More stories


    New ransomware highlights widespread adoption of Golang language by cyberattackers

    A new ransomware strain that utilizes Golang highlights the programming language’s increasing adoption by threat actors. 

    CrowdStrike secured a sample of a new, as yet unnamed ransomware variant that borrows features from HelloKitty/DeathRansom and FiveHands. These ransomware strains are thought to have been active since 2019 and have been linked to attacks against the maker of Cyberpunk 2077, CD Projekt Red (CDPR), as well as enterprise organizations. The sample reveals functions similar to those of HelloKitty and FiveHands, including components written in C++, the way the malware encrypts files, and how it accepts command-line arguments. In addition, akin to FiveHands, the new malware makes use of an executable packer that requires a key value to decrypt its malicious payload into memory, including the use of the command-line switch “-key.” “This method of using a memory-only dropper prevents security solutions from detecting the final payload without the unique key used to execute the packer,” CrowdStrike says. However, unlike HelloKitty and FiveHands, this new ransomware strain has adopted a packer written in Go that encrypts its C++ ransomware payload.

    According to Intezer, malware utilizing Go was a rare occurrence before 2019, but now the programming language is a popular option because code can be compiled quickly for multiple platforms and the resulting binaries are difficult to reverse-engineer. Sample rates have increased by approximately 2,000% in the past few years. CrowdStrike’s sample uses the most recent version of Golang, v1.16, which was released in February 2021. “Although Golang-written malware and packers are not new, compiling it with the latest Golang makes it challenging to debug for malware researchers,” CrowdStrike notes. “That’s because all necessary libraries are statically linked and included in the compiler binary, and the function name recovery is difficult.” Beyond its use of Go, the sample contains the typical functions of ransomware, including the ability to encrypt files and disks and to issue a demand for payment in return for a decryption key. The ransom note directs victims to a Tor address for a direct chat session with the malware’s operators and also claims that over 1TB of personal data has been stolen, which suggests the developers may be attempting ‘double extortion’: if a victim refuses to pay, they are threatened with the leak of their information. Earlier this month, BlackBerry’s threat research team published a report on ChaChi, a Trojan written in Go that has been used to attack French government authorities and, more recently, the US education sector.

    Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More


    Canberra dishes out AU$8 million to boost Aussie cyber skills

    The federal government has thrown AU$8.2 million of its AU$70 million Cyber Security Skills Partnership Innovation Fund at eight projects, with the aim of improving the skills and availability of cybersecurity professionals in Australia.

    Round one sees La Trobe University walk away with AU$2.35 million to raise awareness among 80,000 high school students of cybersecurity skills and training opportunities. The program will also partner with major industry players to help small businesses grow their skills, the government said.

    An Australian Cyber Security Growth Network-led project to develop a cybersecurity traineeship program to support about 200 participants into a cybersecurity career also received an undisclosed amount of funding, as did a project led by CSIRO aimed at up-skilling early career researchers in cybersecurity innovation and providing 100 university students with work experience.

    A Central Regional TAFE-led project to improve the number and quality of cybersecurity-trained professionals, including women, in regional and remote locations in Western Australia will take a slice of the funding, as will a TasTAFE-led project to establish a Cyber Innovation Training Hub that offers industry training. NSW Treasury is also receiving a slice of the funding to help with its project delivering a six-week cybersecurity work experience program with TAFE NSW and businesses for year 10 students.

    A project led by software firm RightCrowd that offers post-graduate training with Griffith University and commercial “on-the-job” internships was also a beneficiary of the round one kitty, as was Grok Academy, which is partnering school, vocational, and university students with industry players to develop their cybersecurity skills.

    The Cyber Security Skills Partnership Innovation Fund was handed further funding as part of the 2021 federal Budget. In total, the Budget allocated AU$77.1 million to skills as part of the government’s new digital economy strategy, which it described as an investment in the settings, infrastructure, and incentives to grow Australia’s digital economy.

    The AU$77.1 million will be shared by the “Digital Skills Cadetship Trial” to deliver work-based learning opportunities for in-demand digital jobs, with AU$10.7 million; AU$22.6 million for the “Next Generation Emerging Technology Graduates Program” that will provide more than 200 scholarships in emerging technologies; and AU$43.8 million for the expansion of its Cyber Security Skills Partnership Innovation Fund to fund additional innovative projects to quickly improve the quality and quantity of cybersecurity professionals in Australia.

    “We need a strong cybersecurity workforce in Australia to meet the increasing scale and sophistication of cyber threats,” Minister for Home Affairs Karen Andrews said. “Projects funded under the Cyber Security Skills Partnership Innovation Fund will help grow our workforce to ensure a safe online environment for all Australians.”

    Elsewhere, cybersecurity services provider Willyama Services was awarded a multi-year contract with Defence worth AU$10.3 million. The contract is for cybersecurity specialist support to the Defence Industry Security Office (DISO). Running for an initial two years, with a further 24-month option, Willyama, which has its sights set on becoming the first 100% Aboriginal-owned IT company to list on the ASX, will provide ongoing cyber specialist support to deliver DISO cybersecurity assurance and audit activities.

    “This contract with Defence is significant for more than the financial value,” Willyama said. “The majority of the Indigenous and veteran staff Willyama engages come from ‘non-traditional’ employment backgrounds for engagement in the federal IT sector and require significant support, cross and upskilling, in order to be able to provide these services.

    “With two years guaranteed commercial support, we expect to significantly increase our investment in Indigenous and veteran staff to be able to provide more services to the federal sector in the future.

    “This contract is a lever to changing lives and we are excited by the opportunity to share this journey with Defence.”


    Google Play developer accounts to require 2FA and a physical address

    Google has changed the information requirements for people with Play Store developer accounts, in an effort to validate whether developers are real. While it currently only asks for email address and phone number, Google will now ask whether the account is personal or for a business, a contact name, physical address, and verification of email and phone details. “Your contact information allows us to share important information and updates about your app. It also helps us make sure that every account is created by a real person with real contact details, which helps us keep the Play Store safe for all users,” Google said in a blog post. “This information will not be public-facing and is just to help us confirm your identity and communicate.” Google will also mandate that Google Play Console users use two-factor authentication. From today, developers can state whether their account is personal or for business, and verify contact details. While stating the account type is optional, it will be enforced if a developer wishes to update their contact details. New accounts will have the account type, contact information, and 2FA requirements enforced in August, while existing developers will face the requirements “later this year”.

    In March, Google dropped the commission it takes for Play Store sales to 15% for the first $1 million. At the time, the company said 99% of its developers would see a halving in fees taken by Google.


    Cyber insurance isn't helping with cybersecurity, and it might be making the ransomware crisis worse, say researchers

    Ransomware is one of the biggest cybersecurity issues facing organisations today but as claims mount and cyber insurers look at the coverage they are offering, changes may be coming. Cyber insurance is designed to protect organisations against the fallout of cyber attacks, including covering the financial costs of dealing with incidents. But some critics argue that insurance encourages ransomware victims to simply pay the ransom demand which will then be covered by the insurers, rather than have adequate security to deter hackers in the first place. Insurers argue that it’s the customer that makes any decision to pay the ransom, not the insurer. It isn’t illegal to pay cyber criminals a ransom demand but law enforcement agencies warn that doing so will give the gangs funds to launch more attacks. According to a research paper examining cyber insurance and the cybersecurity challenge by defence think tank Royal United Services Institute (RUSI), this practice isn’t just encouraging cyber criminals, it’s also not sustainable for the cyber insurance industry, which warns ransomware has become an existential threat for some insurers. “To date, cyber insurance has failed to live up to expectations that it may act as a tool for improving organisations’ cyber security practices,” RUSI said. And it warned: “Cyber insurers may be unintentionally facilitating the behaviour of cybercriminals by contributing to the growth of targeted ransomware operations.” Ransomware is one of the most significant cyber threats which organisations face today – as National Cyber Security Centre (NCSC) CEO Lindy Cameron recently said in a speech at RUSI – as attacks increase in complexity and cyber criminals demand larger ransoms.

    Refusing to pay the ransom can lead to months of downtime and huge costs for organisations that attempt to restore their network from scratch – and according to RUSI, some ransomware victims and their insurers will pay the ransom because they see it as the lowest-cost option for restoring networks. “There are widespread concerns that insurers are fuelling ransomware attacks by paying ransom demands. Paying ransoms is not currently illegal, and it is often cheaper to pay off extortionists than it is to rebuild IT infrastructure or cover losses from business interruption,” says the paper. Some ransomware gangs are even actively seeking to target victims with cyber security policies, because they believe that’s the best way to guarantee they’ll make money from encryption campaigns. However, according to the RUSI report, cyber insurance can actually play a role in actively disrupting the ransomware business model, by encouraging policy holders to improve their defences in order to do as much as possible to prevent them from falling victim to a ransomware attack in the first place. The paper suggests that insurance should require ‘minimum ransomware controls’ as part of any ransomware coverage. These controls include timely patching of critical vulnerabilities in external-facing IT infrastructure, enabling multi-factor authentication on remote access services, limiting lateral movement by adopting network segmentation, and implementing procedures to ensure regular backups are created. And there is some evidence that change is coming. According to a recent story in the Financial Times, insurers are already increasing premiums and putting in place stricter demands in terms of the cybersecurity strategies used by companies that want to buy cyber insurance. The Washington Post has also reported that insurers are demanding greater security and cutting back the amounts of cover they are willing to offer.

    All of these recommendations could prevent a ransomware attack from happening in the first place, or mitigate the damage a ransomware attack could do – meaning that in the event of falling victim to a ransomware attack, paying the ransom would be an absolute last resort, rather than being signed off as the simplest thing to do. It would also reduce risks for the cyber insurance industry going forward, reducing the need for insurance firms to support payouts of millions for decryption keys following a ransomware attack. “The impact of ransomware on the cyber insurance industry emphasises the need to address some of these issues and questions sooner rather than later. As some insurers risk being overwhelmed by losses, the industry and governments need to react quickly to ensure adequate protection and coverage for businesses,” the researchers said. However, at least right now, the availability of cyber insurance doesn’t seem to be helping improve cybersecurity. “Interviewees from across government, industry and business consistently stated that the positive effects of cyber insurance on cyber security have yet to fully materialise,” the report said, adding: “Most of the market has used neither carrots (financial incentives) nor sticks (security obligations) to improve the cyber security practices of policyholders.”



    EA ignored domain vulnerabilities for months despite warnings and breaches

    Gaming giant Electronic Arts is facing even more criticism from the cybersecurity industry after ignoring warnings from cybersecurity researchers in December 2020 that multiple vulnerabilities left the company severely exposed to hackers. 

    Officials from Israeli cybersecurity firm Cyberpion approached EA late last year to inform them of multiple domains that could be subject to takeovers as well as misconfigured and potentially unknown assets alongside domains with misconfigured DNS records.  But even after sending EA a detailed document about the problems and a proof of concept, Cyberpion co-founder Ori Engelberg told ZDNet that EA did nothing to address the issues.  Engelberg said EA responded with an acknowledgment of receiving the information on these vulnerabilities and said they would contact Cyberpion if they had any additional questions. But they never did.  “We inspect the entire internet but as gamers, we are customers of EA. So many of our employees play FIFA and other games. We love EA so we wanted to contact them to help because their online presence is significant,” Engelberg said.  “What we found is the ability to take over assets of EA. It is more than just taking the assets of EA, it is about what can be done with these assets because we know EA. We know that if somebody can send emails from the domains of EA to us, the customers, or to suppliers of EA or to employees of EA, then that’s the easiest door to the company. It isn’t even a door. It is something simpler.”  He explained that, by using the stolen domains, malicious actors could send emails purporting to be from EA and ask people to send account information or other data. EA was already facing backlash last week after it was revealed that a “chain of vulnerabilities” could have allowed attackers to gain access to personal information and take control of accounts.

    In recent weeks, Motherboard reported that the massive data breach EA suffered was due to hackers’ ability to abuse Slack privileges to gain access to an account. Hackers on forums boasted about stealing 780 GB of data from the company and gaining full access to FIFA 21 matchmaking servers, FIFA 22 API keys, and some software development kits for Microsoft Xbox and Sony. They also purport to have much more, including the source code and debugging tools for Frostbite, which powers EA’s most popular games like Battlefield, FIFA, and Madden. But before the breach through Slack, Engelberg and his team had repeatedly warned EA that at least six — now more than 10 according to Engelberg — vulnerabilities left multiple domains and other assets free for the taking. Domains like occo.ea.com were vulnerable to takeover and the Cyberpion team found 15 EA sites — like wwe-forums.ea.com, api.pogo.com, and api.alphe.pogo.com — serving login pages over HTTP. The host stats.ea-europe.com serves a mismatched certificate and its DNS record points to an IP address of a non-EA site, while easportsfootball.it and easoweb01.ea.com serve certificates that expired seven and nine years ago, respectively. Cyberpion researchers discovered that the SOA record of ea-europe.com refers to an authoritative name server that has a private IP address. A local DNS server on this address can return whatever address its operator decides for eaeurope.com. They also identified over 500 DNS misconfigurations across EA’s domains. Engelberg noted that he has seen dozens of examples of hackers taking over the domain of an organization and sending emails from that domain to suppliers as a way to spread an attack. “Suppliers are even more vulnerable than employees and customers because it is very common for them to get emails from people inside the customer organization that they don’t know,” Engelberg explained.
“This is something that is very easy to abuse because somebody can take over an external infrastructure through which it is possible now to send emails, to issue a valid certificate, to operate a site that looks just like the login of EA. It is EA’s certificate, it is EA’s domain. It was also possible to send and read emails from the domains.” Engelberg said he simulated an attack for EA in December but the company never addressed the issue, allowing it to worsen as more assets became vulnerable to takeover.  While Engelberg said he was not surprised EA got hacked through Slack earlier this month, he did sympathize with their plight, noting that the company’s security team probably has hundreds of action items to handle.  The issues caught by Cyberpion also involve EA’s supply chain, making them more difficult to solve, Engelberg added.  “In most cases, it is about being connected to some infrastructure which is not controlled by your organization. The basic thing that could be done is to cut the connection. Even before you understand who owns or created these,” he said.  “Just shut down the asset. You have an asset. It could be taken over, so shut it down. Delete all the DNS records and just make sure it is no longer active.”  Vulnerabilities like the ones found by Cyberpion are common across the internet and Engelberg explained that his team has found dozens of Fortune 500 companies with similar issues.  But according to Akamai’s new report Gaming in a Pandemic, this issue is big within the gaming industry. Web application attacks targeting the video game industry grew by 340% in 2020, a higher rate than any other sector during the COVID-19 pandemic. “It is basically a matter of external attack surface management. In the end, enterprises do not know about their entire perimeter. They are distributedly managed. Somebody can create an asset and it will not be done via the IT or the security teams,” Engelberg said.  
    “Even assets that are known to the security team may have changes they don’t know about. If the hackers can achieve what they want without penetrating the organization but by hacking a third, fourth, or fifth party that you are connected to, why not? You have no visibility over the attack and you will find your data in the dark web three years from now.” K2 Cyber Security co-founder Jayant Shukla agreed with Cyberpion’s take on the issues and said most of the vulnerabilities stem from not keeping configurations up to date or not removing subdomains when they’re no longer needed. Shukla noted that while invalid certificates are a legitimate issue and will stop security-conscious users from visiting the site, they do not give attackers control over the domain. But the issue of DNS records is crucial for any company, Shukla told ZDNet. “In the end, none of these vulnerabilities appeared to threaten customer-facing interactions but decommissioning unused subdomains and keeping certificates up to date will go a long way to ensuring network operations are secure,” Shukla said. Shukla also questioned why EA released control over the occo.ea.com subdomain, speculating that it was not used often by EA. “The process of commissioning a subdomain is followed by everyone, but that does not happen when the subdomain is decommissioned. This is what the creators of the report seem to have exposed,” Shukla added. EA said it would have a full response when contacted for comment by ZDNet but never returned calls or emails after that. Cyberpion’s system found that EA fixed 7 of the critical issues in its assets in the 48 hours after the company was reached for comment.
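    The conditions Cyberpion and Shukla describe, such as login pages served over plaintext HTTP, expired or mismatched certificates, DNS records pointing outside the organisation's own address space, and an SOA record whose primary name server resolves to a private address, are exactly the kind of thing an external attack surface inventory can flag automatically. The Python below is an added example, not code from the article, Cyberpion or EA: every host name, address, network range and certificate date in it is constructed, and the inventory record layout is an assumption about what an external scan plus DNS and TLS inspection might produce.

```python
"""Attack-surface hygiene checks over a constructed asset inventory.

Added example, not from the article or from Cyberpion/EA. Every host name,
address, network range and certificate date below is constructed; the
inventory layout is an assumption about what an external scan might record.
"""
import ipaddress
from datetime import datetime, timezone

# Address space the hypothetical organisation owns (assumption).
OWNED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Fixed "current" date so the audit is reproducible offline.
AS_OF = datetime(2021, 6, 25, tzinfo=timezone.utc)

# Constructed inventory. example.com / example.net are reserved documentation
# domains; 198.51.100.0/24 and 203.0.113.0/24 are documentation address blocks.
INVENTORY = [
    {"host": "login.app.example.com", "scheme": "http", "is_login": True,
     "a_record": "203.0.113.10", "cert": None},
    {"host": "stats.example-eu.com", "scheme": "https", "is_login": False,
     "a_record": "198.51.100.7",
     "cert": {"names": ["www.other-tenant.net"],
              "not_after": "2030-01-01T00:00:00+00:00"}},
    {"host": "old.example.com", "scheme": "https", "is_login": False,
     "a_record": "203.0.113.20",
     "cert": {"names": ["old.example.com"],
              "not_after": "2014-05-01T00:00:00+00:00"}},
    {"host": "example-eu.com", "scheme": "https", "is_login": False,
     "a_record": "203.0.113.30", "soa_mname_ip": "192.168.1.5",
     "cert": {"names": ["example-eu.com"],
              "not_after": "2030-01-01T00:00:00+00:00"}},
    {"host": "shop.example.com", "scheme": "https", "is_login": True,
     "a_record": "203.0.113.40",
     "cert": {"names": ["*.example.com"],
              "not_after": "2030-01-01T00:00:00+00:00"}},
]


def cert_matches(names, host):
    """Minimal SAN matching: exact name, or a wildcard covering one label."""
    labels = host.split(".")
    parent = ".".join(labels[1:])
    for name in names:
        if name == host:
            return True
        if name.startswith("*.") and len(labels) > 2 and name[2:] == parent:
            return True
    return False


def check_asset(asset, now=AS_OF, owned_networks=OWNED_NETWORKS):
    """Return a list of hygiene findings for one inventory record."""
    findings = []
    # Credentials submitted over plaintext HTTP can be read in transit.
    if asset["is_login"] and asset["scheme"] != "https":
        findings.append("login page served over plaintext HTTP")
    # A record pointing outside owned space may be a dangling or foreign host.
    ip = ipaddress.ip_address(asset["a_record"])
    if not any(ip in net for net in owned_networks):
        findings.append(f"A record {ip} is outside owned address space")
    # An SOA primary name server on a private address is a DNS misconfiguration.
    mname_ip = asset.get("soa_mname_ip")
    if mname_ip and ipaddress.ip_address(mname_ip).is_private:
        findings.append(
            f"SOA primary name server resolves to private address {mname_ip}")
    # Certificate validity and host-name agreement for HTTPS endpoints.
    if asset["scheme"] == "https":
        cert = asset.get("cert")
        if cert is None:
            findings.append("HTTPS host with no certificate recorded")
        else:
            not_after = datetime.fromisoformat(cert["not_after"])
            if not_after < now:
                findings.append(f"certificate expired on {not_after.date()}")
            if not cert_matches(cert["names"], asset["host"]):
                findings.append("certificate does not match host name")
    return findings


def audit(inventory=INVENTORY, now=AS_OF):
    """Map each host with at least one finding to its list of findings."""
    report = {}
    for asset in inventory:
        findings = check_asset(asset, now)
        if findings:
            report[asset["host"]] = findings
    return report


if __name__ == "__main__":
    for host, findings in audit().items():
        print(host)
        for finding in findings:
            print("  -", finding)
```

    The "outside owned address space" check is deliberately noisy: a CDN or SaaS front end will trip it too, and that is the point, since each such hit is a third party whose lifecycle the security team should be tracking, which is the decommissioning gap Shukla describes. Real inventories would be populated from DNS zone exports, certificate transparency logs and scan output rather than the constructed list here.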


    Own an old WD My Book Live? Disconnect it from the internet right now

    Western Digital is urging legacy My Book owners to unplug their devices from the internet without delay following a series of remote attacks.

    In an advisory published June 24, the hardware vendor said that My Book Live and My Book Live Duo network-attached storage (NAS) devices are being remotely wiped through factory resets, leaving users at risk of losing all of their stored data. “Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability,” the company said. “In some cases, the attackers have triggered a factory reset that appears to erase all data on the device.” It appears that the vulnerability being exploited is CVE-2018-18472, a root remote command execution (RCE) bug that has earned a CVSS severity rating of 9.8. With attackers able to remotely operate as root, they can trigger resets and wipe all of the content on these portable storage devices, which made their debut in 2010 and received their final firmware update in 2015. When products reach end-of-life, they are generally no longer entitled to new security updates. As first reported by Bleeping Computer, forum users began querying the sudden loss of their data on June 24 via both the WD forum and Reddit. One forum user deemed themselves “totally screwed” due to the deletion of their information. “I am willing to part with my life savings to get my doctoral thesis data, newborn pictures of my children and dead relatives, travel blogs I wrote and never published and all my last 7 months of contract work,” another user commented. “I am so scared to even think about what this is going to do for my career having lost all my project data and documentation.”

    At the time of writing, forum users are trading potential recovery methods and ideas with varying degrees of success. “We are reviewing log files which we have received from affected customers to further characterize the attack and the mechanism of access,” Western Digital says. The log files, so far, show that My Book Live devices are being struck worldwide through direct online connections or port forwarding. WizCase has previously published proof-of-concept (PoC) code for the vulnerability. In some cases, the attackers are also installing a Trojan, of which a sample has been uploaded to VirusTotal. My Book Live devices are thought to be the only products involved in this widespread attack. WD cloud services, firmware update systems, and customer information are not believed to have been compromised. Western Digital is urging customers to pull their devices from the internet as quickly as possible. “We understand that our customers’ data is very important,” Western Digital says. “We do not yet understand why the attacker triggered the factory reset; however, we have obtained a sample of an affected device and are investigating further.” The company is also investigating potential recovery options for impacted customers. ZDNet has reached out to Western Digital with additional queries and we will update when we hear back.


    GitHub bug bounties: payouts surge past $1.5 million mark

    Over half a million dollars has been issued as rewards for researchers participating in GitHub’s bug bounty program over the past year, bringing total payouts to over $1.5 million. 

    The Microsoft-owned vendor has operated the GitHub Security Bug Bounty Program for seven years. Bug bounty programs are now a common way for vendors to elicit help from third-party researchers in securing products and services. In years past, it was sometimes difficult to privately disclose bugs and many companies did not have a dedicated contact or portal for vulnerability reports — but now, both credit and financial rewards are often on offer. The vendor says that 2020 “was the busiest year yet” for GitHub’s program. “From February 2020 to February 2021, we handled a higher volume of submissions than any previous year,” GitHub says. In total, 1,066 bug reports were submitted across GitHub’s public and private program — the latter of which is focused on beta and pre-release products — over the year, and $524,250 was awarded for 203 vulnerabilities. Since 2016, when GitHub launched its public program on HackerOne, rewards have now reached $1,552,004. The scope of GitHub’s program includes numerous GitHub-owned domains and targets such as the GitHub API, Actions, Pages, and Gist. Critical issues, including code execution, SQL injection, and login bypass tactics, can earn researchers up to $30,000 per report.

    GitHub also operates under the Safe Harbor principle, in which bug bounty hunters who adhere to responsible disclosure policies are protected from any potential legal ramifications of their research. The company says that over the past year, a universal open redirect submission has become its “favorite” bug. William Bowling was able to develop an exploit that leveraged request handlers to trigger an open redirect and also compromise Gist user OAuth flows. The report earned Bowling a $10,000 reward. GitHub also became a CVE Numbering Authority (CNA) in 2020 and has begun issuing CVEs for vulnerabilities in GitHub Enterprise Server. In related GitHub news, earlier this month the organization updated its policies on sharing software and code which can not only be used to conduct security research but also could be adopted by attackers. GitHub updated its terms to strip out “overly broad” language used to describe “dual-use” software, including tools such as Mimikatz, to “explicitly permit” sharing and remove the risk of any accusation of hostility toward genuine threat and cybersecurity research.


    Ministry of Defence employee charged in child pornography case

    A former UK Ministry of Defence (MoD) employee has been jailed for 16 months after being found guilty of storing and sharing child pornography. 

    The UK’s National Crime Agency (NCA) said that Bristol resident Phillip Nutt appeared in front of a judge at Bristol Crown Court on June 24. Nutt had previously pleaded guilty to possessing, making, and distributing indecent images. According to the NCA, Nutt was a former MoD employee who “used his IT skills to source and download child abuse images on the Dark Web.” Nutt was arrested by the NCA at his holiday home in Cornwall in 2020. During the raid, the police discovered close to 300 images and videos on his personal phone and computers. However, the 53-year-old managed a far more extensive collection stored in overseas and cloud-based accounts. With the assistance of international law enforcement agencies, the NCA discovered 445 online folders containing 18,641 files, including indecent images and “hundreds” of child pornography videos. Some of the videos documented abuse lasting for up to two hours. The former MoD employee hid his mobile collection in a lockbox app disguised as a calculator. He also frequented a forum on the Dark Web, dubbed the “PedoPub,” where he discussed his activities.

    “I have everything secured and no one can see unless I leave it unlocked by accident,” Nutt told a fellow chat room user. “I have a false camera storage as well so if someone asks to see my photos it shows normal people photos. The good ones are hidden.” Nutt also vented his frustration at the UK’s lockdown policies, which at their peak kept children, except those of key workers or the vulnerable, from attending school in person — thereby restricting his access to children. “The conviction of Nutt serves as a warning to all — that we will work with partners across the globe to safeguard children and bring offenders before the court,” commented Derek Evans, NCA Senior Investigating Officer. “For as long as the demand for this material remains in depraved people like Nutt, it will continue to be supplied. This investigation has broken part of that cycle and the NCA has succeeded in disrupting someone who posed a significant threat to children.” ZDNet has reached out to the MoD for comment and we will update when we hear back.