More stories


    Ransomware: Russia told to tackle cyber criminals operating from within its borders

    The United States and other G7 countries have warned countries that allow ransomware groups to operate from within their borders, and don’t make any efforts to deter their actions, that they will be held accountable for their lack of action. The warning comes as the leaders of the G7 group of countries have jointly announced a commitment to fight what they described as the global challenge of ransomware.


    The declaration – made by Canada, France, Germany, Italy, Japan, the United Kingdom and the United States at the G7 Summit in Cornwall, England – follows a string of high-profile ransomware attacks.

    Organisations that have had their networks encrypted by ransomware in recent weeks include Colonial Pipeline and meat processor JBS. Colonial paid cyber criminals over $4 million in Bitcoin in exchange for the decryption key for DarkSide ransomware, while JBS paid $11 million after getting hacked and having their network encrypted with REvil ransomware.

    Such is the extent of the problem that US President Joe Biden and the other G7 leaders have vowed to combine forces in an effort to combat ransomware attacks. “We’ve agreed that we’re going to work together to address cyber threats from state and non-state actors like criminal ransomware networks, and hold countries accountable that harbor criminal ransomware actors who don’t hold them accountable,” said President Biden.

    A joint statement published following the G7 Summit specifically calls out Russia to do more when it comes to stopping cyberattacks and to “identify, disrupt, and hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other cyber crimes”. Many of the most notorious ransomware gangs are suspected to operate out of Russia, and the consensus among cybersecurity experts is that Russian cyber criminals are allowed to conduct their operations so long as they don’t target Russians.

    The G7 countries have also vowed to ensure that organisations – particularly those operating critical infrastructure – are secure against cybersecurity threats like ransomware. “The international community—both governments and private sector actors—must work together to ensure that critical infrastructure is resilient against this threat, that malicious cyber activity is investigated and prosecuted, that we bolster our collective cyber defenses, and that States address the criminal activity taking place within their borders,” said a White House statement. “The United States and our G7 partners are committed to working together to urgently address the escalating shared threat from criminal ransomware networks,” the statement added.



    Dentist charged by SEC for digital token project fraud, pump-and-dump AI stock scheme

    The US Securities and Exchange Commission (SEC) has charged a Florida national for his alleged role in three separate securities fraud scams. 

    Edgar Radjabli, a former dentist, controlled Apis Capital Management LLC, marketed as an advisory firm that the SEC says was unregistered. Through this company, Radjabli allegedly controlled Apis Tokens as a managing partner, an offering called the “first tokenized hedge fund” which was based on the Stellar platform.

    Apis Tokens were touted as a way for investors to access the ACM Market Neutral Volatility Strategy fund by converting cryptocurrency including Bitcoin (BTC) and Ethereum (ETH) into Apis Tokens and stakes in the fund. “The offering model of the Apis Token is different from a traditional ICO, as it allows investors to subscribe throughout the month, with the funds collected deployed at month’s end and the tokens simultaneously issued to investors,” the company claimed.

    In June 2018, Apis Capital said that $1.7 million in funds had been raised and was “allocated to the strategy.” However, the SEC says that no money at all had been secured. By November, the organization said it intended to buy the blockchain AI division from White Company, and in December, Apis Capital claimed that the firm’s investment arm, Apis Ventures, was planning to buy Veritone for $200 million.

    The claimed deal placed Veritone shares at $10.26 per share, a 93% premium over the closing price on December 7, 2018. “We are committed to completing this transaction and remain willing to work cooperatively with Veritone,” Radjabli said in a press release at the time. “Our vision for the company involves significant synergy with our growing portfolio of AI and machine learning investments, opening up new opportunities for Veritone’s technology.” Veritone is a publicly traded developer of operating systems for artificial intelligence (AI) solutions.

    According to US regulators, “in truth, Radjabli and Apis Capital lacked the financing or any reasonable prospect of obtaining the financing necessary to complete the deal.” Instead, by hyping investor interest with a 93% premium price offering, shares surged — and Radjabli allegedly claimed $162,800 in profit by trading Veritone stock through both Apis Capital and an affiliated fund.

    The fraudulent fund claim and the pump-and-dump stock scheme were also joined by a third scam allegedly pulled off by the ex-dentist, who also managed to raise close to $20 million from over 450 investors in an unregistered, fraudulent securities offering. The SEC says that Radjabli launched the offering through My Loan Doctor and told traders that cash raised would be used to find and sell on loans made to healthcare professionals to large investors. Instead, however, the bulk of the funds were allegedly invested in uninsured and unsecured loans, and close to $1.8 million was sent to Apis Capital.

    Radjabli, Apis Capital, and Loan Doctor have been charged with violating antitrust and securities laws. A settlement has been agreed, subject to court approval, in which Radjabli and the two entities must pay $600,000 in damages. Conduct-based injunctions would also be put in place and Radjabli would be banned from penny stocks and the securities industry as a whole, if accepted.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    Volkswagen, Audi disclose data breach impacting over 3.3 million customers, interested buyers

    Volkswagen has revealed a data breach impacting over 3.3 million customers.

    The majority of impacted individuals are either current or prospective buyers of Audi vehicles. 163,000 individuals are in Canada, whereas the rest are in the United States. On Friday, the automaker said that a compilation of data used for sales and marketing purposes between 2014 and 2019 was left unsecured and exposed online “at some point” between August 2019 and May 2021, although the exact timeline has not been established.

    An associate vendor has been identified as the source of the breach, but the company has not been named. Audi and Volkswagen were alerted that “an unauthorized third party” may have accessed this information on March 10.

    Volkswagen says that first and last names, personal and/or business mailing addresses, email addresses, and phone numbers may have been exposed in the breach, alongside information concerning “vehicle[s] purchased, leased, or inquired about,” such as vehicle ID numbers, makes, models, years, and colors. Volkswagen has informed relevant authorities and law enforcement of the data breach.

    Reuters reports that regulators have been told that the majority of records only relate to phone numbers and email addresses; however, roughly 90,000 Audi customers and potential buyers in the US may have had purchase and lease eligibility data compromised, such as driving license numbers, dates of birth, Social Security numbers, account or loan numbers, and tax identification numbers.

    Individuals whose sensitive data has been exposed will be offered free credit monitoring through an enrollment code. The company says that anyone notified, but not offered this code, did not have information deemed sensitive compromised and so should stay alert for phishing emails or spam based on any of the basic data leaked.

    Emails or letters may also be sent to those involved in the security incident who were not direct customers or prospective buyers. “In a limited number of cases, an Audi or Volkswagen customer or interested buyer provided names and contact information for a relative or personal reference to an authorized dealer for purposes of seeking financing of some kind,” notification partner IDX says.

    Volkswagen says that external cybersecurity experts have been pulled in to investigate the incident. “Audi and Volkswagen are working with third-party cybersecurity experts to assess and respond to this situation and have taken steps to address the matter with the vendor involved,” the firms say. A help hub has been set up by IDX for those who believe they have been impacted by the data breach.


    Codecov to retire the Bash script responsible for supply chain attack wave

    Codecov has introduced a new uploader that relies on NodeJS to replace and remove a Bash script responsible for a recent supply chain attack. 

    The San Francisco-based DevOps tool provider said in a blog post that the new uploader will be shipped as a static binary executable suitable for Windows, Linux, Alpine Linux, and macOS. The uploader, used in the same manner as the existing Bash uploader, is used to push coverage data and updates to products during development cycles. The uploader is currently in the Beta stage and so is yet to be fully integrated, but Codecov says that “most standard workflows that are currently accomplished with the Bash Uploader can be accomplished with the new uploader.”

    Codecov’s Bash uploader was the source of a string of supply chain attacks taking place around January 31, 2021, made public on April 15. By infiltrating Codecov’s network and hijacking the Bash uploader, the threat actors ensured that rather than pushing “healthier” code during project updates, as Codecov intends, users were instead subject to the theft of information stored in their continuous integration (CI) environments. The attack may have also allowed the attackers to “raid additional resources,” according to investigators brought in after the breach was made public — including credentials, potentially leading to wider network compromise in some cases. It is thought that hundreds of organizations may have become embroiled in the security incident. Known victims include Rapid7, Monday.com, Mercari, and Twilio.

    Codecov’s Bash uploader range — the Codecov-actions uploader for GitHub, CircleCI Orb, and Bitrise Step — were all impacted. The company says that with the introduction of the new uploader, all other language-specific uploaders will be deprecated, with “special attention” paid to the Bash uploader at fault.

    Codecov has been working on the NodeJS uploader for eight months, originally to reduce the increasing complexity of facilitating uploads and maintenance as the Codecov customer base increased. Now that the Bash script is tied to a severe security incident, however, the upgrade has become an urgent necessity. “The distribution mechanism of choice (i.e., curl pipe to bash) while incredibly convenient, is notoriously problematic from a security perspective,” Codecov said. “The weaknesses of the curl | bash approach came to the forefront during [the] recent security event.”

    The new uploader is now available for public use under the Beta umbrella and includes a more secure, verifiable distribution architecture, protections against unauthorized code modification, and an improved CI/CD pipeline for conducting automated testing of the uploader on Windows, Linux, and macOS. Codecov hopes to deprecate the Bash uploader from November, with a full sunset of the system planned for after February 1, 2022. The organization has also outlined other security improvements in the wake of the attacks.
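The curl | bash weakness Codecov describes above is that whatever the server sends is executed immediately, with no chance to check it; a tampered script runs with the CI job's credentials. The defensive pattern is to download to a file, compare it against a digest pinned in your own repository or CI configuration, and execute only on a match. The script below is an added example written for this page; it is not Codecov's uploader or its new distribution code, and the `verify_then_run`, `fetch_verify_run` and `demo` functions, the constructed stand-in script and the digest values are all assumptions of the example.

```shell
#!/bin/sh
# Added example (not Codecov's uploader or distribution code): fetch an
# install script to a file, compare it against a pinned SHA-256, and run it
# only when the digest matches. Nothing is piped straight from the network
# into a shell.
set -eu

# Hex SHA-256 of a file; works with GNU coreutils or BSD/macOS tooling.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_then_run FILE EXPECTED_SHA256
# Runs FILE with sh only when its digest equals EXPECTED_SHA256 (compared
# case-insensitively). On mismatch the file is left unexecuted and the
# function returns 1, so a CI step running under `set -e` fails closed.
verify_then_run() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run $file: expected sha256 $expected, got $actual" >&2
    return 1
  fi
  sh "$file"
}

# fetch_verify_run URL EXPECTED_SHA256
# Real-world wrapper (assumed, not from the page): curl to a temp file,
# never to sh's stdin, then verify, run and clean up. The pinned digest
# should come from a channel independent of the download itself, e.g. the
# vendor's signed release notes, and be committed alongside the CI config.
fetch_verify_run() {
  tmp=$(mktemp)
  curl -fsSL -o "$tmp" "$1"
  rc=0
  verify_then_run "$tmp" "$2" || rc=$?
  rm -f "$tmp"
  return $rc
}

# Constructed offline demo: a harmless script stands in for a downloaded
# uploader. First run: digest matches, script executes. Then the file is
# modified to simulate a tampered download and must be refused.
demo() {
  tmp=$(mktemp)
  printf '%s\n' 'echo "uploader ran"' > "$tmp"
  pinned=$(sha256_of "$tmp")
  verify_then_run "$tmp" "$pinned"
  printf '%s\n' 'echo "tampered"' >> "$tmp"
  if verify_then_run "$tmp" "$pinned"; then
    echo "BUG: tampered file was executed" >&2
    rm -f "$tmp"
    return 1
  fi
  rm -f "$tmp"
}

demo
```

A pinned digest only moves the trust question to how the digest reached you: if it is fetched from the same host at the same time as the script, an attacker who can alter one can alter both, which is why the example expects the digest to be committed in the consumer's own repository and updated deliberately on each vendor release.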


    Cyber resilience company Immersive Labs announces $75 million Series C round

    Cybersecurity readiness firm Immersive Labs has announced a $75 million Series C round, with investments from Citi Ventures, Menlo Ventures and follow-on from Goldman Sachs Asset Management. The company helps organizations analyze their cybersecurity “across technical and non-technical teams” while also providing tools to help improve cyber training.

    Immersive Labs is now marketing a new “Cyber Workforce Optimization” platform that will strive to provide a slate of services related to identifying cybersecurity gaps in an enterprise. “From crisis management with executives, to secure software development amongst engineers and ensuring compliance in legal teams, the platform will use data insights to understand where skills are required and inject role specific training,” the company said of their services in a statement. “It will also enable board-level metrics and benchmarking.” The company has already received $48 million in venture funding and the platform is being used at companies like Vodafone and HSBC as well as organizations like the NHS in the UK.

    “While technology has traditionally been used to plug this gap, it is incapable of making nuanced decisions, thinking laterally, instilling culture, showing leadership or taking into account numerous other crucial factors,” James Hadley, CEO of Immersive Labs, told ZDNet. “We believe human intelligence deserves to reclaim its place alongside Artificial Intelligence in cybersecurity to help organizations build resilience and reduce risk.” Hadley said cybersecurity knowledge and skills should no longer be the “preserve of a few technical people hidden away in a back office.”

    He added that the new funding will allow the company to add “new analytical capabilities and content to provide a more detailed picture of skills across the growing breadth and depth of cyber exposure facing organizations, helping them measure and manage risk better.” Cyber knowledge, skills and capabilities, he said, are growing in demand across entire organizations: not only do security teams need continual upskilling, but developers need to know how to write secure code and teams need to hire the right talent.

    “This creates a need for skills in both technical and non-technical teams in a way that keeps pace with the attackers. To do this, first you need to understand where these gaps lie. Our platform is capable of collecting this information using our own online learning environments, where people are dropped into cybersecurity scenarios and exercises that cover all topics and roles, from a CEO wargaming a ransomware attack with their whole team to a front-line analyst individually reverse engineering malware,” Hadley explained. “By collecting information on who has been upskilled against which threats specific to their role and when, and cross-referencing this with metadata, we can provide an organization-wide view of skills capabilities.”

    The platform offers training sessions and gamified environments to help fill any skills gaps that are discovered during the analysis process. “This is a far more cost-effective and efficient way of training, speeding up the skills cycle in a way that is more relevant to today’s remote workforce and the threat at hand. It will also allow CISOs to report on skills levels to the board to make them a bigger part of overall business cyber resilience,” Hadley added. “At the heart of our platform are labs and crisis scenarios: gamified story-driven exercises accessible on-demand through the browser and suitable for a range of different roles and technical abilities. These are informed by emerging threat intelligence and are compiled by our team of in-house experts who specialize in everything from cyber crises to application security to encryption. New labs are created continually, sometimes within hours of a new threat emerging.”

    The company will use the recent funding influx to expand its footprint internationally and bring its global headcount to 600 within the next two years. There are also plans for regional operation centers in Europe and the Asia Pacific region. The company currently has headquarters in Boston and Bristol, with about 200 total employees.

    Venky Ganesan, a partner at Menlo Ventures, said the cybersecurity labor shortage made it important for organizations to get every employee up to speed on the latest threats. “Immersive Labs helps large organizations confront this head-on by combining smart data analysis with targeted training. The cybersecurity threat will only increase, making Immersive Labs future proof as they seek to help large enterprises educate and arm themselves against ever-evolving threats,” Ganesan said. Other investors, like Arvind Purushotham from Citi Ventures, echoed those ideas, noting that Immersive Labs’ work “creates visibility into and optimizes one of the most valuable assets in cyber defense, the human defenders.”


    This app teaches you how to make your iPhone secure

    A big part of making security work is educating users about the importance of it, and how quickly (and usually effortlessly) the bad guys can take advantage of our mistakes. This is exactly what iVerify does.

    First and foremost, iVerify is a security scanner that makes sure you are making use of the basic security features such as Face/Touch ID, Screen Lock, and are running the latest iOS version. It also runs a device scan that looks for security anomalies and gives you a heads up if something seems out of place. It can be very hard to spot if an iPhone has been hacked, so having a tool installed that keeps an eye out for the telltale signs of intrusion offers peace of mind.

    iVerify is also packed with guides that look at the many different security features built into iOS, and how you can take advantage of them to secure your iPhone (or iPad). There’s also a whole raft of other cool stuff, from information on securing your Apple, Facebook, Google, Instagram, LinkedIn, and Twitter accounts, information on activating DNS over HTTPS, a periodic reboot reminder (a simple way to protect yourself from remote exploits), and even a page that offers the latest security news.

    iVerify is a brilliant app that gets regular updates to keep the information fresh and up-to-date. iVerify is not free — it costs $2.99 — but it’s truly worth the money if you take security seriously. Even if you know your way around iOS well, you’re likely to learn a few new things from going through all the guides contained in this app. iVerify requires iOS 13.0 or later or iPadOS 13 or later, and is compatible with iPhone, iPad, and iPod touch.


    iVerify (version 17)

    iOS Haptic Touch: Just long-press on an app and see what pops up. It might be useful, it might not be. It depends on the app! You can even do the same with built-in iOS features, such as Control Center.


    Avaddon ransomware group closes shop, sends all 2,934 decryption keys to BleepingComputer

    Avaddon ransomware group, one of the most prolific ransomware groups in 2021, has announced that they are shutting the operation down and giving thousands of victims a decryption tool for free. BleepingComputer’s Lawrence Abrams said he was sent an anonymous email with a password and link to a ZIP file named “Decryption Keys Ransomware Avaddon.” The file had decryption keys for 2,934 victims of the Avaddon ransomware. The startling figure is another example of how many organizations never disclose attacks, as some reports have previously attributed just 88 attacks to Avaddon.

    Abrams worked with Emsisoft chief technology officer Fabian Wosar and Coveware’s Michael Gillespie to check the files and verify the decryption keys. Emsisoft created a free tool that Avaddon victims can use to decrypt files. Ransomware gangs — like those behind Crysis, AES-NI, Shade, FilesLocker, Ziggy — have at times released decryption keys and shut down for a variety of reasons. A free Avaddon decryption tool was released by a student in Spain in February, but the gang quickly updated their code to make it foolproof again.

    “This isn’t new and isn’t without precedence. Several ransomware threat actors have released the key database or master keys when they decide to shut down their operations,” Wosar told ZDNet. “Ultimately, the key database we obtained suggests that they had at least 2,934 victims. Given the average Avaddon ransom at about $600,000 and average payment rates for ransomware, you can probably come up with a decent estimate of how much Avaddon generated.”

    Wosar added that the people behind Avaddon had probably made enough money doing ransomware that they had no reason to continue. According to Wosar, ransom negotiators have been noticing an urgency when dealing with Avaddon operators in recent weeks. Negotiators with the gang are caving “instantly to even the most meager counter offers during the past couple of days.” “So this would suggest that this has been a planned shutdown and winding down of operations and didn’t surprise the people involved,” Wosar explained.

    Data from Recorded Future has shown that Avaddon accounted for nearly 24% of all ransomware incidents since the attack on Colonial Pipeline in May. An eSentire report on ransomware said Avaddon was first seen in February 2019 and operated as a ransomware-as-a-service model, with the developers giving affiliates a negotiable 65% of all ransoms. “The Avaddon threat actors are also said to offer their victims 24/7 support and resources on purchasing Bitcoin, testing files for decryption, and other challenges that may hinder victims from paying the ransom,” the report said. “What’s interesting about this ransomware group is the design of its Dark Web blog site. They not only claim to provide full dumps of their victims’ documents, but they also feature a Countdown Clock, showing how much time each victim has left to pay. And to further twist their victims’ arms, they threaten to DDoS their website if they don’t agree to pay immediately.”

    The group has a lengthy list of prominent victims that include Henry Oil & Gas, European insurance giant AXA, computer hardware company EVGA, software company Vistex, insurance broker Letton Percival, the Indonesian government’s airport company PT Angkasa Pura I, Acer Finance and dozens of healthcare organizations like Bridgeway Senior Healthcare in New Jersey, Capital Medical Center in Olympia, Washington and others. The gang made a note of publishing the data stolen during ransomware attacks on its dark web site, DomainTools researcher Chad Anderson told ZDNet last month. Both the FBI and the Australian Cyber Security Centre released notices last month warning healthcare institutions about the threat of Avaddon ransomware.

    The notice said “Avaddon threat actors demand ransom payment via Bitcoin (BTC), with an average demand of BTC 0.73 (approximately USD $40,000) with the lure of a decryption tool offered (‘Avaddon General Decryptor’) if payment is made.” The group was also implicated in multiple attacks on manufacturing companies across South America and Europe, according to the Australian Cyber Security Centre. Cybersecurity firm Flashpoint said that alongside REvil, LockBit, and Conti, Avaddon was one of the most prolific ransomware groups currently active.

    Digital Shadows’ Photon Research Team told ZDNet in May that a forum representative for the Avaddon ransomware took to the Exploit forum to announce new rules for affiliates that included bans on targeting “the public, education, healthcare, and charity sectors.” The group also banned affiliates from attacking Russia or any other CIS countries. US President Joe Biden is expected to press Russian President Vladimir Putin on ransomware attacks at a summit in Geneva on June 16.