More stories

    WA government allocates AU$25.5m to expand cybersecurity services

    The Western Australian government has announced it will invest AU$25.5 million to expand the state’s cybersecurity services. The funding, delivered under the state government’s AU$500 million Digital Capability Fund, will be put towards ensuring the state’s cyber capabilities can facilitate secure data exchanges between agencies, and prevent, detect, and respond to cyber threats.

    Specifically, this will include beefing up the Office of Digital Government’s cybersecurity unit with additional headcount to make it the state’s “largest dedicated cybersecurity team” and establishing a new dedicated home for the state’s new cyber security operations centre.

    “Cyber threats continue to evolve, and so by investing in our world-class Cyber Security Operations Centre, Western Australians can be assured important Government services they access will continue to be safe and their information will remain secure,” Minister of Innovation and ICT Stephen Dawson said.

    The announcement comes on the same day Prime Minister Scott Morrison warned organisations to prioritise trust over costs and efficiency when it comes to data security, pointing to the recent cyber attacks in Ukraine as lessons for organisations to learn from.

    “I tell you particularly in a more troubled world, especially from a data security point of view, supply chains are frankly more about trust now than they even are about efficiency or cost,” said Morrison, during the official opening of Macquarie Telecom’s new AU$85 million hyperscale data centre in Sydney.

    Earlier this week, the federal government launched an AU$89 million cybercrime centre that is specifically focused on preventing cybercriminals from scamming, stealing, and defrauding Australians.

    Morrison wants organisations to prioritise trust over efficiency for data security

    Australian Prime Minister Scott Morrison officially opening Macquarie Telecom’s IC3 data centre in Macquarie Park.
    Image: Campbell Kwan

    Australian Prime Minister Scott Morrison has warned organisations to prioritise trust over costs and efficiency when it comes to data security, pointing to the recent cyber attacks in Ukraine as lessons for organisations to learn from.

    “I tell you particularly in a more troubled world, especially from a data security point of view, supply chains are frankly more about trust now than they even are about efficiency or cost,” said Morrison, who officially opened Macquarie Telecom’s new AU$85 million hyperscale data centre in Sydney.

    “We see that in the most terrible events, whether it’s in Ukraine or the stresses that are being placed on our own country here in the Indo-Pacific, when it comes to your data security you’ve got to be dealing with someone you trust and so words like sovereign really mean something — secure, really mean something.”

    In providing this warning, the prime minister said organisations need to prioritise developing data security skills and building secure critical infrastructure, pointing to Macquarie Telecom’s new data centre as an example.

    “I think that’s one of the great virtues of where we are today and one of the reasons why investments like this are made in Australia because of the amazing people that we’re training and bringing into our companies and our organisations. This is enabling infrastructure such as this to be built for it,” he said.

    Macquarie Telecom’s new 10MW data centre, called Intellicentre 3 East (IC3 East), meets a federal government-level SCEC Zone 3 or higher security standard and is staffed by government-cleared engineers at all times. The data centre also houses a security operations centre that will be used to support government agencies when they encounter cyber threats, Macquarie Government director Aidan Tudehope said.

    “The world has changed quite dramatically in recent years and particularly in recent months. This has had a direct impact on the level of cybercriminal activity which is landing on Australian shores,” he said.

    Macquarie Telecom said the security operations centre contains a dashboard that shows where cyber attacks are coming from, what cybercriminals or foreign actors are targeting, and patterns of cyber threats.

    The IC3 East opening follows the government earlier this week launching an AU$89 million cybercrime centre that is specifically focused on preventing cybercriminals from scamming, stealing, and defrauding Australians.

    Russian nationals charged for alleged roles in DragonFly and Triton hacks

    Four Russian nationals who worked for the Russian government were charged in two sets of US indictments last year for their alleged roles in hacks performed by the DragonFly and Triton groups, which both targeted critical infrastructure around the world. The indictments were only unsealed on Friday, however, with the US Department of Justice (DOJ) saying the hacking campaigns conducted by the charged individuals targeted hundreds of companies and organisations across 135 countries.

    “We face no greater cyber threat than actors seeking to compromise critical infrastructure, offences which could harm those working at affected plants as well as the citizens who depend on them,” District of Columbia attorney Matthew Graves said.

    One of the indictments accuses three Russian individuals of being part of the DragonFly group, also known as Energetic Bear and Crouching Yeti, which conducted a two-phased campaign targeting and compromising the computers of hundreds of entities related to the energy sector worldwide. Two websites operated by the San Francisco International Airport were also allegedly hacked by the group in 2020. Access to such systems provided the Russian government the ability to, among other things, disrupt and damage such computer systems at a future time of its choosing, the DOJ said.

    In the first phase of this cyberespionage operation, which took place between 2012 and 2014, the conspirators allegedly engaged in a supply chain attack, compromising the computer networks of Supervisory Control and Data Acquisition (SCADA) system manufacturers and software providers and then hiding malware — known publicly as “Havex” — inside legitimate software updates for such systems. After unsuspecting customers downloaded Havex-infected updates, the conspirators allegedly deployed spear-phishing emails and watering hole attacks, allowing them to install malware on over 17,000 devices, including SCADA controllers used by power and energy companies.

    After pausing activities for two years, the group then resumed operations, under the moniker of Dragonfly 2.0, to deploy spear-phishing emails, watering hole attacks, and a range of malware in an effort to infect energy companies once again. Over two dozen energy companies and utility providers in the US and Europe were attacked as part of this second phase of cyber espionage activity.

    The three Russian nationals have been charged with conspiracy to cause damage to the property of an energy facility, committing computer fraud and abuse, conspiracy to commit wire fraud, and aggravated identity theft. Two of the three charged individuals could face up to 47 years in prison.

    The second indictment alleges another Russian national was part of the Triton hacker group, helping the group cause two separate emergency shutdowns at a Schneider Electric facility based in the Middle East. That individual subsequently made an unsuccessful attempt to hack the computers of a US company that managed similar critical infrastructure entities in the United States, the indictment alleges.

    The Russian national charged in the second indictment faces one count each of conspiracy to cause damage to an energy facility, attempt to cause damage to an energy facility, and conspiracy to commit computer fraud. If convicted, the alleged Triton hacker could face up to 45 years in prison.

    The unsealing of these indictments follows US President Joe Biden earlier this week calling for local organisations to bolster their cyber defence efforts as Russia considers conducting cyber attacks in retaliation for sanctions imposed against the country for its invasion of Ukraine. “My administration is reiterating those warnings based on evolving intelligence that the Russian government is exploring options for potential cyber attacks,” Biden said.

    This is how fast a ransomware attack encrypts all your files

    It takes just five minutes for one of the most prolific forms of ransomware to encrypt 100,000 files, demonstrating how quickly ransomware can become a major cybersecurity crisis for the victim of an attack. Researchers at Splunk tested how quickly ten major ransomware strains encrypted networks – and some were much more effective than others at doing the job quickly, something which makes the attackers harder to stop.

    The fastest form of ransomware is LockBit, which took a median time of just 5 minutes and 50 seconds to encrypt 100,000 files. In one of the tests, it took LockBit only 4 minutes and 9 seconds to encrypt the files, measuring in at 53.83 GB, across different Windows operating systems and hardware specifications.

    LockBit has been one of the most prolific forms of ransomware during the early months of 2022 and the cyber criminals behind it have boasted that it’s the fastest form of ransomware. The analysis by researchers appears to show that the cyber criminals’ boast is unfortunately accurate.

    Ransomware is one of the most significant cybersecurity issues facing organisations today as hackers break into networks before encrypting files and servers and demanding a ransom payment for the decryption key. These ransom demands can be millions of dollars and many come with an extra level of extortion, with threats to publish the stolen data if the ransom isn’t paid.

    Of the ransomware variants tested, the average median time to encrypt the sample files was 42 minutes and 52 seconds. While LockBit was the fastest to encrypt the files, Babuk ransomware isn’t far behind, taking a median time of 6 minutes and 34 seconds to encrypt the data.

    Avaddon ransomware took a median time of 13 minutes and 15 seconds, followed by Ryuk at 14 minutes and 30 seconds, then REvil – one of last year’s most prolific ransomware groups – encrypting the data in a median time of 24 minutes and 16 seconds.

    BlackMatter ransomware took 43 minutes and 3 seconds to encrypt files, Darkside – famous for the Colonial Pipeline ransomware attack – took 44 minutes 52 seconds, and Conti – known for a string of high-profile incidents – took a median time of 59 minutes and 34 seconds to encrypt the 54GB of test files. Maze and PYSA ransomware are the slowest at encrypting files, taking 1 hour and 54 minutes each to do so.

    While the slowest encryption takes almost two hours longer than the quickest, it still isn’t a significant length of time – and it could easily go unnoticed until it’s too late if the cyber criminals triggered the ransomware attack outside of working hours, such as overnight or at a weekend.

    In any case, it’s difficult to stop a ransomware attack once the encryption process has already started – that means the best form of defence against ransomware is securing the network against it in the first place. Two of the most common techniques cyber criminals use to compromise networks as a gateway to ransomware attacks are exploiting weak or compromised passwords for remote desktop protocol and taking advantage of unpatched vulnerabilities in software.

    It’s therefore vital that users are encouraged to use strong passwords on their accounts in order to prevent compromise – and that should be accompanied by multi-factor authentication as an additional barrier against attacks. Information security and IT departments should be aware of what and who is on their network so that they can patch any vulnerabilities that emerge – and identify potentially suspicious activity before a full-scale attack is launched.

    These tax season scams aim to steal your passwords and bank details. Here's what to watch out for

    Cyber criminals are trying to exploit this year’s tax season by sending out phishing emails claiming to be from the IRS but which are actually designed to infect victims’ PCs with malware or trick users into handing over personal data including bank details, usernames, passwords and other sensitive information. Detailed by cybersecurity researchers at Fortinet, the scams aren’t particularly sophisticated but are being sent out in bulk at a time when people are aware of tax deadlines – and even if just a fraction of those receiving the phishing emails get duped, hackers can steal a lot of data.

    One of the phishing campaigns is based around an email that purports to be from the U.S. Internal Revenue Service (IRS) and is designed to infect the victim with Emotet malware, a powerful trojan used to steal passwords that also creates a backdoor onto the infected computer.

    Claiming to be from ‘IRS Online’, the email with the subject of ‘Incorrect Form Selection’ asks victims to open an attachment called “W-9 form.zip” – also providing the target with a plain text password needed to open the file. The lure is designed to look like Form W-9, which is a Request for Taxpayer Identification Number and Certification from the IRS.

    If the user opens the Zip file, they’re asked to enable macros – a common tactic used by cyber criminals to help deliver malware. After macros are enabled, the malicious document then retrieves and downloads the Emotet malware, which the attackers can use to steal usernames and passwords on the compromised Windows machine. Emotet is also a popular backdoor for delivering other forms of malware to infected systems, including ransomware.

    Another tax season-themed phishing scam uses slightly different tactics but has the same goal of tricking people into giving away sensitive information. This phishing email, with the subject line “NEW YEAR-NON-RESIDENT ALIEN TAX EXEMPTION UPDATE”, contains a PDF document titled “W8-ENFORM.PDF”.

    While the PDF itself isn’t malicious – in that it doesn’t deliver malware – the scam asks the user to fill out the document and return it. Information it asks for includes name, address, tax number, email address, passport number and mother’s maiden name, as well as their bank account information. All of this sensitive information can be used to compromise the victim’s online accounts, as well as their bank account. The information can also be used to commit fraud in the name of the victim.

    Researchers note that the IRS never asks for information from taxpayers via email and instead uses the postal service to send letters. However, social-engineering tactics and the fact that these emails are being sent during tax season mean that it’s possible users might forget this fact, particularly if an email claiming to be from the IRS says they’ve made a mistake, owe money or are due a tax rebate.

    The FBI has also issued warnings about tax scams, relating to a rise in complaints around unearned payments and 1099 Forms. The IRS 1099 Form is a collection of tax forms documenting different types of payments made by an individual or a business that usually is not the person’s employer. The FBI Internet Crime Complaint Center (IC3) says it has received complaints from people asked to provide information about taxable income which they say they didn’t earn. According to the FBI, in these cases it seems that the complainants’ personally identifiable information (PII) has been used to open accounts with e-commerce providers. If they’re sent a 1099 form due to fraud, taxpayers are urged to report it to the IRS, to monitor their credit reports for suspicious activity and to file a police report.

    These scams sent during tax season may seem simple, but the reason they’re being sent out is because they’re effective and there are people who are being tricked into believing phishing emails really do come from the IRS.

    “Out of thousands of recipients, it only takes a few to respond to make it all worthwhile to an attacker. And when the right person falls prey it can unleash a trove of information to the attacker that can be exploited for various purposes. Although such scams are well known and publicized, they are still pervasive for one simple fact – they work and will continue to work for the foreseeable future,” researchers said in a blog post.

    To avoid falling victim to tax-themed phishing scams, it’s important to remember that the IRS never sends email correspondence without prior consent. Users should also be very wary about enabling macros – when they’re turned off by default, it’s for a good reason. Users can also report suspected phishing scams directly to the IRS.

    Vidar spyware is now hidden in Microsoft help files

    Vidar malware has been detected in a new phishing campaign that abuses Microsoft HTML help files.

    On Thursday, Trustwave cybersecurity researcher Diana Lopera said the spyware is being concealed in Microsoft Compiled HTML Help (CHM) files to avoid detection in email spam campaigns.

    Vidar is Windows spyware and an information stealer available for purchase by cybercriminals. Vidar can harvest OS and user data, online service and cryptocurrency account credentials, and credit card information. While often deployed through spam and phishing campaigns, researchers have also spotted the C++ malware being distributed through the pay-per-install PrivateLoader dropper and the Fallout exploit kit.

    According to Trustwave, the email campaign distributing Vidar is far from sophisticated. The email contains a generic subject line and an attachment, “request.doc,” which is actually a .iso disk image.
    Image: Trustwave

    The .iso contains two files: a Microsoft Compiled HTML Help (CHM) file (pss10r.chm) and an executable (app.exe). The CHM format is a Microsoft online extension file for accessing documentation and help files, and the compressed HTML format may hold text, images, tables, and links — when used legitimately. However, when attackers abuse CHM, they can use the format to force Microsoft Help Viewer (hh.exe) to load CHM objects.

    When the malicious CHM file is opened, a JavaScript snippet silently runs app.exe. Both files have to be in the same directory, which is why they are delivered together in the disk image; this triggers the execution of the Vidar payload.

    The Vidar samples obtained by the team connect to their command-and-control (C2) server via Mastodon, a multi-platform open source social networking system. Specific profiles are searched, and C2 addresses are grabbed from user profile bio sections. This allows the malware to set up its configuration and get to work harvesting user data. In addition, Vidar was observed downloading and executing further malware payloads.
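    The delivery pattern above, an attachment named like a document that is really a disk image carrying a CHM file and an executable, lends itself to a simple mail-gateway check: compare what the file name claims with what the bytes actually are. The script below is an added example written for this page, not code from Trustwave or ZDNet. The file names request.doc, pss10r.chm and app.exe come from the report; the magic-number table, the policy of treating ISO, CHM and PE content as risky, and the sample attachments (including a constructed ISO 9660 volume descriptor) are assumptions made for the demonstration.

```python
"""Flag email attachments whose content does not match their extension.

Added example (not Trustwave's or ZDNet's code). Sample data is constructed.
"""
import os

# ISO 9660 keeps its primary volume descriptor in sector 16 (2048-byte
# sectors): one type byte 0x01 followed by the identifier "CD001".
ISO_PVD_OFFSET = 16 * 2048

# Minimal magic-number table (assumed; real gateways carry far more).
MAGIC = {
    "ole": (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),  # legacy Office compound file (.doc/.xls)
    "zip": (0, b"PK\x03\x04"),                        # zip, including OOXML (.docx)
    "pdf": (0, b"%PDF"),
    "pe": (0, b"MZ"),                                 # Windows executable
    "chm": (0, b"ITSF"),                              # Compiled HTML Help
    "iso": (ISO_PVD_OFFSET, b"\x01CD001"),            # ISO 9660 disk image
}

# Which detected kinds are acceptable for a given claimed extension.
EXPECTED = {
    ".doc": {"ole"},
    ".docx": {"zip"},
    ".pdf": {"pdf"},
    ".exe": {"pe"},
    ".chm": {"chm"},
    ".iso": {"iso"},
}

# Content types that can run code when a user opens them (policy choice).
RISKY = {"iso", "chm", "pe"}


def identify(data: bytes) -> str:
    """Return the content kind by magic bytes, or 'unknown'."""
    for kind, (offset, signature) in MAGIC.items():
        if data[offset:offset + len(signature)] == signature:
            return kind
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with the real content and explain why it is suspicious."""
    ext = os.path.splitext(filename)[1].lower()
    actual = identify(data)
    reasons = []
    expected = EXPECTED.get(ext)
    if expected is not None and actual not in expected:
        reasons.append(f"extension {ext} but content is {actual}")
    if actual in RISKY:
        reasons.append(f"content type {actual} can execute code when opened")
    return {
        "filename": filename,
        "claimed_ext": ext,
        "actual": actual,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def fake_iso() -> bytes:
    """Constructed stand-in for a disk image: zeros plus a valid PVD marker."""
    buf = bytearray(ISO_PVD_OFFSET + 2048)
    buf[ISO_PVD_OFFSET:ISO_PVD_OFFSET + 6] = b"\x01CD001"
    return bytes(buf)


# Constructed sample attachments; only the headers matter for this check.
SAMPLE_ATTACHMENTS = [
    ("request.doc", fake_iso()),                                       # the Vidar lure
    ("pss10r.chm", b"ITSF" + bytes(60)),                               # CHM inside the image
    ("app.exe", b"MZ" + bytes(62)),                                    # payload launcher
    ("quarterly.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(56)),  # genuine .doc
    ("invoice.pdf", b"%PDF-1.7\n" + bytes(50)),                         # genuine PDF
]

if __name__ == "__main__":
    for name, blob in SAMPLE_ATTACHMENTS:
        verdict = check_attachment(name, blob)
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{name:15} -> {verdict['actual']:8} {flag} {'; '.join(verdict['reasons'])}")
```

    The check deliberately reads magic bytes rather than trusting the extension, because that is exactly what the lure relies on: a mail client or user sees “.doc” while Windows mounts the file as a disk image. Treating ISO and CHM content as risky regardless of name covers the second stage as well, since the CHM only does harm when it can find app.exe beside it.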

    Mustang Panda hacking group takes advantage of Ukraine crisis in new attacks

    Researchers have exposed a Mustang Panda campaign that is taking advantage of the Russia-Ukraine conflict to spread new malware. On March 23, researchers from ESET said that Mustang Panda, a Chinese cyberespionage group also tracked as TA416, RedDelta, and Bronze President, has been spreading a new Korplug/PlugX Remote Access Trojan (RAT) variant.

    Korplug is a RAT previously used in attacks against the Afghanistan and Tajikistan militaries, targets across Asia, and high-value organizations in Russia. Researchers say that Chinese threat actors have used variants of the Trojan since at least 2012. The new variant, however, has remained under the radar until now.

    ESET has named the new sample Hodur. The new version has some similarities to Thor, a variant of the malware detected by Palo Alto Networks in 2021 and deployed during the Microsoft Exchange Server debacle.

    Hodur is being spread through a phishing campaign leveraging topics of interest in Europe, including Russia’s current invasion of Ukraine. The attack wave is still ongoing but has taken different forms since August 2021, depending on current events. By adapting its phishing methods to include current hot topics, conflicts, and news items, Mustang Panda has managed to successfully infiltrate research organizations, internet service providers (ISPs), and systems belonging to European diplomatic initiatives across countries including Mongolia, Vietnam, Myanmar, Greece, Russia, South Africa, and Cyprus.

    While ESET is not certain of the campaign’s initial access vector, phishing and watering hole attacks are the likely means. Custom downloaders for Hodur have been found in several decoy documents with names including:

    • Situation at the EU borders with Ukraine.exe
    • COVID-19 travel restrictions EU reviews list of third countries.exe
    • State_aid__Commission_approves_2022-2027_regional_aid_map_for_Greece.exe
    • REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL.exe

    The decoys were also packaged up with .doc and .PDF extensions. If an intended victim opens the decoy document and executes the package, a malicious .DLL file, an encrypted Korplug file, and an executable vulnerable to DLL search-order hijacking land on the target machine. The .exe file loads the .DLL, and then the RAT is decrypted and unpacked. The Korplug RAT variant will then establish a backdoor, connect to its command-and-control (C2) server, and perform reconnaissance on the infected system.

    In other security news this week, Google has removed a popular Android app from the Play Store after Pradeo warned that the application contained a Trojan able to harvest Facebook account credentials.

    Ransomware is scary, but another scam is costing victims much, much more, says FBI

    Business email compromise (BEC) remains the biggest source of financial losses, which totaled $2.4 billion in 2021, up from an estimated $1.8 billion in 2020, according to the Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3). The FBI says in its 2021 annual report that Americans last year lost $6.9 billion to scammers and cyber criminals through ransomware, BEC, and cryptocurrency theft related to financial and romance scams. In 2020, that figure stood at $4.2 billion.

    Last year, the FBI’s Internet Crime Complaint Center (IC3) received 847,376 complaints about cybercrime losses, up 7% from 791,790 complaints in 2020.

    BEC has been the largest source of fraud for several years despite ransomware attacks grabbing most headlines. “In 2021, BEC schemes resulted in 19,954 complaints with an adjusted loss of nearly $2.4 billion,” said Paul Abbate, deputy director of the FBI, in an introduction to the report. “In 2021, heightened attention was brought to the urgent need for more cyber incident reporting to the federal government.”

    IC3’s statistics in its annual reports are based on information the public submits to its website www.ic3.gov. Since 2017, the IC3 has received 2.76 million complaints that indicate US consumers and businesses have lost $18.7 billion.

    BEC scams have evolved with technology, such as AI-created audio and video deep fakes, as the pandemic forced businesses to move to online video meetings via Zoom or Microsoft Teams. Originally, BEC scams relied on spoofing or hacking a business email account of a senior officer and then instructing a subordinate to wire funds to the scammer’s bank account. The emails often targeted real estate companies.

    “Now, fraudsters are using virtual meeting platforms to hack emails and spoof business leaders’ credentials to initiate the fraudulent wire transfers. These fraudulent wire transfers are often immediately transferred to cryptocurrency wallets and quickly dispersed, making recovery efforts more difficult,” the FBI noted.

    In those meetings, the fraudster would insert a still picture of the CEO with no audio, or a ‘deep fake’ audio, through which fraudsters, acting as business executives, would then claim their audio/video was not working properly. The fraudster then uses video to instruct employees to complete a wire transfer or uses an executive’s compromised email to deliver wiring instructions.

    Cryptocurrency laundering was a huge business last year. Blockchain analysis firm Chainalysis reported that cyber criminals washed about $8.6 billion worth of cryptocurrency in 2021. North Korean hackers stole around $400 million in cryptocurrency last year, and used cryptocurrency mixer or ‘tumbler’ software that splits funds into small sums and blends them with other transactions before sending the amounts to a new address.

    IC3 received 3,729 complaints about ransomware attacks that amounted to adjusted losses of more than $49.2 million. The FBI noted that ransomware groups use phishing emails, stolen remote desktop protocol (RDP) credentials, and software flaws to infect victims with ransomware. In February, IC3 reported an uptick in “high-impact” ransomware attacks during 2021 based on data from the FBI, National Security Agency, and cybersecurity agencies from the UK and Australia. The other major trends are ransomware-as-a-service, where the attackers provide ransom negotiation services, and the rise of access brokers, who supply compromised accounts to ransomware gangs.

    The notorious Conti ransomware gang got a special mention in IC3’s report. IC3 only started tracking ransomware targeting US critical infrastructure operators in June, covering attacks on US operators of water and waste water systems, food and agriculture, healthcare and emergency medical services, law enforcement, 911 dispatch centers, and firms in the chemical, energy, finance and tech sectors. The IC3 received 51 reports about REvil ransomware attacks, 58 reports about Lockbit 2.0, and 87 reports about Conti attacks.

    “Of all critical infrastructure sectors reportedly victimized by ransomware in 2021, the healthcare and public health, financial services, and information technology sectors were the most frequent victims,” IC3 said. It anticipates an increase in critical infrastructure victimization in 2022, and does not encourage paying a ransom to criminals.

    The US is reorganizing how critical infrastructure operators report significant hacks. Newly passed legislation requires operators to report these hacks and ransom payments to the Cybersecurity and Infrastructure Security Agency (CISA) rather than the FBI. CISA has committed to immediately share reports it receives with the FBI.