More stories

  • Ransomware experts question massive Pysa/Mespinoza victim dump

    The Pysa ransomware group dumped dozens of victims onto their leak site this week right after US law enforcement officials announced a range of actions taken against ransomware groups. 

    More than 50 companies, universities, and organizations had their names added to the ransomware group’s leak site. The group, which also goes by the name Mespinoza, was called out by the FBI in March for specifically targeting “higher education, K-12 schools, and seminaries.” The FBI said at least 12 educational institutions across the US and UK had been hit with the ransomware. The French National Agency for the Security of Information Systems issued a similar alert one year earlier.

    Multiple ransomware experts questioned the timing of the leak, noting that Pysa has a penchant for waiting to add victims to their leak site. Recorded Future ransomware expert Allan Liska told ZDNet he did not think all of the victims published to the site were new.

    “We have seen them take six months, and even longer, from when a victim is first hit to when [stolen data] is published,” Liska said. “This could be all the victims they have been stalling on publishing data, but it would represent more victims than we have seen from them the rest of the year. It is a lot of different organizations, from around the world, with no theme.”

    Emsisoft threat analyst Brett Callow told ZDNet that Pysa names and shames its victims weeks, or sometimes months, after the attacks take place, differentiating it from other ransomware groups.

    The reason they waited this long to leak victim information is still unclear, he said, adding that it was curious they dumped this many names all at once.

    [Image: a sample from the leak site. Credit: Brett Callow]
    The dump came as law enforcement in the US, Europe, and other regions took forceful measures against a number of ransomware groups. US officials from the Justice Department, Treasury, and FBI announced a slate of actions taken against some of the members of the REvil ransomware group, as well as sanctions against organizations helping ransomware groups launder illicit funds.

    US agencies have been working with Europol, Eurojust, Interpol, and other law enforcement organizations on “Operation GoldDust” to disrupt multiple ransomware groups over the past six months. Seventeen countries have been involved in the effort, and dozens of people have been arrested across Europe in connection with ransomware groups.

    This all followed an operation to take down REvil’s infrastructure that led to the group closing shop for the second time. Both Callow and Liska said the timing of Pysa’s dump was curious considering the actions being taken by law enforcement.

    “You can’t help but wonder whether their doing so now is in response to the news in relation to REvil — either a middle finger to law enforcement or, perhaps, an expression of confidence in case any of their affiliates are starting to get cold feet,” Callow told ZDNet. Liska echoed that it felt like Pysa was “giving the finger” to law enforcement after a bad day for ransomware groups.

    The FBI said in its March notice that Pysa, which was first seen in 2019, is known for exfiltrating data from victims before encrypting their systems “to use as leverage in eliciting ransom payments.” They noted that in addition to attacks on educational institutions, Pysa has also gone after foreign government entities, private companies, and the healthcare sector.

    “In previous incidents, cyber actors exfiltrated employment records that contained personally identifiable information (PII), payroll tax information, and other data that could be used to extort victims to pay a ransom,” the FBI said in the notice. “The cyber actors have uploaded stolen data to MEGA.NZ, a cloud storage and file sharing service, by uploading the data through the MEGA website or by installing the MEGA client application directly on a victim’s computer. However, in the past, actors have used other methods of exfiltrating data that leaves less evidence of what was stolen.”

    Emsisoft released a profile of the ransomware group in July, noting that they operate with the ransomware-as-a-service business model and routinely dump stolen data “even after the victim company has paid the ransom.” They warned victims about cooperating with the group, explaining that Emsisoft’s decryption tool “can safely decrypt data encrypted by Mespinoza, provided the victim has obtained the decryption keys.”

    “Since Mespinoza was first discovered, there have been 531 submissions to ID Ransomware, an online tool that helps the victims of ransomware identify which ransomware has encrypted their files,” Emsisoft researchers wrote in July. “We estimate that only 25 percent of victims make a submission to ID Ransomware, which means there may have been a total of 2,124 Mespinoza incidents since the ransomware’s inception. During this time, the group has also published on its leak site the stolen data of at least 104 organizations.”

  • Costco customers complain of fraudulent charges before company confirms card skimming attack

    Costco has sent out breach notification letters to an unknown number of victims after multiple people took to social media to complain about fraudulent charges connected to the company.


    First reported by Bleeping Computer, the letter says payment card information was compromised through a card skimming device at certain Costco locations.

    “We recently discovered a payment card skimming device at a Costco warehouse you recently visited. Our member records indicate that you swiped your payment card to make a purchase at the affected terminal during the time the device may have been operating,” Costco said in the letter. “If unauthorized parties were able to remove information from the device before it was discovered, they may have acquired the magnetic stripe of your payment card, including your name, card number, card expiration date and CVV. We recommend that you check your most recent bank and or credit card statement related to the card above for charges unauthorized by you.”

    The company said it discovered the card skimmer after an inspection of its PIN pads and said law enforcement has been contacted. The letter added that even if victims have not seen any suspicious charges, they should still call their bank to “discuss possible options for avoiding potential problems in case” their card was inappropriately used. Costco is offering victims IDX identity theft protection services, which include 12 months of credit monitoring, a $1 million insurance reimbursement policy and ID theft recovery services.

    The letters come after people wrote on Twitter and Reddit that they had discovered fraudulent charges on their Costco cards and accounts. Some said they began noticing the charges after using their card at Costco gas stations.

    “Noticed a fraudulent charge on my credit card, so I called to get it handled. The guy on the phone asked if I pay at the pump usually for gas, and I said yes. Apparently, skimmers for information are common on pay at pump systems and car washes,” one Reddit user wrote. “That was the only place he saw in my history that was likely to have stolen my information. He recommended paying inside, but Costco doesn’t even have that option. Just a reminder to always check your credit card statements and watch for fraudulent charges!”

    Card skimmers are a persistent problem on both physical terminals and online e-commerce portals. The problem is so common that Cloudflare created a web security tool to prevent Magecart-style attacks in March.

    CRITICALSTART CTO Randy Watkins said this type of physical data theft is typically very isolated: card skimming devices are placed on everything from gas pumps to ATMs, but each poses a threat only to patrons of the breached device.

    “The data that the attacker can obtain from the magnetic strip on a card actually depends on the card itself. While things like the credit card number, full name, expiration, and country code is universal, other cards can contain additional information like billing address or rewards account numbers. Consumers should make a habit of checking card slots for any foreign devices (internal or external) before swiping their card,” Watkins told ZDNet.

    Armen Najarian, chief identity officer at Outseer, said the Costco breach underscores the urgency for better payment security anywhere a transaction happens.

    “As we head into the holiday season, hackers and other bad actors will target retailers made vulnerable by short staffing and high transaction volumes,” Najarian said. “All of this, unfortunately, will be amplified this year as pandemic-induced labor shortages reach unprecedented levels. If retailers want to keep their customers safe and happy this holiday season, they need to prioritize payment authentication software for in-store and online transactions alike.”

    Costco is the fifth largest retailer in the world and fourth largest in the US, with 810 stores worldwide.

  • Google warns hackers used macOS zero-day flaw, could capture keystrokes, screengrabs


    Google’s Threat Analysis Group (TAG) has revealed that hackers targeting visitors to websites in Hong Kong were using a previously undisclosed, or zero-day, flaw in macOS to spy on people. Apple patched the bug, tracked as CVE-2021-30869, in a macOS Catalina update in September, about a month after Google TAG researchers found it being used.

    “A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of reports that an exploit for this issue exists in the wild,” Apple said, crediting Google TAG researchers with reporting the flaw.

    Now Google has provided more information, noting that this was a so-called “watering hole” attack, where attackers select websites to compromise because of the profile of typical visitors. The attacks targeted Mac and iPhone users.

    “The websites leveraged for the attacks contained two iframes which served exploits from an attacker-controlled server — one for iOS and the other for macOS,” said Erye Hernandez of Google TAG. The watering hole served an XNU privilege escalation vulnerability at that point unpatched in macOS Catalina, which led to the installation of a backdoor.

    “We believe this threat actor to be a well-resourced group, likely state-backed, with access to their own software engineering team based on the quality of the payload code,” he added.

    The attackers combined the previously disclosed flaw in XNU, tracked as CVE-2020-27932, with a related exploit into an elevation of privilege bug that gave them root access on a targeted Mac. Once root access was gained, the attackers downloaded a payload that ran silently in the background on infected Macs. The design of the malware suggests a well-resourced attacker, according to Google TAG.

    “The payload seems to be a product of extensive software engineering. It uses a publish-subscribe model via a Data Distribution Service (DDS) framework for communicating with the C2. It also has several components, some of which appear to be configured as modules,” notes Hernandez.

    The backdoor included the usual-suspect traits of malware built for spying on a target, including device fingerprinting, screen captures, and the ability to upload and download files and execute terminal commands. The malware could also record audio and log keystrokes. Google didn’t disclose the websites targeted but noted that they included a “media outlet and a prominent pro-democracy labor and political group” related to Hong Kong news.

  • This sneaky trick lets attackers smuggle malware onto your network

    Microsoft has flagged a relatively new style of attack, dubbed “HTML smuggling”, which is being used in email campaigns that deploy banking malware and remote access Trojans (RATs), and as part of targeted hacking attacks.

    HTML smuggling lets an attacker “smuggle” an encoded malicious script within a specially crafted HTML attachment or web page. It’s a “highly evasive” malware delivery technique that uses legitimate HTML5 and JavaScript features, warns the Microsoft 365 Defender Threat Intelligence Team.


    It’s a nasty trick that bypasses standard network perimeter security, such as web proxies and email gateways, since the malware is built inside the network after an employee opens a web page or attachment with the malicious HTML script. So, a company’s network can be hit even if gateway devices check for suspicious EXE, ZIP, or Office documents.

    “When a target user opens the HTML in their web browser, the browser decodes the malicious script, which, in turn, assembles the payload on the host device. Thus, instead of having a malicious executable pass directly through a network, the attacker builds the malware locally behind a firewall,” Microsoft warns.

    It’s a practical attack technique because most businesses use HTML and JavaScript to run their business apps. The problem is that there’s been a recent surge in HTML smuggling attacks because cybercriminal groups behind banking malware like Trickbot, RATs and other malware are learning from state-sponsored attackers. The style of attack is notable because it’s been used by Kremlin-backed hackers – tracked by Microsoft as Nobelium. Since then, it has been adopted by cybercriminals.

    HTML smuggling is also an effective technique because the web is vital to business operations. Organizations, for example, can disable JavaScript in the browser, but it’s widely known to be an impractical approach because the language is ubiquitous on the web. Microsoft has tried to tighten up Edge security with its Super Duper Secure Mode that turns off the JavaScript JIT compiler. Google also regularly fixes potent bugs in Chrome’s V8 JavaScript engine.

    “Disabling JavaScript could mitigate HTML smuggling created using JavaScript Blobs. However, JavaScript is used to render business-related and other legitimate web pages,” Microsoft explains. “In addition, there are multiple ways to implement HTML smuggling through obfuscation and numerous ways of coding JavaScript, making the said technique highly evasive against content inspection.”

    Microsoft has found that between July and August there was an uptick in HTML smuggling in campaigns that deliver RATs such as AsyncRAT/NJRAT.

    “In September, we saw an email campaign that leverages HTML smuggling to deliver Trickbot. Microsoft attributes this Trickbot campaign to an emerging, financially motivated cybercriminal group we’re tracking as DEV-0193,” says Microsoft.
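    Because the gateway never sees a binary, the defensive handle is the HTML attachment itself: it has to carry the encoded bytes plus the JavaScript that decodes them and hands a Blob to the user. The script below is an added triage example written for this digest, not Microsoft's or ZDNet's code. It scores an HTML document on the indicators that pattern needs (a long base64 literal, `atob`, a `Blob` constructor, `URL.createObjectURL` or `msSaveOrOpenBlob`, a `download` attribute, a programmatic click) and decodes long base64 literals to see whether they begin with an executable or archive signature. The indicator list, the scoring weights, the threshold and both sample documents are assumptions constructed for the example.

```python
"""Static triage of an HTML attachment for HTML-smuggling indicators (example code)."""
import base64
import re
from dataclasses import dataclass

# Script-level indicators of browser-side payload assembly. This list and the
# weights below are assumptions for the example, not a vendor detection rule.
SCRIPT_INDICATORS = {
    "blob_constructor": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob\s*\("),
    "base64_decode": re.compile(r"\batob\s*\("),
    "download_attr": re.compile(r"\bdownload\s*=", re.IGNORECASE),
    "programmatic_click": re.compile(r"\.click\s*\(\s*\)"),
}

# A quoted base64 run long enough to carry a file rather than a short token.
BASE64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{64,}={0,2})['\"]")

# File signatures a mail attachment has no business assembling client-side.
MAGIC = {b"MZ": "pe-executable", b"PK\x03\x04": "zip-archive", b"\x7fELF": "elf-executable"}

SUSPICIOUS_THRESHOLD = 4  # assumed cut-off for this example


@dataclass
class Verdict:
    indicators: list
    embedded_types: list
    score: int
    suspicious: bool


def embedded_file_types(html: str) -> list:
    """Decode every long base64 literal and report known file signatures."""
    found = []
    for literal in BASE64_LITERAL.findall(html):
        try:
            blob = base64.b64decode(literal, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        for magic, label in MAGIC.items():
            if blob.startswith(magic):
                found.append(label)
    return found


def scan_html(html: str) -> Verdict:
    """Score one HTML document; higher means more smuggling-like."""
    indicators = [name for name, rx in SCRIPT_INDICATORS.items() if rx.search(html)]
    types = embedded_file_types(html)
    score = len(indicators)
    # Creating a Blob and handing it to the user is the core of the technique,
    # so that combination is weighted above any single indicator.
    if "blob_constructor" in indicators and {"object_url", "ms_save_blob"} & set(indicators):
        score += 2
    score += 3 * len(types)  # an embedded executable/archive is the strongest signal
    return Verdict(indicators, types, score, score >= SUSPICIOUS_THRESHOLD)


# Constructed benign fixture: an ordinary page that fetches JSON from its own API.
BENIGN_HTML = """<html><body>
<h1>Quarterly report</h1>
<script>
  fetch('/api/report').then(r => r.json()).then(d => render(d));
</script>
</body></html>"""

# Constructed stand-in for a smuggled file: a zip signature followed by filler text.
_FAKE_ARCHIVE = b"PK\x03\x04" + b"constructed placeholder bytes, not a real archive. " * 3
_ENCODED = base64.b64encode(_FAKE_ARCHIVE).decode()

# Constructed suspicious fixture showing the decode-to-Blob-to-download shape.
SUSPICIOUS_HTML = (
    "<html><body><script>\n"
    "var data = '" + _ENCODED + "';\n"
    "var raw = atob(data);\n"
    "var bytes = new Uint8Array(raw.length);\n"
    "for (var i = 0; i < raw.length; i++) bytes[i] = raw.charCodeAt(i);\n"
    "var blob = new Blob([bytes], {type: 'application/octet-stream'});\n"
    "var a = document.createElement('a');\n"
    "a.href = URL.createObjectURL(blob); a.download = 'invoice.zip'; a.click();\n"
    "</script></body></html>"
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        print(name, scan_html(doc))
```

    Run against the two fixtures, the benign page scores 0 and the constructed lure scores 10 (five indicators, the Blob-plus-handoff bonus, and a decoded zip signature). The caveat Microsoft raises applies directly: the literal can be split, reversed or hidden behind string operations, so a static scanner like this is a cheap first pass for mail-flow triage and should sit alongside detonation or attachment blocking rather than replace them.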

  • US President Biden signs law to ban Huawei and ZTE from receiving FCC licences

    US President Joe Biden on Thursday signed into law bipartisan legislation that will ban companies like Huawei and ZTE from getting approval for network equipment licences in the US.

    The legislation, the Secure Equipment Act of 2021, will require the Federal Communications Commission (FCC) to adopt new rules that clarify it will no longer review or approve any authorisation applications for networking equipment that pose national security threats.

    Last year, the FCC formally designated Huawei and ZTE as national security threats, with that decision being made as the agency found that both companies had close ties to the Chinese Communist Party and China’s military apparatus.

    Since March, FCC commissioner Brendan Carr has made repeated calls for the legislation to be passed, saying at the time that the FCC has authorised 3,000 applications for Huawei networking equipment to be used.

    “Once we have determined that Huawei or other gear poses an unacceptable national security risk, it makes no sense to allow that exact same equipment to be purchased and inserted into our communications networks as long as federal dollars are not involved. The presence of these insecure devices in our networks is the threat, not the source of funding used to purchase them,” Carr said at the time.

    Besides Huawei and ZTE, other Chinese companies flagged as national security threats are Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, and Dahua Technology Company.

    At the end of last month, the FCC also removed the authority for China Telecom to operate in the US, with the telco required to pack its bags and stop providing domestic and international services by the end of Christmas.

    Citing a recommendation from the Trump-era Justice Department, the Commission said China Telecom America “failed to rebut” a series of concerns raised.

    “China Telecom Americas, a US subsidiary of a Chinese state-owned enterprise, is subject to exploitation, influence, and control by the Chinese government and is highly likely to be forced to comply with Chinese government requests without sufficient legal procedures subject to independent judicial oversight,” the FCC said.

    With the US clampdown especially focused on Huawei, alongside other countries following suit, the Chinese tech giant reported a steep decline in its first-half revenue, with its business to the end of June reporting 320 billion yuan in sales, compared to 454 billion yuan at this time last year. In providing the financial results, rotating chair of Huawei Eric Xu said the aim of the company moving forward would be to survive sustainably.

  • Missouri apologizes to 600k teachers who had SSNs and private info exposed

    Missouri’s Department of Elementary and Secondary Education (DESE) has apologized to the 620,000 past and present educators who had their sensitive information — including their social security numbers — exposed on the DESE certification database.


    Missouri’s Office of Administration Information Technology Services Division (OA-ITSD) and the DESE will send out letters to those affected notifying them that their personally identifiable information “may have been compromised during a recent data vulnerability incident.”

    The situation caused national headlines last month because the governor of the state used the incident to attack The St. Louis Post-Dispatch. Josh Renaud, a reporter from the newspaper, discovered a vulnerability in the certification database that exposed teacher data, notified the DESE, and gave them time to fix it before publishing his story. But Missouri Governor Mike Parson claimed Renaud had “hacked” the database himself and threatened legal charges against the reporter.

    Since being ridiculed by cybersecurity professionals — and even members of his own party — Parson has used the incident to fundraise for himself, bringing in about $85,000 thanks to an ominous video doubling down on the hacking accusations, according to the Post-Dispatch.

    But DESE officials, alongside members of OA-ITSD, apologized this week to the teachers who had their data exposed and offered 12 months of credit and identity theft monitoring resources through IDX.

    “Educators have enough on their plates right now, and I want to apologize to them for this incident and the additional inconvenience it may cause them,” said Commissioner of Education Margie Vandeven. “It is unacceptable. The security of the data we collect is of the utmost importance to our agency. Rest assured that we are working closely with OA-ITSD to resolve this situation.”

    The state claims it is “unaware of any misuse of individual information or if information was accessed inappropriately outside of an isolated incident.” But officials said that “out of an abundance of caution,” they wanted to provide teachers with some protection. Those who may have been affected by the issue can contact the IDX Call Center at 833-325-1777.

    DESE explained that Renaud said he was able to view the social security numbers of certain teachers “through a multi-step process” that involved accessing the certification records of at least three educators and then taking the encoded source data from that webpage and “decoding that data.”

    “Educators’ PII was only accessible on an individual basis within this search tool, and there was no option to decode SSNs for all educators in the system all at once. Upon verification of the threat, DESE immediately notified OA-ITSD who immediately disabled the educator certification search tool,” the state said. “The services offered through IDX will cost the state approximately $800,000. The state was able to take advantage of an existing multi-state contract with this vendor, which significantly lowered the cost for the credit and identity theft monitoring services.”

    Parson originally claimed during a press conference that the incident would cost the state $50 million as opposed to the $800,000 that is now being spent. Despite the ridicule Parson got from cybersecurity experts, the Missouri Highway Patrol-led investigation into the incident is still ongoing.

  • Brazil advances efforts to tackle electronic fraud

    The Brazilian government has created a special commission aimed at tackling electronic fraud.

    Created by the Ministry of Justice (MoJ) under the National Consumer Defense Council, the commission will include representatives of antitrust regulator Cade, as well as the National Confederation of Commerce, the consumer defense bodies from the states of São Paulo, Tocantins and Porto Alegre, the Federal Public Defender’s Office, and the Central Bank.

    This commission follows the recent creation of a working group, which is providing an assessment of the current online fraud landscape. The working group has the involvement of bodies such as the Brazilian Federation of Banks (Febraban) and the Central Bank. According to the MoJ, the working group will publish a final report listing proposals for combatting online fraud. The group is also due to meet with the National Data Protection Authority.

    In September, the MoJ started negotiations with Febraban about creating a National Cybercrime Strategy. According to Febraban, the discussions are informed by the National Strategy Against Corruption and Money Laundering, which is led by the Ministry of Justice and has been in place since 2003.

    The idea is to “expand the identification and repression” of the actors responsible for cybercrimes, the commission said. Other goals include jointly developing platforms for sharing fraud data, training security forces in cybersecurity and digital fraud issues, and leading public awareness campaigns on cyber risks and fraud.

  • VP Harris announces US support for international cybersecurity partnership in Paris

    US Vice President Kamala Harris said the US will be joining the Paris Call for Trust and Security in Cyberspace — a voluntary agreement between more than 80 countries, local governments and tech companies centered on advancing cybersecurity and “preserving the open, interoperable, secure, and reliable Internet.”

    The announcement was part of a diplomatic trip Harris made to Paris, where she met with French President Emmanuel Macron to discuss a range of issues. Macron spearheaded the creation of the initiative in 2018 and has long sought the inclusion of the US. But the administration of former President Donald Trump refused to join, criticizing it because both China and Russia also were not part of it.

    In a statement, the White House said the US “looks forward to continued partnership with France and other governments, private sector, and civil society around the world to advance and promote norms of responsible behavior in cyberspace.”

    “This includes working with likeminded countries to attribute and hold accountable States that engage in destructive, disruptive, and destabilizing cyber activity. The United States’ decision to support the Paris Call reflects the Biden-Harris Administration’s priority to renew and strengthen America’s engagement with the international community on cyber issues,” the White House explained. “The United States interprets the Paris Call consistent with our existing domestic and international obligations and commitments, including the importance we place on respecting human rights, freedom of expression and privacy. This announcement builds on the United States’ continuing work to improve cybersecurity for our citizens and business, including rallying G7 countries to hold accountable nations that harbor cyber criminals, supporting the update of NATO cyber policy for the first time in seven years, and the recent counter-ransomware engagement with over 30 countries around the world to accelerate international cooperation to combat cybercrime.”

    The Paris Call is made up of nine principles, which include protecting individuals and infrastructure, protecting the internet, defending electoral processes, defending intellectual property, the non-proliferation of malicious software, lifecycle security, cyber hygiene, banning private actors from “hacking back,” and implementing international norms “of responsible behavior.”

    The effort has already led to some changes across Europe and South America that allowed for tougher cybersecurity measures around emergency phone systems, the protection of domain name systems, more prominent bug bounty programs and more.

    Before Harris left for Paris, two senior leaders in Congress — Senate Foreign Relations Committee chairman Robert Menendez and House Foreign Affairs Committee chairman Greg Meeks — wrote a letter to her urging the US to join the Paris Call.

    “Given the recent surge of ransomware and other cyberattacks against the United States and our partners and allies, the Forum’s work on cybersecurity is essential. Cybersecurity is a critical economic and national security imperative, and confronting this challenge will require comprehensive and sustained US engagement with a wide range of stakeholders,” the two wrote. “In particular, private-sector companies play an increasingly significant role, including through the Paris Peace Forum and its Paris Call for Trust and Security in Cyberspace. We welcome your commitment to engage with our allies and partners, private-sector companies, and other important stakeholders at the Paris Peace Forum.”