More stories


    How you can help Ukraine: Donation sites and resources

    These contribution opportunities were suggested by the companies we profiled in the companion piece, “Ukrainian software developers: Email and photos from the war zone.”

    Humanitarian support

    • NBU Fundraising Account: According to the National Bank of Ukraine’s website, “This account is meant for charity contributions from Ukraine and from abroad. The Ministry of Social Policy will channel the raised funds to support Ukraine’s citizens severely affected by the war.”
    • Donate goods and food to Ukrainians: If you live near any of the cities listed at this link, you can bring goods and food to be delivered to Ukrainians in need by Nova Poshta Global.
    • Help host evacuating Ukrainians: UkraineNow works to find relocation destinations for evacuees.
    • Save the Children: Save the Children is operating an emergency fund for displaced Ukrainian evacuees.
    • Razom Emergency Fund: Razom unites various Ukrainian activists. Razom Emergency Response is providing critical humanitarian war relief and recovery according to the most urgent needs as they evolve.
    • Nova Ukraine: Nova Ukraine is a nonprofit organization dedicated to providing humanitarian aid to the people of Ukraine.
    • MacPaw Development Fund: The fund has been sourcing medical supplies and distributing them to hospitals, financing the production of protective gear for the Ukrainian Army and territorial defense units, supplying the military with cell phones and computers, and printing maps for patrols in Kyiv.
    • World Central Kitchen: WCK arrived in Poland on Feb. 24 to help refugees arriving from Ukraine. In response to the February 24 attacks on Ukraine, the WCK team is serving hot, nourishing meals at a 24-hour pedestrian border crossing in southern Poland.
    • The Salvation Army: The nonprofit’s “Love Beyond Conflict” campaign is asking donors to support families fleeing the crisis in Ukraine to help provide peace and safety.
    • Team Rubicon: Serves communities by mobilizing veterans to continue their service, leveraging their skills and experience to help people prepare for, respond to, and recover from humanitarian crises. The nonprofit is pre-positioning its mobile Emergency Medical Team in Poland to assist the crowds of refugees crossing the border every day.
    • Community Organized Relief Effort (CORE): A crisis response organization that brings immediate aid and recovery to underserved communities across the globe. In immediate response to the crisis in Ukraine, the CORE team is on the ground in Poland supporting the immediate needs of refugees. CORE’s initial efforts are focused on distributing hygiene kits and supplying refugees with cash assistance to help families get access to life-saving items such as food, water, and safe transit to shelter.
    • The Tunnel to Towers Foundation: Honors the sacrifice of firefighter Stephen Siller, who laid down his life to save others on September 11, 2001, as well as the military and first responders who continue to make the supreme sacrifice. On March 10, the nonprofit committed $1 million to the children of Ukraine in an effort to help them find safety amid the conflict in their country. T2T is also collecting additional donations to amplify its impact and provide relief.
    • Unclutter’s Help Ukraine Fund: Unclutter has a neat approach. If you donate, they’ll give you a free copy of Unclutter (note: I use this every day), and the funds you donate will go to local volunteers and charitable organizations.

    Support animals

    • Help rescue, feed, and relocate animals: UAnimals helps shelters financially, provides them with food, and tries to evacuate animals to other countries.

    Journalism support

    • Donate to support journalists on the ground: Donations to the 24.02 Fund provide bulletproof vests, helmets, fuel, sat phones, diesel generators, walkie-talkies, and relocation help for journalists’ families.

    Activism

    • Join a peace protest: This Google table lists upcoming peace protests and additional information about each protest’s organizers.

    Defense support

    • Donations to the Ukrainian Army: This is a direct donation link to an account that disburses funds to the Ukrainian Army.
    • Donations to Ukraine’s military via the National Bank of Ukraine: This is another direct donation link that disburses funds “to support the Armed Forces of Ukraine.”
    • Come Back Alive: This fund supports the Ukrainian Armed Forces with, according to the fund, “financing purely defense initiatives. Since 2014 we have provided around 1000 thermal imagers and over 250 UAVs. In addition to the material support, we increased the technological capabilities of the Army through providing 1,500 tablets with Armor software aimed at stopping the artillery.”
    • Support Ukrainian defenders: The KOLO fund, a charity fund created by IT specialists from Ukraine, provides soldiers and volunteers with helmets and body armor, satellite phones and tactical radio equipment, quadcopters and drones, and thermal imagers and sights.

    You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.


    These remote work job scams promise easy money but aim to steal your savings

    Cyber criminals are posing as recruiters and employers to offer people fake jobs in a scheme designed to steal money and personal data, and to trick victims into unwittingly helping launder the proceeds of other crimes. Detailed by cybersecurity researchers at Proofpoint, the job-fraud campaigns lure targets with the promise of upfront payment for simple work that can be done from home.


    Nearly 4,000 of these emails are sent every day. Most go to people in the United States, but Europeans and Australians have also been targeted. In over 95% of cases the attackers aim at email accounts linked to universities and colleges, targeting students who are likely to be open to flexible and remote work. Remote work has become commonplace because of the COVID-19 pandemic, which makes the approaches look less suspicious; some of the fraudulent emails even cite COVID-19 as the reason the job is remote.

    While easy money from remote work sounds tempting, the campaigns are designed to fleece victims: according to the FBI, the average loss for victims of employment fraud is around $3,000.

    “These types of threats can cause people to lose their life savings or be tricked into participating in a criminal operation unknowingly. They are very concerning for universities especially,” said Sherrod DeGrippo, senior director of threat research and detection at Proofpoint.

    Those behind the attacks use several different templates, often with the real branding and logos of the companies they claim to represent, and send the initial emails from spoofed or compromised recruiter addresses.

    One scam purports to come from the United Nations Children’s Fund (UNICEF) and offers $400 for eight hours of work a week as an executive personal assistant. The email contains a link to a Google form asking for a name, an alternative email address and a phone number. Victims who enter their details receive a second email with more information about the supposed job and, if they accept, a fake cashier’s check, initially for $950 and then for $1,950, meant to look like payment. The attackers then ask how much the victim has in their bank account, supposedly so that money can be used to send toys to children in orphanages; the researchers were asked to transfer $1,000. The victim ends up out of pocket because the fake check that supposedly covers the transfer can never be cashed.

    Another of the phony jobs takes a different route: emails claim to be recruiting college students for a modelling job that does not exist. The email promises over $2,750 up front, with any expenses related to the shoot reimbursed. The attacker emails a fake check, which in some cases is even mailed to the victim’s home, but it cannot be cashed. Here the fraud is built around the victim sending money to cover “shipping costs” for items to be used in the shoot; the items are never ordered, the shoot never happens, and the victim’s money is gone.

    Not only can these fake jobs leave people out of pocket, they can also turn victims into unwitting money mules, since some of the cash transfers are likely part of other fraud schemes. In aiming at students, the attackers exploit inexperience with online threats and with the world of work: a legitimate employer is very unlikely to send a paycheck before an employee’s first day, and will not ask new hires to buy items before they start.

    To avoid falling victim, treat an unexpected job offer with caution, especially if it arrives from a freemail account such as Gmail or Hotmail while claiming to come from a legitimate organisation. Be wary of nonexistent or overly simple interview questions, a lack of information about the job itself, and requests to move the conversation to a personal email address or private chat account. And if an opportunity seems too good to be true, it probably is.
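The warning signs above can be checked mechanically on an inbound message. The following is an added example written for this page, not Proofpoint's detection logic: it parses a raw email, flags a freemail sender posing as an organisation, a Reply-To that redirects replies to a different domain, and the lure phrases the article describes (upfront pay, cashier's checks, no interview, a move to a private channel). The freemail list, the phrase list, the two-flag threshold and both sample messages are assumptions constructed for the example.

```python
"""Screen an inbound job-offer email for the warning signs listed above.

Added example: heuristics of my own, not Proofpoint's detection logic.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Consumer webmail domains. A real employer or recruiter normally writes from the
# organisation's own domain, not from one of these. (Assumed, illustrative list.)
FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com", "aol.com"}

# Phrases drawn from the lures described in the article: pay before any work,
# cheques to handle, no interview, move to a private channel. (Assumed list.)
LURE_PHRASES = (
    "upfront", "up front", "cashier's check", "cashiers check", "per week",
    "no interview", "personal email", "whatsapp", "telegram", "bank account",
)

def _domain(addr: str) -> str:
    """Lower-cased domain part of an address header, '' if none."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def _plain_text(msg: Message) -> str:
    """Body text of a single-part message, or the text/plain parts of a multipart one."""
    if not msg.is_multipart():
        return str(msg.get_payload())
    return "\n".join(str(p.get_payload()) for p in msg.walk()
                     if p.get_content_type() == "text/plain")

def screen_job_offer(raw: str) -> list[str]:
    """Return the red flags found in one raw RFC 5322 message; empty list if none."""
    msg = message_from_string(raw)
    flags: list[str] = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    reply_to = msg.get("Reply-To")

    # 1. Offer sent from consumer webmail but presented under an organisation's name.
    if from_dom in FREEMAIL_DOMAINS:
        flags.append(f"sender uses freemail domain {from_dom!r}"
                     + (f" while presenting as {display_name!r}" if display_name else ""))

    # 2. Replies silently redirected to a mailbox other than the visible sender's.
    if reply_to and _domain(reply_to) != from_dom:
        flags.append(f"Reply-To domain {_domain(reply_to)!r} differs from From domain {from_dom!r}")

    # 3. Lure language in subject or body.
    text = (msg.get("Subject", "") + "\n" + _plain_text(msg)).lower()
    for phrase in LURE_PHRASES:
        if phrase in text:
            flags.append(f"lure phrase: {phrase!r}")
    return flags

def is_suspicious(raw: str) -> bool:
    """Two or more independent flags is the (assumed) threshold used here."""
    return len(screen_job_offer(raw)) >= 2

# Constructed sample messages (not real emails), modelled on the UNICEF lure above.
LURE_EMAIL = (
    "From: UNICEF Recruitment <unicef.careers.2022@gmail.com>\n"
    "Reply-To: unicef-hr-desk@hotmail.com\n"
    "To: student@example-university.edu\n"
    "Subject: Executive Personal Assistant (remote, $400 per week)\n"
    "Content-Type: text/plain\n"
    "\n"
    "The role pays $400 upfront for eight hours per week of remote work. We will mail\n"
    "a cashier's check before your start date. Reply from your personal email with\n"
    "your phone number; no interview required.\n"
)

LEGIT_EMAIL = (
    "From: Jane Doe <jane.doe@example-university.edu>\n"
    "To: student@example-university.edu\n"
    "Subject: Summer research assistant position\n"
    "Content-Type: text/plain\n"
    "\n"
    "Please apply through the careers portal. Interviews will be held on campus\n"
    "next month, and pay starts after your first day.\n"
)

if __name__ == "__main__":
    for label, raw in (("lure", LURE_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, is_suspicious(raw), screen_job_offer(raw))
```

The constructed lure trips seven flags (freemail sender, mismatched Reply-To and five lure phrases); the constructed university message trips none. Keyword heuristics like these are a triage aid, not a verdict: the stronger signals in practice are the domain mismatch and the request to move off the organisation's own channels.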


    As Lapsus$ comes back from 'vacation,' Sitel clarifies position on data breach

    Sitel has published an update on the recent security incident involving the Lapsus$ hacking group and Okta. After Lapsus$ circulated screenshots on March 22 that appeared to show unauthorized access to Okta accounts and potentially privileged information, Okta launched an investigation. Sitel, an Okta subprocessor, was named as the third party through which the breach occurred.


    Okta says the Lapsus$ intrusion may have affected up to 366 customers in January 2022. Over five days, Lapsus$ had access to an Okta.com Superuser/Admin account reportedly belonging to a Sitel customer support engineer. Okta has since said the company “made a mistake” by not informing customers sooner.

    “Sitel is our service provider for which we are ultimately responsible,” the company commented. “In January, we did not know the extent of the Sitel issue — only that we detected and prevented an account takeover attempt and that Sitel had retained a third-party forensic firm to investigate.”

    On March 29, Sitel published a statement on the cyberattack, having previously said little more than that an investigation was ongoing. Sitel says it is “cooperating with law enforcement on this ongoing investigation and are unable to comment publicly on some of the details of the incident.” However, the company has said that the incident was related to the “legacy Sykes network only.”

    Documents obtained by cybersecurity researcher Bill Demirkapi and viewed by TechCrunch, including a Mandiant forensics report, suggest that the attackers were able to access a spreadsheet containing passwords for domain administrator accounts. Sitel claims the document “listed account names from legacy Sykes but did not contain any passwords,” but provided no further details.

    “The Sitel Group Security team believes there is no longer a security risk regarding this incident,” Sitel added. “Even after the completion of the initial investigation, Sitel Group continues to work in partnership with our cybersecurity partner to assess potential security risks to both the Sitel Group infrastructure and to the brands Sitel Group supports around the globe.”

    After taking a “vacation,” Lapsus$ has begun publishing new content on the group’s Telegram channel. On March 30, Lapsus$ claimed to have compromised Globant, a software development firm headquartered in Buenos Aires, Argentina. The threat actors allege that they stole client source code and have published a 70GB torrent. ZDNet has reached out to Globant and will update this story when we hear back.


    State-backed hacking attacks are a big worry, but most firms don't know what to watch out for

    The vast majority of cybersecurity professionals think the business they work for is a target for nation-state hackers, but only a small fraction think their organisation can confidently identify when an attack is actually being carried out by a hostile state. According to analysis by cybersecurity company Trellix, half of all organisations think they have been the target of a nation-state cyberattack within the past 18 months, while a further 42% think they will be subject to one in the future. Fewer than one in 10 businesses believe they are not a target for nation-state hackers at all.

    For organisations that have been targeted by nation-state-backed hackers, the most likely suspects identified by cybersecurity staff are Russia and China, along with cyber-criminal mercenaries suspected of working on behalf of governments. North Korea, Iran and Western governments are also suspected of being behind attacks, while some cybersecurity staff concede that it is simply too difficult to tell who is behind a campaign.

    When asked how confident they were that, without outside help, their organisation could tell the difference between attacks carried out by a nation state and attacks carried out by cyber criminals, just a quarter said they were completely confident.

    That matters because nation-state operations are usually built for long-term persistence. If an intrusion is not recognised as the work of a well-resourced, government-backed attacker, a clean-up scoped for ordinary cybercrime can miss backdoors and other remnants, which are then exploited later.

    “Nation-state cyber incidents are more sophisticated and persistent than an average cyber crime incident. Successfully detecting and responding to these types of attacks requires a deeper understanding of the adversaries’ methods and their intended goal,” John Fokker, principal engineer and head of cyber investigations at Trellix, told ZDNet. “Many organisations struggle with successfully detecting backdoors left behind after a state-backed cyber incident,” he added.

    Even organisations that are not confident in their ability to identify nation-state-backed cyberattacks say it is important to be able to do so, although many are limited by their cybersecurity strategy or a lack of resources. The vast majority, 90%, of those surveyed said their own government needs to do more to help them protect themselves against hostile foreign actors. “Governments can provide organisations who have been targeted with vital intelligence to better assess the origin and objective behind a state-backed cyber incident,” said Fokker.

    Defending against cyberattacks, particularly from adversaries with significant resources, is a challenge, but there are steps that improve the odds. They include cyber-hygiene measures such as applying critical security patches promptly and requiring multi-factor authentication to keep attackers out of the network. It is also vital for cybersecurity staff to fully understand the network they defend, so they can identify every asset that needs protection and act on potentially suspicious activity.


    This new ransomware targets data visualization tool Jupyter Notebook

    A new strain of Python ransomware is targeting environments using Jupyter Notebook. 

    Jupyter Notebook is an open-source web application for creating and sharing documents that combine live code, visualizations and narrative text. The modular software is used to model data in data science, computing and machine learning; the project supports over 40 programming languages and is used by companies including Microsoft, IBM and Google, alongside numerous universities. Aqua Security’s Team Nautilus recently discovered malware that has homed in on this popular tool.

    Jupyter Notebook lets users share their content with trusted contacts, and access to the app is secured through account credentials or tokens. But in the same way that businesses sometimes leave AWS S3 buckets open for anyone to view, misconfigured Notebook deployments have also been found. Because a notebook server exists to run arbitrary code, and its built-in terminal gives a shell as the user the server runs under, an unauthenticated, internet-facing instance amounts to handing out remote code execution.

    The Python ransomware targets those who have accidentally left their environments exposed. The researchers set up a honeypot containing an exposed Jupyter Notebook application to observe the malware’s behavior. The ransomware operator accessed the server, opened a terminal, downloaded a set of malicious tools, including encryptors, and then manually wrote a Python script that ran the ransomware. While the attack stopped before finishing the job, Team Nautilus was able to grab enough data to simulate the rest of it in a lab environment. The encryptor would copy and then encrypt files, delete any unencrypted content, and delete itself.

    No ransom note was included as part of the package, which the team suspects indicates one of two things: either the attacker was experimenting with their creation on the honeypot, or the honeypot timed out before the attack completed. While attribution is not concrete, the researchers say they might be “familiar” with the miscreant because of the trademark checks performed before an attack begins. Clues indicate the individual could be from Russia, and if it is the same attacker, they have been linked to cryptojacking attacks on Jupyter environments in the past.

    A Shodan search reveals several hundred internet-facing Jupyter Notebook environments that are open and accessible (although some may be honeypots).

    “The attackers gained initial access via misconfigured environments, then ran a ransomware script that encrypts every file on a given path on the server and deletes itself after execution to conceal the attack,” the researchers said. “Since Jupyter notebooks are used to analyze data and build data models, this attack can lead to significant damage to organizations if these environments aren’t properly backed up.”
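The misconfiguration the attack depends on is visible in the server's own config file. The following is an added example written for this page, not Aqua Security's tooling or part of Jupyter: it statically reads the `c.NotebookApp.*` / `c.ServerApp.*` assignments in a `jupyter_notebook_config.py` or `jupyter_server_config.py` and reports the combination that exposes the server (bound to all interfaces, token disabled, no password hash), plus `allow_root` and a missing TLS certificate. The two config files it checks are constructed for the example; the password hash in the hardened one is a placeholder, not a real hash.

```python
"""Audit a Jupyter config file for the misconfiguration the attack above relies on:
a server bound to every interface with token and password authentication turned off.

Added example (my own, not Aqua Security's tooling). It statically reads the
``c.<App>.<trait> = <literal>`` lines of jupyter_notebook_config.py /
jupyter_server_config.py; anything set programmatically is reported as unknown.
"""
import ast

# Classic notebook and Jupyter Server spell the same traits under different app names.
APP_NAMES = ("NotebookApp", "ServerApp")
ALL_INTERFACES = {"", "0.0.0.0", "*", "::"}

def parse_config(source: str) -> dict[str, object]:
    """Collect literal assignments to c.NotebookApp.* / c.ServerApp.* traits."""
    settings: dict[str, object] = {}
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1):
            continue
        target = node.targets[0]
        if not (isinstance(target, ast.Attribute)
                and isinstance(target.value, ast.Attribute)
                and isinstance(target.value.value, ast.Name)
                and target.value.value.id == "c"
                and target.value.attr in APP_NAMES):
            continue
        try:
            settings[target.attr] = ast.literal_eval(node.value)
        except ValueError:
            settings[target.attr] = "<non-literal>"  # computed at runtime; cannot judge
    return settings

def audit_config(source: str) -> list[str]:
    """Return findings; an empty list means nothing obviously wrong was seen."""
    s = parse_config(source)
    findings: list[str] = []
    ip = s.get("ip", "localhost")            # Jupyter's default bind address
    exposed = ip in ALL_INTERFACES
    token_off = s.get("token") == ""         # default is a random per-launch token
    no_password = s.get("password", "") in ("", None)

    if exposed:
        findings.append(f"ip={ip!r}: server listens on all interfaces")
    if token_off and no_password:
        findings.append("token='' with no password hash: unauthenticated access, "
                        "and the built-in terminal gives a shell as the server user")
    if s.get("allow_root") is True:
        findings.append("allow_root=True: that shell would be root")
    if exposed and not s.get("certfile"):
        findings.append("no certfile: sessions to a network-exposed server travel in clear text")
    return findings

# Constructed configs (not taken from any real deployment).
WEAK_CONFIG = """
c = get_config()
c.NotebookApp.ip = '0.0.0.0'
c.NotebookApp.port = 8888
c.NotebookApp.token = ''
c.NotebookApp.password = ''
c.NotebookApp.allow_root = True
c.NotebookApp.open_browser = False
"""

HARDENED_CONFIG = """
c = get_config()
c.ServerApp.ip = '127.0.0.1'
c.ServerApp.port = 8888
# placeholder for the hash produced by `jupyter server password`
c.ServerApp.password = 'argon2:<hash-from-jupyter-server-password>'
c.ServerApp.allow_root = False
c.ServerApp.certfile = '/etc/jupyter/server.crt'
c.ServerApp.keyfile = '/etc/jupyter/server.key'
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or ["ok"])
```

The weak config produces four findings; the hardened one produces none. A `0.0.0.0` bind is legitimate inside a container that sits behind an authenticating proxy such as JupyterHub, so treat the first finding as "confirm what is in front of this port" rather than an automatic failure; the token-off-and-no-password finding has no such excuse.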


    IoT warning: Hackers are gaining access to UPS devices. Here's how to protect yours

    Change the default username and password on your internet-connected uninterruptible power supply (UPS) units, the US government has warned.

    A UPS supplies battery power so that servers, network equipment and other devices keep running during a mains outage, in places such as a data center. Many units also expose a management interface over the network, and it is these internet-connected UPSs that attackers have been targeting in order to disrupt backup power.

    The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DOE) said they “are aware of threat actors gaining access to a variety of internet-connected uninterruptable power supply (UPS) devices.” How? Just like many other Internet of Things (IoT) devices, such as routers and smart-lighting systems, UPSs are being accessed “often through unchanged default usernames and passwords.” The risk of leaving default credentials on IoT devices and appliances is not new, and it is a reminder of why network-hardening guidance matters.

    UPS devices are a critical backup power supply because of the cost of downtime when core business applications and staff devices cannot connect to the internet. In healthcare, lives might depend on a UPS keeping medical devices powered during an outage. As CISA notes, UPSs can protect small loads, such as a few servers; large loads, like an entire building; or massive loads, including a data center.

    One complication is the question of exactly who in an organization should manage UPS devices, which may only get attention during a power outage. “Various different groups within an organization could have responsibility for UPSs, including but not limited to IT, building operations, industrial maintenance, or even third-party contract monitoring service vendors,” CISA notes in an insights alert.

    CISA does not cite examples of recent attacks or attribute the threats to specific actors; in this case the emphasis is on remediation. As CISA notes, it is rare that a UPS’s management interface needs to be reachable from the internet, so its bolded advice is: “Immediately enumerate all UPSs and similar systems and ensure they are not accessible from the internet.” In practice that means inventorying each UPS’s management interface, not just the UPS hardware, and confirming from outside the network that those addresses do not answer. CISA also points to its and the NSA’s warning that state-sponsored attackers have targeted internet-accessible operational technology (OT) to breach critical infrastructure such as water utilities; again, the agencies warn of the risks of remote access to OT networks and of default passwords.

    If the UPS device’s management interface must be accessible from the internet, CISA advises putting these controls in place:

    • Ensure the device or system is behind a virtual private network.
    • Enforce multi-factor authentication.
    • Use strong, long passwords or passphrases in accordance with National Institute of Standards and Technology guidelines (for a humorous explanation of password strength, see XKCD 936, CISA notes).
    • Check whether your UPS’s username/password is still set to the factory default. If it is, change it so that it no longer matches the default.
    • Ensure that credentials for all UPSs and similar systems adhere to strong password-length requirements, and adopt login timeout/lockout features.


    Ethereum sidechain Ronin that powers play-to-earn game is fleeced for over $600m

    In a shock to absolutely no one paying attention to the so-called Web3 space, the touted security of blockchain-driven solutions might not be all it is cracked up to be. The latest victim is Ronin, which disclosed that 173,600 ETH and 25.5 million USDC had been drained in a pair of transactions a week earlier. The Ronin Network said it only found out when a user tried on Tuesday to withdraw 5,000 ETH and was unable to.

    “ETH and USDC deposits on Ronin have been drained from the bridge contract. We are working with law enforcement officials, forensic cryptographers, and our investors to make sure there is no loss of user funds. This is our top priority right now,” the network said.

    Ronin was announced in mid-2020 by the play-to-earn game Axie Infinity, created by Vietnamese blockchain game maker Sky Mavis. At the time, the studio touted Ronin as a way around Ethereum network congestion. “To help secure Ronin, we have recruited an all-star cast of partners from the traditional gaming, crypto, and nonfungible token space to serve as validators of our network,” it said.

    To carry out the attack, the attacker gained control of the four validators operated by Sky Mavis and one operated by the Axie DAO, enough to meet the bridge’s signing threshold. “The attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator,” the Ronin Network explained. “This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked.”

    The lesson is an old one: a temporary delegation that is never revoked quietly collapses a multi-party threshold back to the number of keys one operator holds. With four Sky Mavis validators plus standing permission to sign for a fifth, the five-of-nine quorum was reachable from a single compromised organisation.

    In response, the Ronin bridge and the Katana DEX were halted, the validator signing threshold was raised to eight, and security teams at major crypto exchanges were contacted.

    Luckily for those seeking to trace the funds, blockchain transactions are public, and in this case the attackers appear to have skipped washing the funds through a coin tumbler, transferring them directly to the FTX exchange.

    Flora Li of the Huobi exchange research institute said the hack was the result of trying to balance user experience and security. “Axie Infinity exploded in popularity and saw a rapid influx in users on the Ronin blockchain. They took shortcuts to relieve network bottlenecks, cutting down the number of nodes that needed to be validated for transactions to just five of nine nodes, making it easier for hackers to exploit,” Li said. “While Sky Mavis has pledged to raise the number of required nodes to eight, it still doesn’t solve the fundamental problem of how proof-of-stake blockchains can keep transactions fast, user-friendly, and energy-efficient without compromising security.”

    Earlier this year, Crypto.com said 483 of its users were hit in an attack that saw over $31 million in coins withdrawn. “In the majority of cases we prevented the unauthorized withdrawal, and in all other cases customers were fully reimbursed,” the company said at the time. “Unauthorised withdrawals totalled 4,836.26 ETH, 443.93 BTC, and approximately US$66,200 in other cryptocurrencies.” Last year, the Poly Network had $600 million in cryptocurrency taken before the attacker began returning the stolen assets.

    Updated at 3:50pm AEDT, 30 March 2022: Additional comments from Huobi.
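The quorum arithmetic behind the breach is worth seeing in code. The following is an added example written for this page, not Sky Mavis or Ronin code: it models a threshold-signature bridge whose validators can delegate signing to other operators, computes which signatures an attacker holding one operator's keys can produce, and compares the bridge as deployed, after the stale delegation is revoked, and after the threshold is raised to eight. The validator and operator names and the nine-validator, five-signature layout are assumptions taken from the figures in the article.

```python
"""Model of the quorum failure described above: a stale signing delegation lets one
operator's keys reach a threshold that was meant to need several parties.

Added example, not Sky Mavis or Ronin code; validator names, operator names and the
nine-validator/five-signature layout are assumptions taken from the article's figures.
"""
from dataclasses import dataclass, field

@dataclass
class Validator:
    name: str
    operator: str                                      # who holds this validator's signing key
    delegates: set[str] = field(default_factory=set)   # operators allowlisted to sign for it

@dataclass
class Bridge:
    validators: list[Validator]
    threshold: int                                     # signatures required per withdrawal

    def signatures_available_to(self, compromised: set[str]) -> set[str]:
        """Validators whose signature an attacker holding `compromised` operators' keys can
        produce, either directly or through a delegation that was never revoked."""
        return {v.name for v in self.validators
                if v.operator in compromised or v.delegates & compromised}

    def withdrawal_approved(self, compromised: set[str]) -> bool:
        return len(self.signatures_available_to(compromised)) >= self.threshold

    def revoke(self, validator: str, delegate: str) -> None:
        for v in self.validators:
            if v.name == validator:
                v.delegates.discard(delegate)

    def raise_threshold(self, n: int) -> None:
        self.threshold = n

def ronin_like_bridge() -> Bridge:
    """Four Sky Mavis validators, the Axie DAO validator with Sky Mavis still allowlisted
    from the November 2021 arrangement, and four independent partners; 5-of-9 quorum."""
    validators = [Validator(f"skymavis-{i}", "Sky Mavis") for i in range(1, 5)]
    validators.append(Validator("axie-dao", "Axie DAO", {"Sky Mavis"}))  # stale allowlist
    validators += [Validator(f"partner-{i}", f"Partner {i}") for i in range(1, 5)]
    return Bridge(validators, threshold=5)

def walkthrough() -> dict[str, bool]:
    """Attacker holds only Sky Mavis's keys. Compare: as deployed, after revoking the
    stale delegation, and with the threshold at eight but the delegation still present."""
    attacker = {"Sky Mavis"}
    results: dict[str, bool] = {}
    b = ronin_like_bridge()
    results["as_deployed"] = b.withdrawal_approved(attacker)            # 4 own + 1 delegated = 5
    b.revoke("axie-dao", "Sky Mavis")
    results["delegation_revoked"] = b.withdrawal_approved(attacker)     # 4 < 5
    b = ronin_like_bridge()
    b.raise_threshold(8)
    results["threshold_8_stale_delegation"] = b.withdrawal_approved(attacker)  # 5 < 8
    return results

if __name__ == "__main__":
    print(walkthrough())
```

Both fixes stop this particular attacker, but they are not equivalent: revoking the delegation restores the property that five distinct parties must sign, whereas raising the threshold to eight with the delegation still in place leaves Sky Mavis able to produce five signatures and merely demands three more from partners. Reviewing outstanding delegations is the cheaper control and the one the article says was missed.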


    Senator calls on Nick Xenophon to detail his Huawei contract terms

    South Australian independent Senator Rex Patrick has called on his former boss, and previous occupant of his Senate seat, Nick Xenophon to reveal the details of his contract with Huawei. After leaving the Senate in 2017, Xenophon set up a law firm with former investigative journalist Mark Davis; the firm was appointed by Huawei as strategic counsel in 2019 and also represented Jordan Shanks in a recent high-profile defamation case. Xenophon said last week that he will run for the Senate again at the upcoming federal election.

    On the basis of his return to public life, Patrick said in the Senate on Tuesday night that Xenophon should disclose the terms of his Huawei agreement. “He was entitled, as a private individual, to work for whoever he wished. But the choice he made was akin to someone choosing to do PR work for the German companies Krupp or Messerschmitt in 1938,” Patrick said. “Mr Xenophon now says that he has not worked for Huawei for some time, though we don’t know when he ceased. He now claims to support the Australian government’s 5G ban on Huawei. As a declared Senate candidate, he should now, in the interests of transparency and accountability, disclose the full details of his contractual relationship with Huawei. He should disclose the terms, conditions and duration of his contract; what instructions he accepted from Huawei; and precisely what services he and Mr Davis were paid for.”

    Patrick pointed out that Xenophon had previously called for the same from another former Senator, and did not register with the Australian Foreign Influence Transparency Scheme. “In this, he appears to have relied on the exemption for persons providing legal advice to foreign organisations and a claim that he was not directly lobbying government ministers. However, the work that Xenophon Davis did for Huawei appears to have been largely in the public relations field and directed towards influencing the federal government to reopen the door for Huawei to infiltrate Australia’s 5G telecommunications network,” Patrick said. “That is of course one of 14 demands the Chinese government has made before they will reconsider their current hostile stance towards Australia.”

    The current Senator also raised allegations that Huawei has been involved in helping Chinese authorities oppress Uyghurs, has used backdoors in its carrier equipment to assist in state espionage, and has close ties to the Chinese Communist Party. “In December last year it was revealed, further, that as early as 2012 Australian intelligence detected a sophisticated penetration into our telecommunications system, an intrusion that began with a software update from Huawei that delivered malicious code,” Patrick said. “Mr Xenophon declared that Huawei was an ‘underdog’. I’m not sure how a vast Chinese conglomerate with global networks backed by the Chinese state could ever be described as an underdog, but that was his description. This was all a misjudgement on Mr Xenophon’s part.”

    Patrick said that critical infrastructure such as telecommunications must be completely secure from foreign interference and possible sabotage. “There can’t be any compromise when it comes to Australian national security, nor can there be compromises on human rights,” Patrick said. “Mr Xenophon has declared his political candidacy. In the interests of accountability and transparency, he should make an immediate disclosure of all the details of his work for Huawei. I urge him to do so. Voters can then make their own judgement.”

    In its yearly results announced earlier this week, Huawei reported a 29% drop in revenue to $100 billion, while profit rose 76% to $17.9 billion.