More stories

    Hard to see how paying ransoms ever ends well: Telstra CEO

    Telstra and its CEO Andy Penn have a policy to never pay ransom, with the chief saying at the National Press Club (NPC) on Thursday that it never ends well. “I can certainly see in situations where businesses are tempted to do so. Their whole business livelihood could be at threat from a ransomware attack. But candidly, it’s hard to see how that is ever going to end well,” he told ZDNet. “If you pay a ransom, obviously you’re sending a signal to criminals that that’s something that you’d be willing to do.” Apart from inviting further attacks, Penn said there was no guarantee the other party was trustworthy and the best defence was having recent offline backups, good password management, and proper patching. “Prevention, frankly, is much better than trying to solve it after the event, but certainly our policy position would be not to pay ransoms.” Penn said during his speech that Telstra has helped 17 of its enterprise customers over the past year recover from ransomware attacks, and that a number of “very senior individuals who are customers of Telstra” were targeted by business email compromise (BEC) scams. “Once the attack starts, it is very persistent,” Penn said on the BEC attacks.

    On whether companies should be disclosing attacks, the CEO said a disinclination to disclose still existed, but he noted that some businesses have seen benefits from being transparent. “Companies that are transparent in dealing with it, recognising it, and communicating with their customers are actually building more trust with their customers,” he said. “Because one thing that I think we have to take into account is often what will happen is if an organisation is hacked, and data is stolen, the issue with that data, is that data is usually data that belongs to that company’s customers as opposed to necessarily itself — and it is those customers who are best able to understand the risks associated with that data being disclosed on the dark web, and so you need to communicate with those customers as quickly as possible.” Although currently preferring a carrot to a stick on the issue of whether company directors should be held legally responsible for cyber breaches, Penn said a line did exist. “Ultimately, in egregious situations, where the exposure to cyber risk is seriously potentially a threat to national security or it’s a threat to health or safety, or otherwise, and there has been complete sort of negligence towards ensuring that there are some basic cyber defences in place, then I think directors obviously have to be responsible,” he said. “As they are in other situations, whether it’s in health and safety, or in doing business responsibly and acting in a fair and non-misleading way.”

    Liberal MPs misunderstand how the free market operates for political gain

    Penn saved some of his most stinging criticism on Thursday for calls that the company should boost its spending in regional Australia following the sale of 49% of its tower business. At the time of the announcement in June, Telstra said it would be using AU$75 million from the sale to increase coverage in regional Australia and handing 50% of the net proceeds back to shareholders.

    Speaking to the NPC, Penn said the deal was a way of raising capital and generating returns for its shareholders, the majority of which are the nation’s superannuation funds. He then pointed to the company’s mobile coverage to rebut claims that the company was not spending money in regional areas. “Telstra invests more than anybody in regional and rural Australia — we’ve spent about AU$5 billion, literally, over the last three or four years. In fact, I announced a further AU$500 million in recent weeks investing in regional and rural Australia,” he said. “Those members of Parliament, I think, are confusing their own government policy and their own obligations — which tells you we’re a private enterprise, we’re there to work with and to help and support investment, and we are investing very significantly. We invested overwhelmingly in the mobile blackspots program, more than the rest of the industry put together. We were the only major operator to support the Regional Connectivity Program. “It is, unfortunately, a fact that not every part of Australia will receive mobile coverage.” Penn said that while the landmass of Australia is around 7.8 million square kilometres, and the company’s network reaches 2.5 million square kilometres, that was a million square kilometres more than second-placed Optus. “The bottom line is, we’re not going to be able to cover every square inch of Australia. That is a reality, and unfortunately those members of Parliament need to come to terms with that reality,” Penn said. “The other point I should say as well, is that in certain electorates, we actually have plans in place to put towers in, but unfortunately those members have not been able to actually get their own local councils to approve the planning permits to get the job done. “I have said this previously with a couple of these individuals, that they need to go and have a walk down the corridor of Parliament house and talk to their colleagues, not to Telstra.”

    In response, Penn was asked whether some Liberal members of Parliament did not understand how the free market worked. “Either that or they choose not to, because it’s politically helpful for them to say the comments that they say,” Penn replied.

    Fleets existence on Twitter was indeed fleeting

    After introducing Fleets in November, Twitter is set to bin the disappearing content idea on August 3. In a blog post, the company explained that Fleets was intended to encourage new people to contribute, but that did not happen. “Although we built Fleets to address some of the anxieties that hold people back from tweeting, Fleets are mostly used by people who are already Tweeting to amplify their own Tweets and talk directly with others,” the company said. “We’ll explore more ways to address what holds people back from participating on Twitter. And for the people who already are tweeting, we’re focused on making this better for you.” Responding to a Fleet was only possible via direct message. Twitter said it would test bringing elements from the Fleet composer into its standard tweet composer, such as the full-screen camera, text formatting options, and GIF stickers. Instead of seeing Fleets at the top of user timelines, Twitter said the space would be occupied by Spaces.

    “If we’re not evolving our approach and winding down features every once in a while — we’re not taking big enough chances,” the blog post said. “We’ll continue to build new ways to participate in conversations, listening to feedback and changing direction when there may be a better way to serve people using Twitter.” Earlier this week, the company said it had enabled users to change who could reply to a tweet after it was posted; previously, users had to select who could reply before posting.

    Japan and India lead world in throwing legal requests at Twitter

    Twitter on Wednesday released its latest transparency report for the half year to December 31, highlighting that it received over 38,500 legal demands to remove content from almost 132,000 accounts. Those demands had a 30% success rate. “Although there was a 9% decrease in the number of legal demands Twitter received, compared to the previous reporting period, these requests sought removal of content from the largest number of accounts ever in a single reporting period,” the company said. “Accounts of 199 verified journalists and news outlets from around the world were subject to 361 legal demands, a 26% increase in these requests since the previous reporting period.” Twitter said 94% of legal requests were from five countries: Japan, India, Russia, Turkey, and South Korea. Japan accounted for 30% of legal requests, almost 55,600, with India making over 12,400 demands. Japan’s strike rate against the 67,400 accounts it targeted was 31.6%, while India specified 48,300 accounts but was only successful 12.4% of the time. The number of legal requests from Japan was down 10% from its previous high for the first half of the 2020 calendar year. “The 16,649 requests from Japan were primarily related to laws regarding narcotics and psychotropics, obscenity, or money lending,” Twitter said.

    “The next highest volume of legal demands came from India, comprising 18% of global legal demands and representing a 152% increase from the previous reporting period. Notably, the number of accounts specified in requests from India also increased by 45% this reporting period.” India was the country with the highest number of legal demands against journalists and news outlets, while South Korea issued four legal demands over content on Vine alleging breaches of privacy and sexual misconduct. Twitter said it removed that content. The company listed multiple examples where it did not take action. “Twitter received multiple legal demands from Hong Kong police in relation to allegations of unlawful and obscene activities against members of law enforcement. No actions were taken as the content did not violate Twitter’s [terms of service],” it said. “Twitter received a legal demand from the Malaysian Communications and Multimedia Commission for alleged hate speech violations under Malaysia’s Penal Code. No action was taken as the account shared newsworthy content and remained compliant with Twitter’s parody, Newsfeed, commentary, and fan account policy.” The company added that it received legal demands from Sri Lanka and Saudi Arabia that it did not act on, and that it also did not act on two Thai court orders. Indonesia did slightly better on a wide-ranging demand. “Twitter received a legal demand for 60,472 accounts from Indonesia’s Ministry of Communication and Information Technology for violating their Electronic Information and Transaction Law, Number 11 Year 2008. More than 90% of the reported content was determined not to violate Twitter’s [terms of service].”

    Google details recent malware campaigns amid uptick in zero-day attacks

    Google has released new details about four zero-day security vulnerabilities that were exploited in the wild earlier this year. Discovered by Google’s Threat Analysis Group (TAG) and Project Zero researchers, the four zero-days were used as part of three targeted malware campaigns that exploited previously unknown flaws in Google Chrome, Internet Explorer, and WebKit, the browser engine used by Apple’s Safari.

    Google’s researchers also noted that 2021 has been a particularly active year for in-the-wild zero-day attacks. So far this year, 33 zero-day exploits used in attacks have been publicly disclosed — 11 more than the total number from 2020. Google attributes some of the uptick in zero-days to greater detection and disclosure efforts, but said the rise is also due to the proliferation of commercial vendors selling access to zero-day vulnerabilities as compared to the early 2010s. “0-day capabilities used to be only the tools of select nation states who had the technical expertise to find 0-day vulnerabilities, develop them into exploits, and then strategically operationalize their use,” Google said in a blog post. “In the mid-to-late 2010s, more private companies have joined the marketplace selling these 0-day capabilities. No longer do groups need to have the technical expertise, now they just need resources. Three of the four 0-days that TAG has discovered in 2021 fall into this category: developed by commercial providers and sold to and used by government-backed actors.” As for the zero-days discovered by Google, the exploits include CVE-2021-1879 in Safari, CVE-2021-21166 and CVE-2021-30551 in Chrome, and CVE-2021-33742 in Internet Explorer. With the Safari zero-day campaign, hackers used LinkedIn Messaging to target government officials from western European countries, sending malicious links that directed targets to attacker-controlled domains. If the target clicked on the link from an iOS device, the infected website would initiate the attack via the zero-day. “This exploit would turn off Same-Origin-Policy protections in order to collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook and Yahoo and send them via WebSocket to an attacker-controlled IP,” Google TAG researchers said. “The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated.”

    Google researchers said the attackers were likely part of a Russian government-backed actor abusing this zero-day to target iOS devices running older versions of iOS (12.4 through 13.7). Google’s security team reported the zero-day to Apple, which issued a patch on March 26 through an iOS update. The two Chrome vulnerabilities were renderer remote code execution zero-days and are believed to have been used by the same actor. Both of the zero-days were targeting the latest versions of Chrome on Windows and were delivered as one-time links sent via email to the targets. When a target clicked the link, they were sent to attacker-controlled domains and their device was fingerprinted for information that the attackers used to determine whether or not to deliver the exploit. Google said all of the targets were in Armenia. With the Internet Explorer vulnerability, Google said its researchers discovered a campaign targeting Armenian users with malicious Office documents that loaded web content within the browser. “Based on our analysis, we assess that the Chrome and Internet Explorer exploits described here were developed and sold by the same vendor providing surveillance capabilities to customers around the world,” Google said. Google also published root cause analyses for all four zero-days.

    SonicWall releases urgent notice about 'imminent' ransomware targeting firmware

    Networking device maker SonicWall sent out an urgent notice to its customers about “an imminent ransomware campaign using stolen credentials” that is targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life 8.x firmware. In addition to the notice posted to its website, SonicWall sent an email to anyone using SMA and SRA devices, urging some to disconnect their devices immediately. The company worked with Mandiant and other security companies on the issue, according to the release. “The exploitation targets a known vulnerability that has been patched in newer versions of firmware. SonicWall PSIRT strongly suggests that organizations still using 8.x firmware review the information below and take immediate action,” the company said, noting that this was for those with the SMA 100 and the older SRA series. SonicWall urged its users to update to the latest available SRA and SMA firmware, explaining that those who don’t deal with the vulnerabilities are “at imminent risk of a targeted ransomware attack.” Anyone using SRA 4600/1600 (EOL 2019), SRA 4200/1200 (EOL 2016) or SSL-VPN 200/2000/400 (EOL 2013/2014) should disconnect their appliances immediately and change all associated passwords. “Organizations using the following end-of-life SMA and/or SRA devices running firmware 8.x should either update their firmware or disconnect their appliances per guidance below. If your organization is using a legacy SRA appliance that is past end-of-life status and cannot update to 9.x firmware, continued use may result in ransomware exploitation,” SonicWall said. “The affected end-of-life devices with 8.x firmware are past temporary mitigations. Continued use of this firmware or end-of-life devices is an active security risk. To provide a transition path for customers with end-of-life devices that cannot upgrade to 9.x or 10.x firmware, we’re providing a complimentary virtual SMA 500v until October 31, 2021.”

    SonicWall added that customers “should also immediately reset all credentials associated with your SMA or SRA device, as well as any other devices or systems using the same credentials.” Two weeks ago, SonicWall announced a vulnerability in its Network Security Manager that was discovered by Positive Technologies, and in June it announced another in its VPN portal. SonicWall did not respond to questions about which ransomware groups were targeting the vulnerability, but earlier this year, researchers with NCC Group’s Incident Response team discovered a new variant of the FiveHands ransomware targeting SonicWall. Cybersecurity firm FireEye said more than 100 organizations were targeted and some may have been infected even though SonicWall patched the SMA 100 series remote access product vulnerability in February 2021. In a statement to ZDNet, SonicWall said, “Threat actors will take any opportunity to victimize organizations for malicious gain. This exploitation targets a long-known vulnerability that was patched in newer versions of firmware released in early 2021.” “SonicWall immediately and repeatedly contacted impacted organizations with mitigation steps and update guidance. Even though the footprint of impacted or unpatched devices is relatively small, SonicWall continues to strongly advise organizations to patch supported devices or decommission security appliances that are no longer supported, especially as it receives updated intelligence about emerging threats,” the statement said. “The continued use of unpatched firmware or end-of-life devices, regardless of vendor, is an active security risk.”

    Does cybercrime impact cryptocurrency prices? Researchers find out

    As the price of cryptocurrency increases so does the volume of illicit mining detected in the wild, researchers say. 

    Cryptocurrency has become a favored means for many threat actors to monetize cyberattacks. While the best-known criminal use of cryptocurrencies such as Bitcoin (BTC), Ethereum (ETH), and Monero (XMR) is the payment of ransomware demands, cryptocurrency mining is a more covert problem. Cryptocurrency mining malware, when deployed on PCs or unsecured servers, quietly siphons away computing resources to generate virtual currency, which is then sent to wallets controlled by its operators. Also known as cryptojacking, the most common forms of this malware in the wild, which may start out as legitimate programs before being twisted for criminal purposes, include Coinhive, Jsecoin, XMRig, and Cryptoloot. Cyberattackers will look for the best returns for their time, and in an examination of the topic published on Wednesday, researchers from Cisco Talos attempted to define the links between cryptojacking rates and cryptocurrency prices. Monero was chosen as the cryptocurrency of interest, and cryptomining activity for this coin was analyzed against its value between November 2018 and June 2021. “Monero is a favorite for illicit mining for a variety of reasons, but two key points are: It’s designed to run on standard, non-specialized, hardware, making it a prime candidate for installation on unsuspecting systems of users around the world, and it’s privacy-focused,” the researchers say.

    Talos notes that while the value of this cryptocurrency has fluctuated over the years, as many others have, its price increased from late 2020 until now, when it has experienced a pullback. The researchers then applied network-based cryptojacking detection tools, which monitored Monero in millions of events associated with cryptocurrency mining. According to the team, not only were they “floored” to see how much more common cryptojacking is since 2018, but also, outside of the price drop in early 2021, “the graph tracks almost identically to the value of the currency.”

    “This was honestly a pretty surprising correlation since it’s believed that malicious actors need a significant amount of time to set up their mining operations, so it’s unlikely they could flip a switch overnight and start mining as soon as values rise,” Talos says. “This may still be true for some portion of the threat actors deploying miners, but based on the actual data, there are many others chasing the money.” However, considering crackdowns on cryptocurrency mining and trading around the world, if the cryptojacking environment becomes more difficult or less lucrative, it is entirely possible that threat actors will turn their attention to the next big thing. “Detection for cryptomining can be spread into a variety of different places including blocking mining-related domains, to enforcing limitations on the end system preventing the mining from starting and lots of network-based detection, which this research is based on,” Talos says. “Regardless of the detection point, organizations should be working to prevent it.”

    US charges Greek national for selling insider trading subscriptions in the Dark Web

    US prosecutors have charged a Greek national for offering insider trading services to clients through the Dark Web.

    According to both the US Department of Justice (DoJ) and the Securities and Exchange Commission (SEC), Apostolos Trovias is facing criminal charges “in connection with his scheme to solicit and sell stock trading tips and pre-release earnings and deal information regarding public companies.” The charges were unsealed in Manhattan federal court last week. The 30-year-old, operating under the name “TheBull,” has allegedly run an insider trading business through the Dark Web and encrypted messaging services from at least 2016 through to early 2021. Trovias reportedly both obtained and monetized insider information, offering clients data including stock tips based on confidential trading records and pre-release earnings reports. While the alleged trader began his career on AlphaBay, once the underground marketplace was seized and closed down by law enforcement in 2017, he switched to selling information directly. Tips could be purchased on a pay-as-you-go or subscription basis, and Trovias secured approximately 100 clients willing to subscribe to the ‘service.’ According to the SEC, Trovias claimed that order-book data for sale was obtained from an employee of a securities trading firm. One pre-earnings report, for example, was allegedly sold for roughly $5,000 in the Bitcoin (BTC) cryptocurrency.

    In 2020, he also allegedly attempted to create a marketplace dedicated to the sale and exchange of insider information called the “Inside Information Auction Site.” Trovias is being charged with one count of securities fraud and another count of money laundering. The US takes allegations of insider trading seriously, and so the securities fraud count represents up to 25 years behind bars, whereas money laundering carries a penalty of up to 20 years. Separately, the SEC has charged the alleged trader with violating antifraud legislation in federal securities laws, and the agency is seeking injunctions, disgorgement, and penalties. “Behind the veil of the Dark Web, using encrypted messaging applications and emails, Trovias created a business model in which he sold — for profit — proprietary information from other companies, stock trading tips, pre-release earnings, and other inside information, as we allege,” commented FBI Assistant Director William Sweeney Jr. “The FBI operates within the Dark Web too, and as Trovias learned today, we don’t stop enforcing the law just because you commit federal crimes from behind a router with your keyboard.”

    Thousands of PS4s seized in Ukraine in illegal cryptocurrency mining sting

    Thousands of PlayStation 4 gaming consoles have been seized after their discovery in an old warehouse, used to illicitly mine for cryptocurrency.

    Ukraine’s Security Service said last week that in the city of Vinnytsia, located along the Southern Bug river, there was an abandoned warehouse in its industrial area that once belonged to an electricity company, JSC Vinnytsiaoblenergo. Upon entry, law enforcement found what it has called the country’s “largest underground cryptocurrency farm.” In total, roughly 3,800 gaming consoles were rigged together and stored on metal racks, and over 500 graphics cards and 50 processors were also found. The hardware was allegedly used to facilitate cryptocurrency mining, while those apparently responsible stole the electricity required from the city. Current estimates suggest that the electricity stolen amounts to between $186,200 and $259,300 per month. Raids took place at the cryptocurrency farm, and Ukrainian police also say that searches took place at the “offender’s residences,” where draft notes on electricity usage, notebooks, handsets, and USB storage devices were also seized.

    In a statement (translated), JSC Vinnytsiaoblenergo said that “our company has nothing to do with any illegal activity,” and “cryptocurrency mining equipment has never operated in the premises owned by our company.” The utility company also added that there was no evidence of the theft of electricity. The investigation was conducted by Ukrainian law enforcement agencies under the supervision of the Prosecutor General’s Office. In a separate but notable cryptocurrency farm plot, back in 2019, Chinese law enforcement uncovered cables hidden in fish ponds that were used to connect to an oil rig’s electrical grid. Active Bitcoin (BTC) rigs were found hidden in a shed after drones were deployed to track down the perpetrator.

    Firefox 90 lands with just-in-time support for unblocking Facebook when users log in

    Firefox 90 appeared from Mozilla this week, and one of the new features that arrived was better support for logging in using Facebook credentials when the browser is in strict tracker blocking mode or a private window. SmartBlock first appeared in Firefox 87, released in March, and it provided local stand-ins for blocked third-party tracking scripts. “These stand-in scripts behave just enough like the original ones to make sure that the website works properly. They allow broken sites relying on the original scripts to load with their functionality intact,” Mozilla said at the time. One area where SmartBlock failed, though, was supporting Facebook login buttons across the web. In a blog post, Mozilla explained that this was because Facebook trackers were included on the list of trackers provided by its partner, but the updated SmartBlock 2.0 should fix this. “Prior to Firefox 90, if you were using a private browsing window, when you clicked on the ‘Continue with Facebook’ button to sign in, the ‘sign in’ would fail to proceed because the third-party Facebook script required had been blocked by Firefox,” the blog states. “Now, SmartBlock 2.0 in Firefox 90 eliminates this login problem. Initially, Facebook scripts are all blocked, just as before, ensuring your privacy is preserved. But when you click on the ‘Continue with Facebook’ button to sign in, SmartBlock reacts by quickly unblocking the Facebook login script just in time for the sign-in to proceed smoothly.” Mozilla said the new functionality worked on “numerous websites”, and Firefox would continue blocking Facebook trackers on all sites where a user has not logged in.

    Users on Windows will now have Firefox updated in the background, with Firefox 90 checking every 7 hours for a new version. To enable background updating, users need to allow updates to be installed automatically and tick a “When Firefox is not running” checkbox. The feature only works when the browser has been installed from its installer, rather than decompressed from a zip file, and does not have a language pack installed. Although Mozilla said it would gradually roll out the feature, an app.update.background.scheduling.enabled flag exists for users to turn it on now. Firefox on Windows will also gain an about:third-party page that lists modules, such as anti-virus, that have been injected into the browser and could cause issues. Firefox 90 will also support Fetch Metadata Request Headers to allow web apps to defend against some cross-site attacks. “The HTTP request header Sec-Fetch-Site allows the web application server to distinguish between a same-origin request from the corresponding web application and a cross-origin request from an attacker-controlled website,” Mozilla said. “Inspecting Sec-Fetch-* Headers ultimately allows the web application server to reject or also ignore malicious requests because of the additional context provided by the Sec-Fetch-* header family. In total there are four different Sec-Fetch-* headers: Dest, Mode, Site, and User which together allow web applications to protect themselves and their end users against [cross-site attacks].” The latest edition of Firefox finally marks the end of support for FTP in the browser, and most users who do not have hardware-accelerated WebRender will use software WebRender instead.
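    The server-side check Mozilla describes, as an added example that is not Mozilla's or Firefox's own code: a "resource isolation" policy in plain Node.js that inspects the Sec-Fetch-Site, Sec-Fetch-Mode and Sec-Fetch-Dest request headers and rejects cross-site requests other than simple top-level navigations. The header names and values are the real Fetch Metadata ones; the sample requests and the route wiring are constructed for the example.

```javascript
// Added example (not from Firefox 90 or Mozilla's post): a server-side resource
// isolation policy built on the Sec-Fetch-* request headers. Requests from browsers
// that send no Fetch Metadata at all are allowed, so legacy clients keep working.

// Returns true if the request should be served, false if it should be rejected.
// `headers` is a plain object with lowercased names, as Node's http module gives it.
function isAllowedByFetchMetadata(method, headers) {
  const site = headers["sec-fetch-site"];

  // Browsers without Fetch Metadata support send no Sec-Fetch-Site header at all;
  // the policy only applies when the browser actually tells us the request context.
  if (site === undefined) return true;

  // Same-origin and same-site requests, and requests the browser started itself
  // (address bar, bookmark: "none"), are the traffic the application expects.
  if (site === "same-origin" || site === "same-site" || site === "none") return true;

  // Cross-site requests are allowed only as simple top-level navigations, such as
  // following a link. Cross-site fetch/XHR, cross-site form POSTs and embedding via
  // <object>/<embed> are exactly what CSRF, XSSI and clickjacking-style attacks need.
  const mode = headers["sec-fetch-mode"];
  const dest = headers["sec-fetch-dest"];
  const safeMethod = method === "GET" || method === "HEAD";
  return mode === "navigate" && safeMethod && dest !== "object" && dest !== "embed";
}

// Gate for a Node http.createServer handler: reject before any route logic runs.
// Returns true when the request was passed on to `next`, false when it was rejected.
function fetchMetadataGate(req, res, next) {
  if (!isAllowedByFetchMetadata(req.method, req.headers)) {
    res.writeHead(403, { "Content-Type": "text/plain" });
    res.end("Rejected by resource isolation policy\n");
    return false;
  }
  next(req, res);
  return true;
}

// Constructed sample requests (not captured traffic) covering the cases above.
const SAMPLE_REQUESTS = {
  legacyBrowser: { method: "POST", headers: {} },
  sameOriginXhr: { method: "POST", headers: {
    "sec-fetch-site": "same-origin", "sec-fetch-mode": "cors", "sec-fetch-dest": "empty" } },
  crossSiteLinkClick: { method: "GET", headers: {
    "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate",
    "sec-fetch-dest": "document", "sec-fetch-user": "?1" } },
  crossSiteFormPost: { method: "POST", headers: {
    "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" } },
  crossSiteFetch: { method: "GET", headers: {
    "sec-fetch-site": "cross-site", "sec-fetch-mode": "cors", "sec-fetch-dest": "empty" } },
  crossSiteEmbed: { method: "GET", headers: {
    "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "embed" } },
};

// Evaluate every sample request and return a name -> allowed map.
function evaluateSamples() {
  const result = {};
  for (const [name, r] of Object.entries(SAMPLE_REQUESTS)) {
    result[name] = isAllowedByFetchMetadata(r.method, r.headers);
  }
  return result;
}
```

The policy complements, rather than replaces, CSRF tokens and SameSite cookies, since a client that omits the headers is let through.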