More stories

  • in

    Crackonosh malware abuses Windows Safe mode to quietly mine for cryptocurrency

    Researchers have discovered a strain of cryptocurrency-mining malware that abuses Windows Safe mode during attacks. 

    The malware, dubbed Crackonosh by researchers at Avast, spreads through pirated and cracked software, often found through torrents, forums, and “warez” websites. After finding reports on Reddit of Avast antivirus users querying the sudden loss of the antivirus software from their system files, the team conducted an investigation into the situation, realizing it was due to a malware infection.

    Crackonosh has been in circulation since at least June 2018. Once a victim executes a file they believe to be a cracked version of legitimate software, the malware is also deployed.

    The infection chain begins with the drop of an installer and a script that modifies the Windows registry to allow the main malware executable to run in Safe mode. The infected system is set to boot in Safe mode on its next startup.

    “While the Windows system is in safe mode antivirus software doesn’t work,” the researchers say. “This can enable the malicious Serviceinstaller.exe to easily disable and delete Windows Defender. It also uses WQL to query all antivirus software installed SELECT * FROM AntiVirusProduct.”

    Crackonosh will scan for the existence of antivirus programs — including Avast, Kaspersky, McAfee’s scanner, Norton, and Bitdefender — and will attempt to disable or delete them. System log files are then wiped to cover its tracks.

    In addition, Crackonosh will attempt to stop Windows Update and will replace Windows Security with a fake green tick tray icon.

    The final step of the journey is the deployment of XMRig, a cryptocurrency miner that leverages system power and resources to mine the Monero (XMR) cryptocurrency. Overall, Avast says that Crackonosh has generated at least $2 million for its operators in Monero at today’s prices, with over 9000 XMR coins having been mined.

    Approximately 1,000 devices are being hit each day and over 222,000 machines have been infected worldwide. In total, 30 variants of the malware have been identified, with the latest version being released in November 2020.

    “As long as people continue to download cracked software, attacks like these will continue and continue to be profitable for attackers,” Avast says. “The key take-away from this is that you really can’t get something for nothing and when you try to steal software, odds are someone is trying to steal from you.”

  • in

    ‘Pen tester’ FIN7 hacking group member lands seven-year prison term

    A “high-level” member of FIN7 has been sentenced to a seven-year term for his role in the cybercriminal group. 

    On Thursday, the US Department of Justice (DoJ) named Andrii Kolpakov, a 33-year-old from Ukraine, as a past member of FIN7 who served as an attacker internally referenced as a penetration tester. According to US prosecutors, Kolpakov was involved in FIN7 from at least April 2016 until his arrest in June 2018, when he was picked up by law enforcement in Spain and extradited to the United States a year later.

    The former hacker managed teams of attackers responsible for compromising the security of target systems, including businesses in the US.

    FIN7, also sometimes referred to as Carbanak, specialized in the theft and sale of consumer records from companies’ Point-of-Sale (PoS) systems. Malware used by the group would harvest payment card details that were then used to conduct fraudulent transactions or were sold on.

    One common attack method employed by FIN7 was Business Email Compromise (BEC), in which phishing emails containing a malicious file were sent to employees of a target company. This attachment contained a variant of the Carbanak malware. The DoJ estimates that in the US alone, over 6,500 PoS systems at more than 3,600 business locations were infiltrated by FIN7, leading to the theft of tens of millions of debit and credit cards, as well as costs of over $1 billion that had to be shouldered by victims.

    Additionally, the threat actors have been connected to attacks against organizations in Australia, France, and the United Kingdom.

    When it comes to Kolpakov’s earnings, prosecutors claim that his pay “far exceeded comparable legitimate employment in Ukraine.” “Moreover, FIN7 members, including Kolpakov, were aware of reported arrests of other FIN7 members, but nevertheless continued to attack US businesses,” the DoJ added.

    In June 2020, Kolpakov pleaded guilty to one count of conspiracy to commit wire fraud and a further count of conspiracy to commit computer hacking. He has now been sentenced to seven years in prison and has been ordered to pay $2.5 million in restitution.

    Europol and the DoJ have both been involved in multiple FIN7 arrests. In April, another Ukrainian national, Fedir Hladyr, was sentenced to 10 years behind bars for acting as a FIN7 systems administrator.

  • in

    Sophisticated hackers are targeting these Zyxel firewalls and VPNs

    Zyxel, a manufacturer of enterprise routers and VPN devices, has issued an alert that attackers are targeting its devices and changing configurations to gain remote access to a network. In a new support note, the company said that a “sophisticated threat actor” was targeting Zyxel security appliances with remote management or SSL VPN enabled. 


    The attacks affect organizations using Unified Security Gateway (USG), ZyWALL, the USG FLEX combined firewall and VPN gateway, Advanced Threat Protection (ATP) firewalls, and VPN series devices running its ZLD firmware.

    “The threat actor attempts to access a device through WAN; if successful, they then bypass authentication and establish SSL VPN tunnels with unknown user accounts, such as “zyxel_sllvpn”, “zyxel_ts”, or “zyxel_vpn_test”, to manipulate the device’s configuration. We took action immediately after identifying the incident,” Zyxel noted.

    This seems to suggest that the attackers are using hardcoded accounts to access the devices remotely. Earlier this year, researchers found a hardcoded admin backdoor account in one of Zyxel’s firmware binaries, which left 100,000 internet-exposed firewalls and VPNs at risk.

    Zyxel notes that a firewall may have been affected if users experience problems accessing the VPN, or routing, traffic, and login issues. Other signs include unknown configuration parameters and password problems. Zyxel warns admins to delete all unknown admin and user accounts that have been created by the attackers. It also advises them to delete unknown firewall rules and routing policies.

    Via Ars Technica, a Zyxel customer posted its disclosure email on Twitter. “Based on our investigation so far, we believe maintaining a proper security policy for remote access is currently the most effective way to reduce the attack surface,” Zyxel said. It recommends disabling HTTP and HTTPS services from the WAN side. For those who need to manage devices from the WAN side, it recommends restricting access to trusted source internet addresses and enabling GeoIP filtering. It also emphasizes that admins need to change passwords and set up two-factor authentication.

    The attacks on Zyxel devices follow a string of similar attacks on a range of VPN devices, which make a handy entry point to a corporate network for remote attackers seeking persistent access. The US Cybersecurity and Infrastructure Security Agency warned in April that attackers were targeting vulnerabilities in Pulse Secure Connect VPNs.

    ZDNet has contacted Zyxel for comment and will update this story if it receives a response.

  • in

    Australia's cops need reminding that chasing criminals isn't society's only need

    Image: Getty Images
    A disturbing pair of attitudes continue to infect law enforcement agencies across Australia. One is that if data exists then the cops have a right to access it. The other is that as long as something isn’t specifically illegal then it’s OK for the government and its agencies to do it.

    Earlier this month it was revealed that the Western Australia Police Force accessed data collected by the COVID SafeWA app, the state’s QR code check-in app. WA Premier Mark McGowan said the app should only be used for contact tracing, but the cops disagreed.

    “We attempted to negotiate an agreement with the police. They advised that it was lawful, and they couldn’t not do things that are lawful,” McGowan told ABC Radio Perth.

    Well, now the WA Parliament is introducing laws to block police access.

    Meanwhile, Victoria Police tried to access check-in data three times last year. The health department refused. But acting police minister Danny Pearson said he was reluctant to follow WA’s lead and introduce a legislated ban.

    “Let’s suppose a check-in could convict a criminal, I think that the idea of introducing legislation to prevent that occurring would lead to a poor public policy outcome,” Pearson told a state Budget Estimates Committee.

    WA Police Commissioner Chris Dawson made much the same point, telling Perth radio station 6PR that the police has “a duty to investigate crime”.

    “The police has a duty to collect the best possible evidence and put that before a court… I would not do my job as Police Commissioner if I was directed by the Premier or the politician elected by the people as to how to run a murder investigation.”

    That’s the dilemma.

    As a society we want to fight crime, but at the same time we don’t want to give unlimited power to the crimefighters because they have guns and can deprive us of our liberty and even our lives, and things can go wrong.

    Eight years ago, in the wake of Edward Snowden’s revelations about the scale of global digital surveillance, I wrote that intelligence organisations’ burning need for all the data was an addiction.

    Now the cops need their fix too, but can they handle the powerful data drugs responsibly? The evidence would suggest not.

    The Australian National Audit Office (ANAO) recently reported [PDF] that the Australian Federal Police (AFP) doesn’t have an electronic data and records management system and “keeps more than 90% of its digital operational records in network drives”.

    “Records in network drives are not secure from unauthorised access, alteration or deletion,” ANAO wrote.

    Many officers choose not to use the AFP’s case management system, PROMIS, because they’re not obliged to. By its own assessment, AFP rates its information management maturity as 156th of 166 Australian government entities.

    “The AFP’s poor digital record keeping is a risk to the integrity of its operations,” ANAO wrote.

    This week the Commonwealth Ombudsman found that the AFP had “issues” with data destruction too, with numerous examples of poor processes and record-keeping.

    The AFP was even found to be conducting surveillance in foreign jurisdictions without lawful approval. At least they disclosed that little oopsie to the Ombudsman.

    Data destruction problems were also found at the South Australian Police and the Australian Criminal Intelligence Commission.

    None of this is “OMG police state!” hyperbole. Australia isn’t a police state, and it’s quite some way from becoming one. We’re all free to write critiques like this one, for example.

    But the police forces continually show that they don’t have systems capable of correctly handling the data they do have access to. Yet they always want more, and they tend to get everything their way when new laws are made.

    The WA Bill to block their access to SafeWA data is a rare exception.

    There’s nothing wrong with cops asking for new powers to make their jobs easier. Who doesn’t want to make their job easier? But the counterarguments need to be heard and, indeed, listened to.

    During a global pandemic, it feels like the cops are more than happy to hunt down people breaking quarantine rules. They seem less interested in the harm minimisation — in ensuring everyone is comfortable giving fine-grained details of their daily lives to “the government”.

    Politicians need some spine here. They need to get over their fear of appearing “soft on crime” — crime is at historical all-time lows anyway — and tell the cops, simply, “No you can’t do that”.

    After all, what’s worse? An abstract “poor public policy outcome”, or more people on ventilators struggling for their lives?

  • in

    Minister prioritises Critical Infrastructure Bill as two others pass through Parliament

    Image: Asha Barbaschow/ZDNet
    Newly appointed Minister for Home Affairs Karen Andrews has singled out cyber as a priority in her portfolio, using Australia’s Critical Infrastructure reforms as an example of how the government has worked to protect the nation.

    “I have elevated cyber to big priority in the portfolio,” Andrews said, speaking as part of the CEDA State of the Nation 2021 conference on Thursday.

    The reforms, by way of the Security Legislation Amendment (Critical Infrastructure) Bill 2020, would allow, among other things, the government to provide “assistance” to entities in response to significant cyber attacks on Australian systems. Tech giants operating in Australia, such as Amazon Web Services, Cisco, Microsoft, and Salesforce, have all taken issue with these “last resort” powers.

    “The Critical Infrastructure legislation is particularly important to us, and I think that what it demonstrates is people’s perception of what is critical infrastructure, which is way beyond the physical bricks and mortar, is crucial to us,” Andrews said.

    The Bill brings in the likes of communications, financial services, data storage and processing, higher education and research, energy, food and grocery, healthcare and medical, space technology, transport, and water and sewerage sectors to the definition of critical infrastructure.

    “We do know that there is an increasing threat of cyber attack here in Australia, ransomware, these are significant issues for us. It is also important that we recognise that many businesses who either have been subject to a ransomware attack or are likely to be subject to a ransomware attack are not necessarily going to be forthcoming in providing that information,” Andrews continued. “If we don’t have the information going through to the Australian Signals Directorate that enables them to come in and provide a level of support, then it means that we can’t assist in trying to re-establish some of the connections that are there to try and assist with recovering the data. It also means that we’re not getting the intelligence that we need that will lead to a more cybersecure environment for us here in Australia.”

    Andrews said the legislation needs to “be progressed as a matter of urgency”.

    “That is what my plan is,” she added. “I think it actually provides significantly more protections than it does introduce risks.”

    Speaking alongside Andrews was Michelle Price, CEO of AustCyber, the organisation charged with growing a local cybersecurity ecosystem. She touted the legislation as “one piece of a very large patchwork of things” that need to be undertaken.

    “People are celebrating that this legislation is occurring, principally because it does level the playing field across industries,” she said. Of importance to Price, however, is that education on the Bill’s purpose and consequences should occur.

    “We need to make sure that that education spreads out, this is where the value chain comes into it, those trusted information-sharing networks that occur organically, as well as in an orchestrated way, to make sure that everyone is aware of this legislation,” she added.

    “I think that the government has done a good job of learning some lessons from the encryption legislation and has done extensive consultation of this legislation in spite of the comparatively short period of time that it has been running through, compared to other areas like the Telecommunication Sector Security Reforms and the Notifiable Data Breaches scheme … [that] have taken a lot longer than the critical infrastructure amendments.”

    The Senate this week passed two Bills that were not particularly given long consultation periods, either. The Online Safety Bill 2021 was waved through on Wednesday night with amendments. Among other things, the new Act extends the eSafety Commissioner’s cyber takedown function to adults, giving the power to issue takedown notices directly to the services hosting the content and end users responsible for the abusive content.

    The Bill was introduced to Parliament on February 24, eight business days after consultation on the draft legislation closed and before the 400-something submissions to the consultation were published. It was handed to a Senate committee on February 25 and after holding one public hearing, the committee scrutinising its contents handed down its report.

    Debating the Bill last week, Australian Greens co-deputy leader Senator Nick McKim said the government “[rammed] these Bills through this Parliament without adequate consideration and without adequate scrutiny”.

    He was unsuccessful with his request for the Bill to be repealed and re-written, and upon receiving Royal Assent, eSafety will be nutting out the specifications of how the new scheme will be run six months thereafter.

    Also passed this week was the Telecommunications Legislation Amendment (International Production Orders) Bill 2020.

    The IPO Bill paves the way for Australia to share communications data with other countries. It allows Australia to obtain a proposed bilateral agreement with the United States, in the first instance, under its Clarifying Lawful Overseas Use of Data Act (CLOUD Act).

    The Bill passed both houses, incorporating amendments from recommendations made by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) last month.

    The federal opposition on Monday introduced yet another security-related Bill to Parliament that, if passed, would require organisations to inform the Australian Cyber Security Centre (ACSC) before a payment is made to a criminal organisation in response to a ransomware attack.

    The Ransomware Payments Bill 2021 was introduced in the House of Representatives by Shadow Assistant Minister for Cyber Security Tim Watts, who took the opportunity to say the government’s current position of telling businesses to defend themselves by “locking their doors to cyber-criminal gangs” was “not good enough”.

    Responding to the proposed Bill, Andrews said she was open to exploring it.

    “From the government’s perspective, we actually would like businesses to reach out, particularly to ACSC, in the event that they have a ransomware attack or they have other threats,” she said.

    “[ACSC] is very well placed to be able to support them, but they rely on, in many instances, on businesses reporting or contacting them directly.

    “I’ve already had some discussions about mandatory reporting of ransomware attacks and my view at this stage is that there are a range of views about that — it’s very mixed in the response — what I want to do over the coming weeks is explore that much more fully.”

    Andrews said she wants the ACSC to be armed with the opportunity to support businesses that have been the subject of ransomware attacks, but that awareness was also important.

    “What I don’t want to do is end up with the cart before the horse effectively, and moving directly to the mandatory reporting of ransomware, where we haven’t gone through the process of raising awareness of cybersecurity, raising awareness of ransomware, making sure that we have in place all of the right mechanisms to support businesses,” she said.

    “So yes, I want to collect the intelligence, but I want to make sure that we’re doing this in a sensible and rational way.

    “But I’m open to exploring this. I am already exploring it.”

  • in

    Eftpos sends connectID digital identity solution live

    Payments company Eftpos has announced that its digital identity business, connectID, is now live and running as a fully owned subsidiary of Eftpos and as a standalone fintech company.

    ConnectID acts as a broker between identity service providers and merchants or government agencies that require identity verification, such as proof of age, address details, or bank account information.

    It has been designed to work within the federal government’s Trusted Digital Identity Framework (TDIF) and the banking industry’s TrustID framework. Although the Australian government has its own digital identity solution with myGovID, Eftpos has previously said its solution could provide a “smoother, faster, and more secure onboarding experience, including for government services”.

    Eftpos has also assured that connectID does not store any identity data. “Identity service providers store consumer identities and take responsibility for providing this secure information only under the consent of the identity owner,” the company explained.

    As part of the launch, Eftpos also revealed it was working with global identity and authentication firm SecureKey to further develop the technology.

    Eftpos CEO Stephen Benton said with connectID now live, the focus would be to expand the fintech firm’s range of partner organisations, as well as to become the first non-government accredited operator of a digital exchange in Australia.

    “ConnectID is collaboratively working with governments, businesses, online merchants, banks, and other identity providers with a view to building identity into our national payments infrastructure, as well as other commercial applications for all Australians and Australian businesses,” he said.

    The launch of connectID follows a number of trials that Eftpos kicked off last year with 20 “well-known” Australian brands, as well as Australia Post.

  • in

    Google rolls out a unified security vulnerability schema for open-source software

    Business author and expert, H. James Harrington, once said, “If you can’t measure something, you can’t understand it. If you can’t understand it, you can’t control it. If you can’t control it, you can’t improve it.” He was right. And Google is following this advice with a new way to strengthen open-source security: a vulnerability interchange schema for describing vulnerabilities across open-source ecosystems.


    That’s very important. One low-level problem is that while there are many security vulnerability databases, there’s no standard interchange format. If you want to aggregate information from multiple databases you must handle each one completely separately. That’s a real waste of time and energy. At the very least you must create parsers for each database format to merge their data. All this makes systematic tracking of dependencies and collaboration between vulnerability databases much harder than it should be.

    So, Google built on the work it’s already done on the Open Source Vulnerabilities (OSV) database and the OSS-Fuzz dataset of security vulnerabilities. The Google Open Source Security team, Go team, and the broader open-source community all helped create this simple vulnerability interchange schema. While working on the schema, they could communicate precise vulnerability data for hundreds of critical open-source projects. Now the OSV and the schema have been expanded to several new key open-source ecosystems: Go, Rust, Python, and DWF. This expansion unites and aggregates their vulnerability databases. This gives developers a better way to track and remediate their security issues.

    This new vulnerability schema aims to address some key problems with managing open-source vulnerabilities. It:

      • Enforces version specification that precisely matches naming and versioning schemes used in actual open-source package ecosystems. For instance, matching a vulnerability such as a CVE to a package name and set of versions in a package manager is difficult to do in an automated way using existing mechanisms such as CPEs.
      • Can describe vulnerabilities in any open source ecosystem, while not requiring ecosystem-dependent logic to process them.
      • Is easy to use by both automated systems and humans.

    In short, as Abhishek Arya, the Google Open Source Security Team Manager, put it in a note on the specification manuscript, “The intent is to create a simple schema format that contains precise vulnerability metadata, the necessary details needed to fix the bug and is a low burden on the resource-constrained open source ecosystem.”

    The hope is that with this schema, developers can define a format that all vulnerability databases can export. Such a unified format would mean that programmers and security researchers can easily share tooling and vulnerability data across all open-source projects.
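As an added example (not code from Google or the OSV project), the following Python shows the precise package-and-version matching the article describes, run against a constructed advisory laid out the way the OSV schema groups affected packages: an `affected` list of `package` {ecosystem, name} entries, each carrying `ranges` of `SEMVER`/`ECOSYSTEM` type whose `events` are `introduced`, `fixed` or `last_affected` versions. The advisory id, package names and versions are placeholders, and the dotted-numeric comparator is deliberately simplified (real ecosystems need their own rules, which is why each range is tagged with its type).

```python
import json

# Constructed sample advisory (not a real vulnerability): the id, package
# names and version numbers are placeholders, laid out the way the OSV
# schema groups affected packages, ranges and events.
SAMPLE_ADVISORY = json.loads("""
{
  "id": "EXAMPLE-2021-0001",
  "summary": "Constructed example advisory, not a real vulnerability",
  "affected": [
    {
      "package": {"ecosystem": "PyPI", "name": "examplepkg"},
      "ranges": [
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "1.2.0"}, {"fixed": "1.4.1"}]},
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "2.0.0"}, {"last_affected": "2.0.3"}]}
      ]
    },
    {
      "package": {"ecosystem": "Go", "name": "example.com/mod"},
      "ranges": [
        {"type": "SEMVER",
         "events": [{"introduced": "0"}, {"fixed": "0.9.0"}]}
      ]
    }
  ]
}
""")


def parse_version(v):
    """Dotted numeric version -> tuple of ints; a non-numeric tail such as
    'rc2' is dropped. Simplified on purpose: PEP 440 and semver pre-release
    ordering are ecosystem-specific, which is exactly why the schema tags
    every range with the ecosystem it belongs to."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts) or (0,)


def version_lt(a, b):
    """True if version a sorts strictly before b (1.4 == 1.4.0)."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def range_intervals(rng):
    """Pair each 'introduced' event with the next 'fixed' (exclusive upper
    bound) or 'last_affected' (inclusive upper bound); an 'introduced' with
    no closing event is open-ended. Returns (lower, upper, inclusive)."""
    intervals, lower = [], None
    for ev in rng.get("events", []):
        if "introduced" in ev:
            if lower is not None:
                intervals.append((lower, None, False))
            lower = ev["introduced"]
        elif "fixed" in ev and lower is not None:
            intervals.append((lower, ev["fixed"], False))
            lower = None
        elif "last_affected" in ev and lower is not None:
            intervals.append((lower, ev["last_affected"], True))
            lower = None
    if lower is not None:
        intervals.append((lower, None, False))
    return intervals


def version_in_range(version, rng):
    for lower, upper, inclusive in range_intervals(rng):
        # "0" is the schema's sentinel for "every version from the start".
        if lower != "0" and version_lt(version, lower):
            continue
        if upper is None or version_lt(version, upper):
            return True
        if inclusive and not version_lt(upper, version):
            return True
    return False


def is_affected(advisory, ecosystem, name, version):
    """Does this advisory cover the given ecosystem/package/version?"""
    for entry in advisory.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        if version in entry.get("versions", []):   # explicit version list
            return True
        for rng in entry.get("ranges", []):
            # GIT ranges hold commit hashes and are not version-comparable.
            if rng.get("type") in ("SEMVER", "ECOSYSTEM"):
                if version_in_range(version, rng):
                    return True
    return False


def matching_advisories(advisories, ecosystem, name, version):
    """Ids of every advisory, from any aggregated database, that applies."""
    return [a["id"] for a in advisories
            if is_affected(a, ecosystem, name, version)]
```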

    The vulnerability schema spec has gone through several iterations, but it’s not completed yet. Google and friends are inviting further feedback as it gets closer to being finalized. A number of public vulnerability databases today are already exporting this format, with more in the pipeline.

    The OSV service has also aggregated all of these vulnerability databases, which are viewable at the project’s web UI. The databases can also be queried with a single command via its existing APIs.

    In addition to OSV’s existing automation, Google has built more automation tools for vulnerability database maintenance and used these tools to bootstrap the community Python advisory database. This automation takes existing feeds, accurately matches them to packages, and generates entries containing precise, validated version ranges with minimal human intervention. Google plans to extend this tooling to other ecosystems for which there is no existing vulnerability database or little support for ongoing database maintenance.

    This effort also aligns with the recent US Executive Order on Improving the Nation’s Cybersecurity, which emphasized the need to remove barriers to sharing threat information in order to strengthen national infrastructure. This expanded shared vulnerability database marks an important step toward creating a more secure open-source environment for all users.

    Want to get involved? You should. This promises to make open-source software, no matter what your project, much easier to secure.

  • in

    Amazon launching global competition to find and fix 1 million software bugs

    Amazon announced a new global competition called AWS BugBust, which will allow developers to compete over finding and fixing one million bugs. The company said the competition will also help “reduce technical debt by over $100 million.”

    In a blog post, AWS principal advocate Martin Beeby said AWS BugBust was taking the concept of a bug bash “to a new level” by allowing developers to create and manage private events that effectively “gamify the process of finding and fixing bugs in your software.”

    “Many of the software companies where I’ve worked (including Amazon) run them in the weeks before launching a new product or service. [AWS BugBust] includes automated code analysis, built-in leaderboards, custom challenges, and rewards,” Beeby said. “AWS BugBust fosters team building and introduces some friendly competition into improving code quality and application performance. What’s more, your developers can take part in the world’s largest code challenge, win fantastic prizes, and receive kudos from their peers.”

    Those interested in joining the competition can create an AWS BugBust event through Amazon’s CodeGuru console, a machine learning developer tool that helps identify bugs. AWS BugBust will have a leaderboard for developers and the company will dole out achievement badges and a chance for an expense-paid trip to AWS re:Invent 2021 in Las Vegas.

    Swami Sivasubramanian, vice president of Amazon Machine Learning at AWS, explained that hundreds of thousands of AWS customers are building and deploying new features to applications each day at high velocity and managing complex code at high volumes. “It’s difficult to get time from skilled developers to quickly perform effective code reviews since they’re busy building, innovating, and pushing out deployments,” Sivasubramanian said. “Today, we are excited to announce an entirely new approach to help developers improve code quality, eliminate bugs, and boost application performance, while saving millions of dollars in application resource costs.”

    The AWS BugBust capability is currently available on the East Coast of the US and soon will be available to any region where Amazon CodeGuru is offered.

    Beeby noted that there will be a global leaderboard that will be updated each time a developer fixes a bug and wins points. Any developer that makes it to 100 points will win an AWS BugBust T-shirt, and those who reach 2,000 points will win an AWS BugBust Varsity Jacket.

    The top ten will receive tickets to AWS re:Invent. To compete in the global challenge, projects must be written in Python or Java, as those are the only languages supported by Amazon CodeGuru. Beeby added that all costs incurred by the underlying usage of Amazon CodeGuru Reviewer and Amazon CodeGuru Profiler are free of charge for 30 days with an AWS account.

    “This 30 day free period applies even if you have already utilized the free tiers for Amazon CodeGuru Reviewer and Amazon CodeGuru Profiler. You can create multiple AWS BugBust events within the 30-day free trial period,” Beeby wrote. “After the 30-day free trial expires, you will be charged for Amazon CodeGuru Reviewer and Amazon CodeGuru Profiler based on your usage in the challenge.”

    Amazon included multiple comments from partners who plan to have employees participate in the program, including Belle Fleur and Miami Dade College. “The AWS BugBust Challenge will be a fun and educative addition to our curriculum to help our students become more confident in their ability to use the Python programming language and take their IT careers to the next level,” said Antonio Delgado, Dean of Engineering, Technology and Design at Miami Dade College. “We plan to use AWS BugBust every semester as a platform for our students to showcase and enhance their coding skills, all while being part of an exciting bug-bashing event.”