Information Technology

The Australian government has flagged its intention to mandate the Essential Eight mitigation strategies, despite many entities not fully wrapping their heads around the Top Four. Since 2013, non-corporate Commonwealth entities (NCCEs) have been required to undertake an annual self-assessment against the Top Four strategies, which are mandated by the Attorney-General’s Department (AGD) Protective Security Policy Framework (PSPF). Entities report their overall compliance with mandatory requirements to AGD.The Joint Committee of Public Accounts and Audit (JCPAA) last year reviewed a pair of reports from the Australian National Audit Office (ANAO). A report on this probe from the JCPAA in December asked AGD whether it was feasible to mandate the Essential Eight, a call the committee made in October 2017, as well as report back on why any entities have yet to implement the Top Four mandated in April 2013.See also: ASD Essential Eight cybersecurity controls not essential: CanberraIn its response [PDF] to the JCPAA, AGD said it remains committed to maintaining robust protective security standards to ensure the PSPF supports entities to manage their risks.”The department has carefully considered … and has held detailed discussions with the [Australian Cyber Security Centre] on the cybersecurity settings in the PSPF,” AGD wrote.”On this basis, the department will recommend an amendment to the PSPF to mandate the Essential Eight.

“This reflects the ACSC’s advice that entities should progress maturity across all eight strategies … rather than focusing efforts on a smaller subset like the Top Four, as this provides a greater level of protection.”AGD said such an approach has been endorsed by the Government Security Committee, which is an interdepartmental committee that provides strategic oversight of protective security policy.Although keen to make the Essential Eight essential, AGD said doing so would have an impact on the entities required to implement them.”As a result, the department has commenced consultation with the 98 NCCEs about the implications of this proposal,” it added. “The department expects responses from NCCEs by the end of June 2021.”It is also preparing draft amendments to the PSPF and said it is currently considering timeframes for implementation.Another one of the JCPAA’s recommendations was that AGD update the committee on its benchmarking process for Commonwealth entities’ reported compliance with cybersecurity requirements. See also: Labor wants to name and shame poor Commonwealth entity cyber postureANAO in March published findings of an investigation into the effectiveness of cybersecurity risk mitigation strategies implemented by seven government entities, and declared none have fully implemented all the mandatory benchmarks and that self-reporting was weak.AGD told the JCPAA it is “exploring options, including moderation, to further support entities to improve the accuracy of their self-assessments”.”In addition, the department is also reviewing the existing maturity model to ensure it is fit for purpose,” it said.HERE’S MORE More

The Australian Department of Health has asked for the government to provide more guidance on how to get de-identification right, hoping such advice will be provided when the Privacy Act 1988 receives a facelift.Health, in a submission [PDF] to a review of the Act underway by the Attorney-General’s Department, said the de-identification of data, given the risk of re-identification, is a complex area.”Particularly given the burgeoning demand for access to public sector data at very granular levels, and for linkage with other datasets,” it wrote. The department said that while the Office of the Australian Information Commissioner (OAIC) has published guidance materials on de-identification, data custodians may still need to seek specialist expertise in order to be satisfied that the likelihood of re-identification is low, “particularly in light of advances in data analytic technologies”.”The department is of the view that any changes in the Privacy Act that require additional protections in relation to de-identified, anonymised, and pseudonymised information … will need to be supported by appropriate guidance and expertise in order for implementation to be effective,” it said.See also: Nearly 12-months old COVIDSafe legislation cited as cause of Privacy Act review delaysThe department raised these concerns alongside the issue of genomic information.

“Genomic information will only fall within the scope of the Privacy Act if it meets the definition of personal information in s 6(1) of the Privacy Act, which can be challenging particularly in the context of data sharing and linkage activities necessary for genomics,” it explained.”There is uncertainty and inconsistency in the application of the current test as to whether genomic information is ‘about’ an individual who is ‘reasonably identifiable’, in which case it falls within scope of Privacy Act.”Health said it is therefore difficult to assess when genomic information may render a person reasonably identifiable, particularly as data moves between different collections with different data linkage possibilities.”Such lack of clarity is likely to present a barrier to the uptake of clinical genomic research and services, as individuals may be unwilling to share their genomic information,” it said.On the idea of balancing the provision of adequate information to individuals and minimising regulatory burden, Health noted there are currently up to 10 different requirements that could be included in Australian Privacy Principle (APP) 5 — APP 5 requires an APP entity that collects personal information about an individual to take reasonable steps either to notify the individual of certain matters or to ensure the individual is aware of those matters.”The department would be broadly supportive of appropriate measures to simplify this process, including additional guidance about the scope of APP 5 notices, the role of overarching privacy notices in making individuals aware of APP 5 matters, and the development of a standard form of words to assist APP entities in complying with APP 5 obligations,” it wrote.”In addition, the department would further support any appropriate measures that assist in clarifying how the primary purpose of collection should be interpreted, particularly where there could be multiple purposes for which personal information is being collected.”The department said it would welcome any appropriate measures aimed at simplifying the notification process relevant to APP 5, in particular the development of a standardised framework of notice.It also said requirements to obtain more specific and explicit consent in relation to the purposes for which information is collected, used, or disclosed would provide the department with greater immediate clarity around obligations for the handling of personal information.”The ability to use or disclose personal information for secondary purposes unforeseen at the time of collection provides significant benefit to both government and the Australian public by, for example, facilitating continuous improvement and evaluation of policy implementation and reducing the risk of individuals being disadvantaged in service delivery by not having provided the appropriate consent,” it added. “The department is cognisant of the need to guard against function creep while at the same time offering some measure of flexibility with respect to unforeseen but beneficial secondary purpose uses or disclosures.”MORE FROM THE PRIVACY ACT REVIEW More

Crypto market capitalization reached nearly $2 trillion in March and there has never been more interest in cryptocurrency globally. But with the influx of investment has come a variety of cybersecurity risks to cryptocurrency wallets and evolving threats to exchanges. The most common attack methods dominating conversation in cybercriminal forums are reverse proxy phishing, cryptojacking, dusting and clipping, according to a new study from Digital Shadows. The company’s Photon Research Team scanned the dark web to sort out the most popular techniques used to either steal or mine for cryptocurrency. Many of the widely used tactics, like reverse proxy phishing, revolve around getting past two-factor authentication by effectively snooping in on traffic between two people. Cryptojacking has long been a popular scam leveraged by cybercriminals, allowing an attacker to use a victim’s device to mine cryptocurrency. Clipping is when attackers manage to steal cryptocurrency while it is being sent during a transaction and crypto dusting involves “deanonymizing your crypto wallet by sending tiny amounts of crypto ‘dust’ to multiple wallets,” the report described.All of the methods are riffs on brands of cyberattacks used in other contexts outside of cryptocurrency. Chris Morales, CISO for Netenrich said it was “the same game with a different name,” with attackers moving on from financial documents and bank accounts to digital wallets and crypto mining. “The method is still social engineering with phishing and malware for mining on your hardware. I see names like dusting and I think about credit card skimming,” Morales said. “I see clipping and I think of URL redirecting.”The study notes that even cybercriminals themselves deal with thefts from their own wallets. 

“We’ve recently seen a few forum threads where threat actors complain about having their virtual currency stolen,” the report said.  “One user even held an ‘ask me anything’ session after they lost ‘100k’ due to ‘being phished’ in May 2021. Another wrote, ‘I want my currency back, this is god damn bad,’ after their Etherium was stolen.”A report from Atlas VPN in January found that cybercriminals stole “nearly $3.78 billion” in cryptocurrency throughout 2020. Other data from Slowmist Hacked listed 122 attacks in 2020, with most targeting cryptocurrency exchanges, Bitcoin wallets, and decentralized apps running on the Ethereum platform. Coalfire director Karl Steinkamp noted that software wallets will only be as strong as their software and security development processes, as well as how the end user secures it. “I wouldn’t be surprised to see vulnerabilities in some of the software wallet providers over time that allows these wallets to be accessed before being patched or updated. The same is not generally true for hardware wallets as these tend to be purpose built and would require a more sophisticated skill set to compromise,” Steinkamp added. James McQuiggan, security awareness advocate at KnowBe4, explained to ZDNet that using phishing to steal cryptocurrency will be the easiest way for cybercriminals to get money from a victim.  “Clicking the link in a phishing email is like having a high-tech security system at home and leaving the door open when you click on the link or open the attachment from the phishing email. Unfortunately, if you are not monitoring your crypto wallet or computer, you might overlook the cyber criminal rooting around on your computer,” McQuiggan said. “Cryptojacking is another attack method that cyber criminals utilize to make money without doing a lot of work. But, again, phishing becomes the easiest way for cyber criminals to work their way through a network and find servers to run their cryptomining to generate the currency.” More

News emerged on Tuesday morning that iConstituent, a platform built to facilitate communication between politicians and local residents, has been dealing with a ransomware attack. iConstituent did not respond to requests for comment, but Punchbowl News reported that almost 60 members of Congress use the platform. Chief Administrative Officer of the House Catherine Szpindor told the news outlet that they were notified of a ransomware attack on iConstituent’s e-newsletter system, which House members buy access to. 

ZDNet Recommends

But Szpindor added that no data from the House had been taken or accessed and the network used by the House was not affected. Sophos’ Senior Security Advisor John Shier said the attack was yet another example of the way ransomware actors use supply chains as a way of gaining access to bigger targets. “Regardless of what you do, you’re in somebody’s supply chain, whether you’re providing services directly to another party or you’re part of a larger organization or mechanism that provides services or products to other people,” Shier said. The platform is also used widely across state governments in Nevada, Georgia, Hawaii and cities like Los Angeles. The New York State Assembly also has a contract with the company for services. The attack was revealed as the White House and law enforcement agencies take a more forceful stance on ransomware after devastating attacks on the country’s biggest meat processor and one of the country’s largest oil and gas providers. 

The tough rhetoric has done little to stop cybercriminals from levying a wide variety of attacks on institutions across state and city governments. The New York City Law Department was hacked on Sunday, forcing IT administrators to shut off access to certain systems for more than 1,000 employees. The organization handles all of the city’s legal matters and carries an enormous amount of personal information about the city’s employees, including Social Security numbers, addresses and more. Mayor Bill De Blasio appeared on television and said there has been no ransom request or compromise of city data, but investigators are still assessing the situation.Rajiv Pimplaskar, chief risk officer for Veridium, told ZDNet that New York has one of the nation’s top IT and cyber security infrastructure and organizations, demonstrating that no matter how good you are, no one is immune from breaches. Both Shier and Pimplaskar added that government agencies are ripe targets because of how much personal information they carry and because they are often using outdated systems and technology. “Departments that deal with sensitive information and customer data are prime targets for bad actors as they represent a honeypot of Personally Identifiable Information that can be a target in its own right or in turn be misused for social engineering and secondary attacks,” Pimplaskar said.  More

Microsoft has released 50 security fixes for software to resolve critical and important issues including six zero-days that are being actively exploited in the wild. In the Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, Microsoft has fixed problems including remote code execution (RCE) bugs, denial-of-service issues, privilege escalation, and memory corruption issues.  In total, when it comes to severity, five of the vulnerabilities are considered critical and 45 are deemed important.  Products impacted by June’s security update include Microsoft Office, .NET Core & Visual Studio, the Edge browser, Windows Cryptographic Services, SharePoint, Outlook, and Excel.  Also: The zero-day vulnerabilities that Microsoft has tracked as being actively exploited, now patched in this update, are:  CVE-2021-33742: Windows MSHTML Platform Remote Code Execution Vulnerability, CVSS 7.5CVE-2021-33739: Microsoft DWM Core Library Elevation of Privilege Vulnerability, CVSS 8.4CVE-2021-31199: Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability, CVSS 5.2CVE-2021-31201: Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability, CVSS 5.2CVE-2021-31955: Windows Kernel Information Disclosure Vulnerability, CVSS 5.5CVE-2021-31956: Windows NTFS Elevation of Privilege Vulnerability, CVSS 7.8Another zero-day reported by Microsoft, but not actively exploited in the wild, is CVE-2021-31968. Issued a CVSS score of 7.5, this flaw, now patched, could be exploited to trigger denial-of-service. 

Eight of the vulnerabilities were reported by the Zero Day Initiative (ZDI). Microsoft has also acknowledged reports from Google’s Threat Analysis Group, Google Project Zero, Nixu Cybersecurity, Check Point Research, FireEye, Kaspersky, and others.  “While these vulnerabilities have already been exploited in the wild as zero-days, it is still vital that organizations apply these patches as soon as possible. Unpatched flaws remain a problem for many organizations months after patches have been released,” Tenable commented. Last month, Microsoft resolved 55 security flaws, four of which were deemed critical in the May batch of security fixes. Three zero-day vulnerabilities were also patched at the same time, but thankfully, none appear to have been exploited in the wild.  A month prior, the tech giant tackled 114 vulnerabilities during April’s Patch Tuesday. The US National Security Agency (NSA) was credited with reporting two remote code execution (RCE) vulnerability flaws (CVE-2021-28480 and CVE-2021-28481) in Exchange Server. More

Half of accounts compromised in phishing attacks are manually accessed within 12 hours of the username and password being leaked, as cyber criminals look to exploit stolen credentials as quickly as possible.

ZDNet Recommends

Cybersecurity researchers at Agari planted thousands of credentials which were made to look like they belonged to real users, but were in fact of under the control of the researchers, onto websites and forums popular for dumping stolen usernames and passwords. The false credentials – seeded over the course of six months – were designed to look like compromised logins for well-known cloud software applications.Researchers found that the accounts are actively accessed within hours of the login credentials being posted online on phishing websites and forums.”About half of of the accounts were accessed within 12 hours of us actually seeding the sites. 20% are accessed within an hour and 40% are accessed within six hours. That really shows you how quickly a compromised account is exploited,” Crane Hassold, senior director of threat research at Agari told ZDNet. Almost all of the accounts were accessed manually. It might be a mundane task, but ultimately, it proves useful for cyber criminals, as they can accurately test if the credentials do really work.”It’s a pretty tedious process I’m sure on their end, but they’re getting a lot of good information from it and they’re using the accounts in a variety of different ways for different types of malicious activity,” said Hassold.

For example, by accessing an account, an attacker can attempt to find sensitive information in people’s email inboxes, or even their cloud storage software, which could be stolen and either used to help further attacks or sold on.There’s also the possibility that the attackers could use the compromised accounts to conduct other attacks, such as phishing or Business Email Compromise (BEC) attacks, using the compromised account in order to launch further campaigns.One attacker attempted to use a compromised account to conduct BEC attacks against the real estate sector, launching emails that would have attempted to redirect victims to a website to steal login details of real estate companies. However, in this case, because the fake credentials were controlled by researchers, none of the attempted emails actually arrived at their intended destinations.

ZDNet Recommends

The best password manager

Everyone needs a password manager. It’s the only way to maintain unique, hard-to-guess credentials for every secure site you and your team access daily.

Read More

However, it demonstrates how cyber criminals take compromised credentials and attempt to exploit them in order to gain access to additional accounts.”Where you have credential phishing, it leads to a compromised account, which leads to more credential phishing campaigns which leads to more compromised accounts and so on,” said Hassold.While compromised accounts are accessed quickly, the research found that they’re often abandoned after about a week – although by this time it’s likely that’s because the attackers have moved onto other accounts, perhaps after using the initial account as a stepping stone to get there. Organisations can take precautions to defend their users, cloud applications and the wider network from phishing and other attacks. One of these is having appropriate defences in place, like anti-virus software or spam filter. Meanwhile, using multi-factor authentication can help prevent compromised accounts from being exploited, as it makes it much harder for an attacker to use – while also alerting the victim that something is wrong. MORE ON CYBERSECURITY More

Researchers have provided a case study on Nefilim, a ransomware operator that uses “double-extortion” tactics to ensure payment from victim organizations. 

Ransomware is a form of malware that is created to encrypt compromised systems. Once it lands on a vulnerable machine — whether through a phishing message, software vulnerability, stolen access credentials, or other means — files and drives will be encrypted and can only be recovered with a decryption key. The decryption key is the carrot dangled in front of victims, who are usually promised a key and the means to restore their systems in return for payment. When it comes to enterprise players, ransom demands can reach millions of dollars — and there is never a guarantee a key will be issued or will be technically suitable for restoration efforts. The phrase “ransomware” has become a familiar one to the general public as week-on-week we hear of more cases.  In recent months, Colonial Pipeline suffered a ransomware outbreak that ended up causing fuel shortages across parts of the United States, and following an infection at Ireland’s national health service, the HSE is still experiencing “significant” disruption.   What makes ransomware different is the possibility of “double-extortion,” a relatively new tactic designed to ramp up the pressure on victims to pay up. During a cyberattack, ransomware operators including Maze, Nefilim, REvil, and Clops will steal confidential data and threaten to release or sell this information on a leak website.   On Tuesday, Trend Micro published a case study examining Nefilim, a ransomware group the researchers believe is, or was, associated with Nemty originally as a ransomware-as-a-service (RaaS) outfit.

Nemty appeared on the scene in 2019, but together with Sentinel Labs, Trend Micro says that Nefilim originated in March 2020.  Both actors, tracked by the firm as “Water Roc,” offered RaaS subscription services based on a 70/30 split, with margins reduced to 90/10 when high-profile victims were snagged by affiliates.  Trend Micro says that Nefilim often focuses on exposed Remote Desktop Services (RDP) services and public proof-of-concept (PoC) exploit code for vulnerabilities. These include CVE-2019-19781 and CVE-2019-11634, both of which are known bugs in Citrix gateway devices that received patches in 2020.  However, when unpatched services are found, exploit code is launched and initial access is obtained. Nefilim begins by downloading a Cobalt Strike beacon, Process Hacker — used to terminate endpoint security agents — the Mimikatz credentials dumper, and additional tools.   In one case documented by the team, Nefilim was also able to take advantage of CVE-2017-0213, an old vulnerability in Windows Component Object Model (COM) software. While a patch was issued back in 2017, the bug was still present and allowed the group to escalate their privileges to administrator levels.  The ransomware operators may also leverage stolen or easily-forced credentials to access corporate networks and for lateral movement.  MEGAsync may be used to exfiltrate data during attacks. Nefilim ransomware will then be deployed and will begin encrypting content. Extensions vary, but the group has been linked to the extensions .Nephilim, Merin, and .Off-White.  A random AES key for each file queued for encryption is generated. The malware will then decrypt a ransom note using a fixed RC4 key which provides email addresses for victims to contact them concerning payment. “To enable file decryption in case the victim pays the ransom amount, the malware encrypts the generated AES key with a fixed RSA public key and appends it to the encrypted file,” the researchers say. “To date, only the attackers can decrypt this scheme as they alone own the paired private RSA key.” When it comes to victims, Nefilim has been connected most often with attacks against organizations generating an annual revenue of $1 billion or more; however, the malware operators have also struck smaller companies in the past.  The majority of victims are in the US, followed by Europe, Asia, and Oceania.  “Modern attackers have moved on from widespread mass-mailed indiscriminate ransomware to a new model that is much more dangerous,” Trend Micro says. “Today, corporations are subject to these new APT-level ransomware attacks. In fact, they can be worse than APTs because ransomware often ends up destroying data, whereas information-stealing APTs are almost never destructive. There is a more pressing need to defend organizations against ransomware attacks, and now, the stakes are much higher.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

iPhone owners will soon be able to track down their iPhone using the Find My app even when it’s switched off or has been wiped. 

Smartphones

The new ‘Find My network’ capabilities should come in handy in numerous scenarios, including when an iPhone has run low on battery power or a thief has turned the phone off. Currently, by enabling Find My network setting – an additional capability beyond Find My iPhone – users can locate an iPhone when it’s offline, as well as AirTags, but not when the iPhone is powered off.   9to5Mac has posted an image of the notification that tells users that the iPhone remains findable after power off or in power reserve mode.  SEE: Top 10 iPad tips (free PDF) (TechRepublic)”Find My helps you locate this iPhone when it is lost or stolen, even it is in power reserve mode or when powered off,” the dialog states. The functionality can be changed in “Find My network” in Find My within Settings.  Apple has detailed some of these capabilities in iOS 15 preview notes and a press release, but hasn’t explained how it works. There’s also some extra protection for situations when a thief has stolen an iPhone and sold it to someone else. This relies on the Find My feature Activation Lock, which is turned on when a user turns on Find My.  

“To help ensure that nobody is tricked into purchasing your device, the Hello screen will clearly show that your device is locked, locatable, and still yours,” Apple explains. Apple is also introducing separation alerts, which delivers an alert to the owner’s iPhone when an AirTag or compatible product is left behind. Find My provides directions to the item. SEE: 5G smartphones have arrived. But for many, the reason to upgrade is still missingThe Find My network will also give users an approximate location of missing AirPods Pro and AirPods Max. It aims to get the user within Bluetooth range so they can play a sound to find the earphones or headphones.  Apple announced dozens of new features for iOS 15 at WWDC, including Zoom-inspired features for FaceTime, a new SharePlay on FaceTime feature for sharing music and TV content with others on a call, and Live Text to capture and copy text from a photo.

Apple WWDC 2021 More