More stories

  • NATO: Series of cyberattacks could be seen as the same threat as an armed attack

    NATO has updated its stance on what cyberattacks mean and what response is warranted. The North Atlantic Treaty Organization (NATO) – the 30-nation military alliance between North America and Europe – issued a new communique at this week’s Brussels summit outlining how it should respond to national security threats. One of them is cyberattacks, as spotted by The Register. 


    The new policy stance follows high-profile attacks on US fuel distribution network Colonial Pipeline – which paid $4 million to ransomware attackers, half of which was later seized by the FBI – and US meat packer JBS, which paid $11 million to ransomware attackers. The tech world is also still reeling from the SolarWinds hack, which compromised the West’s top cybersecurity firms, and was attributed to the Russian government. And not so long ago, Russia was blamed for the massive NotPetya ransomware outbreak, while North Korea was blamed for 2017’s WannaCry ransomware attack.

    In the wake of such attacks, NATO has endorsed its “Comprehensive Cyber Defence Policy”, which will see the alliance treat cyberattacks on a “case-by-case basis” and may consider them the same as an armed attack. “To face this evolving challenge, we have today endorsed NATO’s Comprehensive Cyber Defence Policy, which will support NATO’s three core tasks and overall deterrence and defence posture, and further enhance our resilience,” the communique reads.

    “We reaffirm that a decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis. Allies recognise that the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack.” NATO first updated its policies so that a cyberattack could lead to the invocation of Article 5, the collective defence rule, back in 2014 – as revealed by ZDNet at the time.

    The NATO alliance committed to “impose costs on those who harm us” if it’s deemed necessary. However, the policy of Western governments currently is in reality mostly limited to naming and shaming the country launching state-sponsored hacks. Joe Biden attended his first NATO meeting as US president and is set to meet with Russian president Vladimir Putin on Wednesday. Biden is expected to demand Russia does more to tackle cybercrime within its jurisdiction. The Colonial attack was blamed on a Russian-based ransomware-as-a-service operation.

    China was also in the spotlight at the NATO summit for its cyber capabilities, disinformation campaigns and expansion of power across the globe. “China’s growing influence and international policies can present challenges that we need to address together as an alliance,” the communique reads. “We will engage China with a view to defending the security interests of the Alliance. We are increasingly confronted by cyber, hybrid, and other asymmetric threats, including disinformation campaigns, and by the malicious use of ever-more sophisticated emerging and disruptive technologies.”

  • Microsoft disrupted this large cloud-based business email scam operation

    Business email compromise (BEC) is a huge and profitable scam, but Microsoft has put a dent in one operation by taking down its cloud infrastructure. To counter these scammers, Microsoft has enlisted its Digital Crimes Unit to tackle the infrastructure they use. Just like other businesses, BEC scammers have moved to the cloud to run operations, but Microsoft claims its investigators have disrupted one large BEC group that was using major cloud providers. 

    While ransomware is grabbing headlines, BEC remains the single most expensive cybercrime problem for American business. The FBI recently reported that Americans lost over $4.2 billion to cyber criminals and scammers in 2020. BEC was by far the biggest cause of reported losses, totaling $1.8 billion across 19,369 complaints.

    In this case, the scammers used cloud-based infrastructure to compromise email accounts through phishing, and then added email-forwarding rules to those accounts, giving the attackers access to emails about financial transactions. The attackers also used several techniques to thwart investigators’ efforts to uncover their activities and infrastructure. “The use of attacker infrastructure hosted in multiple web services allowed the attackers to operate stealthily, characteristic of BEC campaigns. The attackers performed discrete activities for different IPs and timeframes, making it harder for researchers to correlate seemingly disparate activities as a single operation,” Microsoft security researchers explain.

    Microsoft notes that BEC attacks are difficult to detect because they generally don’t pop up on a defender’s alert list and instead blend in with legitimate network traffic. Microsoft is promoting its ability to detect BEC crimes because of its gigantic cloud business across Azure and Microsoft 365, which gives it visibility into email traffic, identities, endpoints, and cloud. “Armed with intelligence on phishing emails, malicious behavior on endpoints, activities in the cloud, and compromised identities, Microsoft researchers connected the dots, gained a view of the end-to-end attack chain, and traced activities back to the infrastructure,” Microsoft said.

    Microsoft correlated the targeted BEC campaign to a prior phishing attack, which gave the attackers credentials and access to victims’ Office 365 mailboxes. It notes that enabling multi-factor authentication can prevent these phishing attacks. Its researchers found that before the attackers created email-forwarding rules, the email accounts received a phishing email with a voice message lure and an HTML attachment. The emails came from an external cloud provider’s address space. The phishing campaign duped users by creating a false but realistic-looking Microsoft login page with the username already populated, and used a JavaScript script to capture and forward the stolen passwords. The forwarding rules were fairly simple. Basically, if the body of the email contained the words “invoice”, “payment”, or “statement”, the compromised accounts were configured to forward the emails to the attacker’s email address.

    While the attackers used different cloud infrastructure to conceal their activities, Microsoft found some common elements in the user agents, such as that the forwarding rules were created with Chrome 79 and that they used rules to not trigger an MFA notification when logging into a Microsoft account. “Credentials checks with user agent ‘BAV2ROPC’, which is likely a code base using legacy protocols like IMAP/POP3, against Exchange Online. This results in an ROPC OAuth flow, which returns an ‘invalid_grant’ in case MFA is enabled, so no MFA notification is sent,” Microsoft notes. As its research uncovered that attackers abused cloud service providers to perpetrate this campaign, Microsoft reported its findings to the cloud security teams for these providers, who suspended the offending accounts, resulting in the takedown of the infrastructure.
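    Two defensive checks that follow from the indicators above, as added example code (not Microsoft's or the page's own): flag inbox rules that forward mail outside the organisation, with the campaign's “invoice”, “payment” and “statement” body filter as the stronger signal, and pull out sign-ins using the BAV2ROPC legacy-auth user agent. The rule fields and the sign-in log line format are constructed assumptions, not a real Exchange Online or Azure AD export.

```python
"""Triage helpers for the two BEC indicators Microsoft describes above:
inbox rules that forward financial mail externally, and sign-ins using the
'BAV2ROPC' legacy-auth user agent. Constructed sample data; the field names
and log line format are assumptions, not a real Exchange/Azure AD export."""
import re
from dataclasses import dataclass

# Words the article says the attackers' forwarding rules matched on.
BEC_KEYWORDS = {"invoice", "payment", "statement"}
# User agent Microsoft associated with legacy-protocol (ROPC) credential checks.
LEGACY_AUTH_UA = "BAV2ROPC"


@dataclass
class InboxRule:
    mailbox: str            # owner of the rule (hypothetical field names)
    name: str
    body_contains: list     # words the rule matches in the message body
    forward_to: list        # addresses the rule forwards matching mail to
    enabled: bool = True


def mail_domain(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def suspicious_forwarding_rules(rules, internal_domains):
    """Return (rule, reasons) pairs for enabled rules that forward outside the org.

    Any external forward is worth a look; a body filter on the campaign's
    financial keywords is the stronger signal and is reported separately.
    """
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rule in rules:
        if not rule.enabled or not rule.forward_to:
            continue
        external = [a for a in rule.forward_to if mail_domain(a) not in internal]
        if not external:
            continue
        reasons = ["forwards to external address(es): " + ", ".join(external)]
        hits = BEC_KEYWORDS & {w.lower() for w in rule.body_contains}
        if hits:
            reasons.append("body filter matches BEC keywords: " + ", ".join(sorted(hits)))
        findings.append((rule, reasons))
    return findings


# Assumed log line shape: <timestamp> user=<upn> ip=<addr> ua="<agent>" result=<code>
SIGNIN_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)" result=(?P<result>\S+)$'
)


def legacy_auth_signins(signin_lines):
    """Parse sign-in lines and return the fields of those using the BAV2ROPC agent.

    With MFA enforced the ROPC flow fails with invalid_grant and no prompt is
    sent, so repeated invalid_grant from this agent is itself a useful alert.
    """
    hits = []
    for line in signin_lines:
        m = SIGNIN_RE.match(line.strip())
        if m and m.group("ua") == LEGACY_AUTH_UA:
            hits.append(m.groupdict())
    return hits


# Constructed sample data for a fictional tenant.
INTERNAL_DOMAINS = ["corp.example"]
SAMPLE_RULES = [
    InboxRule("alice@corp.example", "Finance copy",
              ["Invoice", "payment", "statement"], ["collector@attacker.example"]),
    InboxRule("bob@corp.example", "Newsletters", ["newsletter"], ["bob@corp.example"]),
    InboxRule("carol@corp.example", "Holiday cover", [], ["carol.h@mail.example"]),
    InboxRule("dave@corp.example", "Old rule", ["invoice"], ["x@attacker.example"], enabled=False),
]
SAMPLE_SIGNINS = [
    '2021-06-15T08:02:11Z user=alice@corp.example ip=203.0.113.10 ua="BAV2ROPC" result=invalid_grant',
    '2021-06-15T08:05:44Z user=alice@corp.example ip=198.51.100.23 ua="Mozilla/5.0 Chrome/79.0" result=success',
    '2021-06-15T09:10:02Z user=bob@corp.example ip=203.0.113.10 ua="BAV2ROPC" result=success',
]

if __name__ == "__main__":
    for rule, reasons in suspicious_forwarding_rules(SAMPLE_RULES, INTERNAL_DOMAINS):
        print(f"[rule] {rule.mailbox} '{rule.name}': " + "; ".join(reasons))
    for hit in legacy_auth_signins(SAMPLE_SIGNINS):
        print(f"[signin] {hit['ts']} {hit['user']} from {hit['ip']} -> {hit['result']}")
```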

  • Western Australia finally thinks about quarantining COVID check-in info from cops

    A year after the coronavirus pandemic kicked off, Western Australia has finally introduced legislation into state parliament that would keep the information used by contact tracers away from the state’s law enforcement authorities. The Protection of Information (Entry Registration Information Relating to COVID-19 and Other Infectious Diseases) Bill covers information obtained through contact registers and the SafeWA check-in app. The state currently lacks protections for such information, with WA Police having used it to investigate “two serious crimes”. “The system was introduced in the middle of the global pandemic and while access to this information was lawful, the WA Government’s intention was for contact registers to only be used for contact tracing purposes,” the government said. “Information collected through the SafeWA app has never been able to be used for commercial purposes. This will remain the case under the new legislation.” At the end of 2020, Western Australia mandated that check-in systems needed to be used. “Existing measures require businesses to confidentially and securely store written contact registers, and ensure recorded details are not easily disclosed to other customers,” the government said.

    “Under the new legislation, businesses and venues will continue to be required to retain hardcopy contact registers for 28 days, unless they are required for longer for contact tracing purposes. After that period has passed, businesses and venues must destroy the records as soon as practicable.”

    Premier Mark McGowan claimed his government has “always been committed to protecting contact register information”. “This pandemic is a one in 100-year event and during these extraordinary times, we have acted quickly to introduce measures to keep WA safe in a rapidly changing and unpredictable environment,” he said. “We only have to look at previous cases here in WA, and outbreaks in other jurisdictions to see how critical contact registers are in reducing the spread of COVID-19 and the severity of restrictions and lockdowns.” In May 2020, the Commonwealth government agreed to modify its Privacy Amendment (Public Health Contact Information) Bill to ensure that the nation’s law enforcement authorities were unable to access the data stored as part of its COVIDSafe app.

  • Pandemic prompts digital ‘boom’ in account creation – as well as password fatigue

    The COVID-19 pandemic has become a catalyst for a “boom” in the growth of online account ownership — but has potentially also undermined consumer security.  

    COVID-19 has caused severe economic and societal disruption, not to mention the impact on both our physical and mental health. Lockdowns, shielding, and stay-at-home orders imposed worldwide forced many of us to turn to online sources for everything from our groceries to banking and entertainment, and this led to what IBM calls a “digital reliance” and the need to create more online accounts than ever before. In a new global study of 22,000 participants, conducted by Morning Consult for IBM, the technology vendor examined the impact of the pandemic on consumer security behaviors. The results are in, and they aren’t good.

    With so much else going on, little thought seems to have been given to personal security. As we signed up for account after account — with 15 new online accounts created during the main thrust of the pandemic, on average, per person — 82% of those surveyed admitted sometimes reusing the same passwords and credentials. In total, 44% of respondents simply remembered their passwords, whilst 32% jotted their credentials down on pen and paper. 18% of those surveyed said they make use of a password manager, and a further 18% store passwords in the cloud — such as through Notes or Google Docs.

    Billions of new accounts, therefore, are now active across the Internet worldwide — and 44% of respondents said they do not plan to deactivate these new accounts, a trend IBM says will give consumers “an increased digital footprint for years to come, greatly expanding the attack surface for cybercriminals.” In addition, the report found that convenience often outweighs security concerns, perhaps due to how often we hear of data breaches and the knowledge that so much of our personally identifiable information (PII) is already widely available. Over 51% of the millennial age group, for example, would rather have risked using an insecure app or website than visit a physical store or make a phone call when ordering products and services.

    Image: IBM survey chart (question put to respondents: which statement do you agree with more when placing an order online, even if neither perfectly applies to you?)
    Many online services now require strong passwords and a relatively high level of complexity when users sign up. However, passwords on their own are no longer enough for popular platforms: the moment they are leaked, they can be used in tailored phishing campaigns and social engineering attempts — as well as for direct account hijacking. It is recommended that you consider using a password manager that can generate strong passwords on your behalf and monitor for data leaks that have exposed them online, and, for further security, enable two-factor authentication (2FA) or consider a physical key, such as a YubiKey, for an additional layer of protection.

  • Nationally-known Australian company lawyered up to resist ASD help

    Image: Getty Images
    The Secretary of the Department of Home Affairs, Mike Pezzullo, has spoken out against hacked organisations that refuse assistance from the Australian Signals Directorate (ASD), likening it to refusing to cooperate with an air crash investigation. One such example was discussed in evidence to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) on Friday. “It was a nationally-known case involving a nationally-known company that [ASD director-general Rachel Noble] and I are declining to name at this point,” he said. According to Noble, the ASD first learned of the attack from media reports. “We try to reach out to the company to clarify if the media reports are true, and they don’t want to talk to us. So then we keep pushing,” Noble said. “Sometimes we have to use our own very senior level contacts, sometimes through people in this building [Parliament] who might know members of boards or chairs of boards, to try and establish trust and build a willingness to cooperate.” When a hacked company cooperates, ASD can typically map their networks and identify the criminality involved on the first day.

    When the Victorian health system suffered a ransomware attack in 2019, for example, the malware was quickly identified, and the network was back up and running in four days. “What we left them with was also tools, training, and capability to identify, to protect themselves from a similar attack, but more quickly identify it happening again,” Noble said. However, the unnamed company lawyered up, and it took a week for the ASD to get even basic network information. “Five days later we’re still getting a very sort of sluggish engagement of trying to get them to help provide data to us and deploy some of our tools so we can work out what’s happening on their networks. That goes for 13 days,” Noble said. “This incident had a national impact on our country. On day 14, we’re able to only provide them with generic protection advice, and their network is still down. Three months later, they get reinfected, and we start again.”

    Noble says this is why the ASD needs the powers that would be granted by the legislation currently under review by the PJCIS, the Security Legislation Amendment (Critical Infrastructure) Bill 2020. “This legislation actually just gives us the authority, through Home Affairs, more leverage to expect these critical infrastructure providers to actually have better cybersecurity standards in the first place,” she said. “The best part of this legislation, from my point of view, is if they look after themselves, it doesn’t become work for my people. And if their defences are much higher, they’re keeping the low level crims out, and then we might be able to focus on the much more sophisticated highly organised criminal syndicates or state actors.”

    Unregulated libertarian cyberplanes endanger the commons

    Pezzullo says Parliament has a duty to “think about the regulation of cyberspace in the way that you would think about the regulation of other commons”. “Every time one of our planes go down, of course we collaborate with the investigators, and we work out where all the bodies were, and the wreckage of the parts, and we help with the safety investigation,” he said. Not only do we learn lessons from crashes, he said, but we also regulate the movement of aircraft through our skies. “The development of the internet’s been organic. It’s been driven by a somewhat unusual combination of libertarian impulses on the one hand, and profit-driven motivations on the other hand,” Pezzullo said. “Every time you connect, you are flying unsafely through airspace. We would not tolerate our airspace being ungoverned and unregulated by the state.”

    Noble spruiked the advantages of cooperating with the ASD. “Our people in ASD are in hand-to-hand combat with criminals and state-based sectors every single day. We have the benefit of top secret intelligence provided to us from around the world, not just our own intelligence that we can gather, [and] 75 years of investment in technical capability to analyse and unpack it with an incredible posture and ability to understand, through our cyber defence capabilities, what’s happening on Australia’s internet.”

    Why would businesses refuse assistance?

    Apart from potential philosophical objections, Noble offered a range of theories. First, there’s what she called “ICT professional hubris”. Organisations want to believe they’ve got the technical skills and don’t need help. “We understand that people feel that way. That’s usually before they’ve actually fully appreciated what they’re dealing with,” Noble said. Second, the scenario Noble believes brings the lawyers into the room is when the organisation doesn’t have an incident response plan. They don’t know how they’ll manage public communication, relations with their suppliers and customers, potential brand damage, and other commercial interests. Third, there are questions of liability, ranging from matters of directors’ duties and whether they’ve been negligent, to acting on ASD advice which then has an adverse effect on the company. As PJCIS chair Senator James Paterson noted, some submitters to the inquiry have said the protection from liability offered in the Bill may not be sufficient.

    Pezzullo said this review of critical infrastructure law shouldn’t be seen as a standalone action. There’s work being done as part of the 2020 Cyber Security Strategy “that goes precisely to the question of corporations law, directors duties, [and] better practice regulation in this field”. “In fairness to the executive management teams that are grappling with this, things like insurance products, the actuarial costing and pricing of the risk, the depth of the reinsurance pool, the case law, is not particularly well formed,” Pezzullo said. “We really are in the early days of flight. It’s just that the adversaries learned how to fly and they got better planes at the moment than most firms.”

    Disrupting the Cyber Pirates of the Caribbean

    On the broader question of dealing with malicious actors online, Pezzullo said governments needed to go on the offensive. Police and intelligence agencies, sometimes with the assistance of military cyber forces, are striking at these actors in the “havens”, but some are beyond reach. “Regrettably states — some states — either turn a blind eye to their activities, or actively enable and sponsor them. Regrettably, state protection emboldens these malicious actors,” he said. One model to tackle this challenge might be the global counterterrorism model that was put in place after 9/11 to deal with al Qaida, but Pezzullo proposed something quite different. “Another model that I would suggest to this committee that is worth reflecting on, as you consider this bill and consider your report, is the campaign that was mounted in the 17th, 18th, and then in the beginning of the 19th century, to clear the world’s oceans of pirates, including the pirates of the Caribbean, who were defeated by Her Majesty’s warships of the Royal Navy, in concert with bringing law to a lawless ocean,” he said. “This is a problem with which we can deal, just as Britain overcame piracy. But we need the tools to do so, including the requisite legal authorities.”

  • Stripe launches Stripe Identity, an identity verification tool for online businesses

    Stripe on Monday announced the launch of Stripe Identity, an identity verification system for online businesses. The self-service tool is designed to let businesses deploy a verification flow fully hosted by Stripe as a means of reducing fraud, preventing account takeovers and stopping bad actors.

    “Businesses have been asking us for an easy and fast way to verify identities online. Stripe Identity offers them just that,” said Rob Daly, head of engineering for Stripe Identity. “Now, any internet business — from a five-person startup to a multinational enterprise — can begin securely verifying the identities of their users in a matter of minutes, not weeks or months.”

    Stripe Identity can be integrated via either a low-code or a no-code option. The low-code integration, hosted by Stripe, lets businesses get up and running with verification in minutes, Stripe said. The no-code option lets fraud and risk teams generate verification links to assess suspicious transactions or high-risk users. As part of the identity verification process, users take a photo of their government ID and a live selfie, which Stripe’s machine learning then matches to the ID. Businesses can also request that users provide additional information that can be checked against third-party records. The information collected is encrypted and sent directly to Stripe, which means no sensitive, personal information is ever stored on a business’s own servers. The entire verification process for an individual user can be completed in 15 seconds, Stripe said.

    The launch of Stripe Identity comes a week after the company rolled out Stripe Tax, a new compliance tool that lets businesses automate the calculation and collection of sales tax, value-added tax (VAT), and goods and services tax (GST). It also creates comprehensive reports that make it easier for businesses to file taxes.

  • This data and password-stealing malware is spreading in an unusual way

    Attackers behind the malware known as SolarMarker are using PDF documents filled with search engine optimization (SEO) keywords to boost their visibility on search engines in order to lead potential victims to malware on a malicious site that poses as Google Drive. 


    According to Microsoft, SolarMarker is a backdoor malware that steals data and credentials from browsers. SEO poisoning is an old-school technique that uses search engines to spread malware. In this case, the attackers are using thousands of PDFs filled with keywords and links that redirect the unwary across multiple sites towards one that installs the malware. “The attack works by using PDF documents designed to rank on search results. To achieve this, attackers padded these documents with >10 pages of keywords on a wide range of topics, from ‘insurance form’ and ‘acceptance of contract’ to ‘how to join in SQL’ and ‘math answers’,” said Microsoft Security Intelligence in a tweet.

    CrowdStrike raised an alarm about SolarMarker in February for using the same SEO poisoning tactics. The malware predominantly targeted users in North America. The attackers were hosting pages on Google Sites as lures for the malicious downloads. The sites advertised document downloads and were themselves often highly ranked in search results. Microsoft researchers found the attackers have started using Amazon Web Services (AWS) and Strikingly’s service as well as Google Sites.

    “When opened, the PDFs prompt users to download a .doc file or a .pdf version of their desired info. Users who click the links are redirected through 5 to 7 sites with TLDs like .site, .tk, and .ga,” Microsoft said. “After multiple redirections, users reach an attacker-controlled site, which imitates Google Drive, and are asked to download the file.” This typically leads to the SolarMarker/Jupyter malware, but Microsoft has also seen random files being downloaded as part of an apparent method to dodge detection, it added. It exfiltrates stolen data to a command-and-control server and persists by creating shortcuts in the Startup folder as well as modifying shortcuts on the desktop.

    “Microsoft 365 Defender data shows that the SEO poisoning technique is effective, given that Microsoft Defender Antivirus has detected and blocked thousands of these PDF documents in numerous environments,” Microsoft said.

  • Ransomware is the top cybersecurity threat we face, warns cyber chief

    Ransomware is one of the key cybersecurity threats facing the UK and the cyber criminal groups behind it are becoming more dangerous, the UK’s cyber chief is to warn.

    Lindy Cameron, the head of the National Cyber Security Centre (NCSC), will say that the organisation – the cyber security arm of spy agency GCHQ – is committed to tackling the threat of ransomware and “supports victims of ransomware every day”, but that a coordinated response is required to combat the growing threat. While state-sponsored hacking campaigns pose a “malicious strategic threat to the UK’s national interests”, it’s cyber crime – and in particular ransomware – which has become the biggest threat.

    “For the vast majority of UK citizens and businesses, and indeed for the vast majority of critical national infrastructure providers and government service providers, the primary key threat is not state actors but cyber criminals,” Cameron is due to say in a speech to the Royal United Services Institute (RUSI) defence and security think tank.

    Recent incidents like the ransomware attacks against Colonial Pipeline and meat processor JBS, as well as the ransomware attack against the Irish healthcare service, have demonstrated how disruptive these cyber criminal campaigns can be to critical services. Meanwhile, UK organisations including businesses, government agencies, schools and universities have all fallen victim to ransomware attacks this year.

    Not only are cyber criminal ransomware groups encrypting networks and demanding a significant payment in exchange for the decryption key, it’s now common for them to also steal sensitive information and threaten to release it unless a ransom is paid – often leading victims to feel as if they have no choice but to give in to the extortion demands.

    “As the business model has become more and more successful, with these groups securing significant ransom payments from large profitable businesses who cannot afford to lose their data to encryption or to suffer the down time while their services are offline, the market for ransomware has become increasingly professional,” Cameron will say.

    Ransomware is successful because it works; in many cases because organisations still don’t have the appropriate cyber defences in place to prevent cyber criminals infiltrating their network in the first place, in what the NCSC CEO described as “the cumulative effect of a failure to manage cyber risk and the failure to take the threat of cyber criminality seriously”. But another reason it has become such a problem, particularly for the West, is that many of the most successful ransomware groups are working out of what Cameron described as “overseas jurisdictions who turn a blind eye or otherwise fail to act to pursue these groups”. Russia in particular is thought to be home to a number of cyber criminal ransomware groups, but the government doesn’t act on their activity because they’re not harming Russian businesses or citizens. “These criminals don’t exist in a vacuum. They are often enabled and facilitated by states acting with impunity,” she said.

    However, Cameron will say it’s possible to fight against the blight of ransomware by combining the efforts of cybersecurity experts and the government with wider international cooperation. “In some respects, our response to ransomware is straightforward: we need to continue to build the UK’s cyber resilience so that attacks cannot reach their targets in the first place,” she said. “But in many other respects it requires a whole of government response. This starts with the efforts to prevent the activities of the groups behind these damaging attacks”. Ransomware isn’t a problem for the UK alone, though, and Cameron stressed the importance of working with other countries to tackle what is truly an international problem.