the risk of introducing malicious code into their applications.” The two explained that the packages’ payloads are varied, ranging from infostealers to full remote access backdoors. They added that the packages have different infection tactics, including typosquatting, dependency confusion and trojan functionality. The packages have been removed from the npm repository, and the JFrog security research team said they were taken down “before they could rack up a large number of downloads.” JFrog noted that there has been an increase in malware aimed at stealing Discord tokens because the platform now has more than 350 million registered users and can be used for anonymous command & control (C2) servers and for social engineering purposes. “Due to the popularity of this attack payload, there are quite a lot of Discord token grabbers posted with build instructions on GitHub. An attacker can take one of these templates and develop custom malware without extensive programming skills – meaning any novice hacker can do this with ease in a matter of minutes,” the researchers explained.

    “As mentioned, this can be used in tandem with a variety of online obfuscation tools to avoid basic detection techniques. It’s important to note these payloads are less likely to be caught by antivirus solutions, versus a full-on RAT backdoor, since a Discord stealer does not modify any files, does not register itself anywhere (to be executed on next boot, for example) and does not perform suspicious operations such as spawning child processes.” Their report on the situation notes that JFrog has found a “barrage of malicious software hosted and delivered through open-source software repositories,” adding that public repositories like PyPI and npm have become a handy instrument for malware distribution. “The repository’s server is a trusted resource, and communication with it does not raise the suspicion of any antivirus or firewall. In addition, the ease of installation via automation tools such as the npm client, provides a ripe attack vector,” the researchers said. The Record explained that npm does not manually review package uploads, giving cybercriminals free rein to upload whatever they want. John Bambenek, principal threat hunter at Netenrich, said cybersecurity experts have for some time seen attempts to insert malicious code into, or set up malicious libraries in, PyPI and npm. “Automation is the next logical step for the attackers to increase the number of victims they have control of,” Bambenek said. “The malicious code usually is not in place for very long, but if you do it at scale, odds are you are collecting victims at a rapid pace.”