More stories

  • Asian cybercrime takedown leads to intercept of $83 million in financial theft

    A crackdown on financial cybercrime across Asia has resulted in $83 million sent by victims to criminals being intercepted. 

    Interpol said last week that Operation Haechi-i, running between September 2020 and March 2021, focused on combating investment fraud, romance scams, money laundering linked to illegal online gambling, online sextortion, and voice phishing. In total, $83 million was intercepted over the course of six months before the victims of these scams sent all of the requested funds to cybercriminals.  In one case cited by Interpol, a Korean company became the victim of a business email compromise (BEC) scam after being approached by what the firm thought was a trading partner.  Invoices had been requested and the bank details were covertly changed to bank accounts belonging to the cybercriminals. Approximately $7 million was transferred and then routed to accounts in Indonesia and Hong Kong. Interpol was able to intercept and freeze roughly half of the stolen funds, but the investigation is ongoing.  In a separate incident, a criminal gang in Hong Kong pushed a ‘pump and dump’ stock scheme, purchasing a vast number of shares and taking to social media to push the price up further. The group then coordinated its own sales, collapsing the price for outside investors. Trading accounts were frozen. 

    Interpol says that Operation Haechi-i has led to 585 arrests, over 1,600 bank accounts being frozen, and more than 1,400 individual criminal investigations being opened. Out of these cases, 892 have now been solved.  Financial cybercrime, conducted through online platforms and services, is a global issue that requires cross-border collaboration. Operation Haechi-i is an example of this, as it included specialist law enforcement officers in Cambodia, China, Indonesia, South Korea, Laos, the Philippines, Singapore, Thailand, and Vietnam.  Operation Haechi-i is the first operation planned over the next three years by law enforcement in Southeast Asia to tackle financial cybercrime.  “The key factors in intercepting illicit money transfers are speed and international cooperation,” commented Amur Chandra, Brigadier General of the Indonesian National Police and Secretary of Indonesia’s Interpol National Central Bureau. “The faster victims notify law enforcement, the faster we can liaise with Interpol and law enforcement in the relevant countries to recover their funds and put these criminals behind bars.”

  • SEC charges US promoters for marketing alleged BitConnect cryptocurrency Ponzi scheme

    The US Securities and Exchange Commission (SEC) has charged five members of BitConnect’s promoter network over their alleged role in the marketing of the scam. 

    The regulator claims that the five promoted BitConnect as a “global unregistered digital asset securities offering that raised over $2 billion from retail investors” — many of whom lost their money when BitConnect collapsed in 2018. SEC’s complaint (.PDF), filed in the US District Court for the Southern District of New York, names Trevon Brown (also known as Trevon James), Craig Grant, Ryan Maasen, and Michael “Michael Crypto” Noble, all of whom reside in the country.  According to SEC, from roughly January 2017 to January 2018, Brown, Grant, Maasen, and Noble promoted, offered, and sold securities as part of BitConnect’s lending program, which promised clients a return as high as 40% on their investments by trading on the price of Bitcoin (BTC) and capitalizing on its volatility. Funds were sent in BTC and converted to BitConnect’s BCC.  Marketing was conducted through videos on YouTube and testimonial-style content that was published — sometimes several times a day.  In return, SEC says the promoters, among others in the network, earned a commission when “soliciting investor funds.” In total, it is estimated that $2 billion was raised during BitConnect’s lifetime and commission rates ranged between 0.2% and 5%.  The most active and successful promoters were also allegedly awarded commission through “development funds,” calculated each week as new investors joined the fold.

    “Brown obtained at least $480,000, Grant over $1.3 million, Maasen over $475,000, and Noble over $730,000 as “referral commissions” and “development funds” from promoting and touting investments into BitConnect’s lending program to retail investors,” SEC says.  SEC claims that BitConnect’s offerings were not registered, and the promoters allegedly acted as broker-dealers — while also failing to register, as required by federal securities laws.   Another named individual in the United States, Joshua Jeppesen, has been charged as an alleged liaison between BitConnect and the platform’s promoters, earning himself a reported $2.6 million in the process.  BitConnect closed its doors in 2018, citing bad press, distributed denial-of-service (DDoS) attacks, and regulatory investigations as the core reasons. US regulators sent cease-and-desist letters to the lending platform due to its failure to register, and BitConnect’s operators said these demands “became a hindrance for the legal continuation of the platform.” BCC then crashed, wiping out the value of existing investments, and the platform’s operators were accused of performing an exit scam, taking with them approximately $14.5 million.  Brown, Grant, Maasen, and Noble are being charged with the violation of registration provisions, whereas Jeppesen is being charged with “aiding and abetting BitConnect’s unregistered offer and sale of securities.” SEC is seeking injunctions, civil penalties, and disgorgement with interest.  “We will seek to hold accountable those who illegally profit by capitalizing on the public’s interest in digital assets,” commented Lara Mehraban, Associate Regional Director of SEC’s New York office.  An Australian promoter of BitConnect was arrested last year by the Australian Securities and Investments Commission (ASIC).

  • Do you trust Amazon to share your internet connection with others?

    Amazon is getting ready to switch on a new service called Amazon Sidewalk, and if you own an Echo device, or a Ring Floodlight and Spotlight Cam, then the chances are that you are going to start donating part of your internet connection to making this work.  The idea behind Amazon Sidewalk is that without a reliable internet connection, having a device like a webcam doorbell or security doorbell is somewhat pointless. So, to combat this poor connectivity, Amazon is planning to turn select Echo and Ring devices into Sidewalk Bridges and use your internet connection to help others. And starting June 8 (US only for now), Amazon will be turning your devices into Sidewalk Bridges unless you opt out. Here’s how Amazon describes it: “Amazon Sidewalk helps your devices get connected and stay connected. For example, if your Echo device loses its wifi connection, Sidewalk can simplify reconnecting to your router. For select Ring devices, you can continue to receive motion alerts from your Ring Security Cams and customer support can still troubleshoot problems even if your devices lose their wifi connection. Sidewalk can also extend the working range for your Sidewalk-enabled devices, such as Ring smart lights, pet locators or smart locks, so they can stay connected and continue to work over longer distances. Amazon does not charge any fees to join Sidewalk.” Later this month, Tile tags will be able to connect to Amazon Sidewalk, extending their capability and making them more competitive in the face of Apple’s AirTag.

    How much of your bandwidth will Sidewalk use up? According to Amazon, it is restricted to 80Kbps, or as Amazon puts it, about 1/40th of the bandwidth used to stream a typical high definition video, and the total monthly usage is capped at 500MB, which, as Amazon puts it, is equivalent to streaming about 10 minutes of high definition video.

    But is it secure? Amazon says yes, and has published a privacy and security whitepaper outlining how it has accomplished this. This document concludes with why users should have this feature enabled: “By sharing a small portion of their home network bandwidth, neighbors give a little—but get a lot in return.” But does trust need to be earned?

    Want to say no to Amazon Sidewalk? Here’s how:

      • Fire up your Alexa app
      • Tap More and then Settings
      • Tap Account Settings
      • Tap Amazon Sidewalk
      • Now you can turn Amazon Sidewalk on or off

    What do you think about Amazon Sidewalk? Let me know in the comments below.

  • Canberra considers its digital ID for use in verifying age before accessing porn

    The federal government has responded to a report on age verification for online wagering and online pornography, saying it is considering, at least in principle, if the nation’s digital identity system could be extended to help with protecting children from online harms. The House of Representatives Standing Committee on Social Policy and Legal Affairs closed its inquiry into age verification for online wagering and online pornography last year, tabling a report in February 2020. Making a total of six recommendations, the committee asked the Digital Transformation Agency (DTA) to extend its digital identity program to include an age-verification exchange for the purpose of third-party online age verification. This was despite the eSafety Commissioner saying on many occasions there are no “out-of-the-box technology solutions” that would solve this issue and it is her opinion that age verification should not be seen as a panacea. In response [PDF] to the recommendation, the government said it supports it in principle. “Initially, the government’s priority will be to complete work underway that explores the potential for changes to the policy and accreditation framework … depending upon the findings of this work, further technical interventions may be required,” it wrote. “If so, the government agrees that the Digital Transformation Agency is well placed to explore extending the digital identity program.” The DTA, in November 2019, declared its digital identity play would be a valuable tool in verifying an individual’s age before allowing access to online pornographic material.

    The committee also recommended the DTA, in consultation with the Australian Cyber Security Centre (ACSC), develop standards for online age verification for age-restricted products and services. It said these standards should specify minimum requirements for privacy, safety, security, data handling, usability, accessibility, and auditing of age-verification providers. The government said it supports this recommendation in principle. “The government is committed to protecting young people while safeguarding the privacy and security of people of all ages in an increasingly digital environment,” it said. Such commitments include work from eSafety on the development of a roadmap for the implementation of a mandatory age verification regime for online pornographic material, as well as work underway by the Department of Social Services which is completing a review of customer verification requirements for online wagering services. “Subject to the findings of the work outlined above, further technical standards-based work may be required which could include requirements for privacy, safety, security, data handling, usability, accessibility, and auditing of age-verification providers,” it said, noting it considers the DTA and the ACSC “well-placed” to provide assistance or advice. In its response to the remaining recommendations, the government pointed to the yet-to-be-passed Online Safety Act, the Australian Competition and Consumer Commission’s work on app marketplace practices, and work from eSafety including its Safety By Design initiative as helping address the concerns raised by the committee. “While there are no simple solutions to any online safety issue, technologies, such as age verification, age assurance, and age prediction, are developing at pace,” the government wrote. “If used in conjunction with filtering and other proactive user safety settings, they can play a role in limiting exposure to harmful content for children.” It said it also recognises that technological solutions alone would not stop all children from accessing online pornography or other age-inappropriate services. “A multifaceted approach that includes parental engagement and education is vital to reduce the adverse effects of online pornography and other harmful content. Online safety requires long-term, sustained social and cultural change, through the coordinated efforts of the global community, and greater collaboration and consultation between industry, government, and the general public,” it said.

  • JBS USA cyber attack affecting North American and Australian systems

    United States-based food processing company JBS USA has confirmed falling victim to a cyber attack, with the aftermath affecting its North American and Australian systems. “On Sunday, May 30, JBS USA determined that it was the target of an organised cybersecurity attack, affecting some of the servers supporting its North American and Australian IT systems,” it said in a statement. “The company took immediate action, suspending all affected systems, notifying authorities, and activating the company’s global network of IT professionals and third-party experts to resolve the situation.” JBS said its backup servers were not affected, and that it was actively working with an incident response firm to restore its systems “as soon as possible”. It also said it is currently not aware of any evidence to suggest customer, supplier, or employee data has been compromised or misused as a result of the attack. “Resolution of the incident will take time, which may delay certain transactions with customers and suppliers,” it added.

    Over in New Zealand, Waikato District Health Board (DHB) has issued an update on the ransomware attack it suffered two weeks ago. Waikato DHB on May 18 experienced a full outage of its information services. On Monday, the organisation said progress was being made to restore its IT systems and that the focus was to move towards a recovery phase to “progressively stand up services”. It said clinical services across all departments and hospitals ran relatively smoothly over the weekend, but reiterated that emergency departments at all the DHB hospitals in Waikato, Tokoroa, Te Kuiti, Taumarunui, and Thames should be kept for emergencies only. Work on IT systems, Waikato DHB said, is continuing in “priority areas for restoration” across radiation therapy, lab systems, radiology for imaging, result viewer, and IPM, which is the organisation’s patient management system. “There is a recovery process needed before these are functioning services,” it said. “We continue to work with legal experts and the Privacy Commissioner as the investigation is ongoing. A number of individuals were identified last week and the majority have now been contacted.”

  • Brazil approves stricter legislation to tackle online crime

    The Brazilian government has passed new legislation introducing tougher measures against fraud and crimes perpetrated in digital environments. Under Law 14.155, sanctioned last Thursday (27), the Brazilian Penal Code has been altered to add more stringent penalties in relation to device invasion, theft and misconduct in digital media environments, as well as crimes committed using information that a victim was induced or misled into providing through fraudulent emails, social networks, or contacts via telephone.

    Crimes within the scope of the new legislation include cloning of messaging apps such as WhatsApp, whereby criminals can, for example, request money from the victim’s contacts, and phishing. Brazil is a world leader in phishing attacks, with one in five Internet users in the country targeted at least once in 2020. The updated law establishes sentences and fines, with the length of jail terms increasing if the victim suffers economic damage, for crimes relating to the invasion of electronic devices such as smartphones and computers with the objective of obtaining, tampering with or destroying information without the consent of users, or with the goal of installing software to obtain illicit advantage. Moreover, the updated law also relates to theft through fraud via an electronic device, with or without the violation of security mechanisms in place, or through use of malicious software, or by any other fraudulent means. Under the recently sanctioned legislation, sentences for cybercriminals can range from 1 to 8 years in addition to fines, with penalties increasing if crimes are committed through server infrastructure based outside Brazil, or if the victim is elderly or vulnerable. The introduction of tougher penalties for cybercriminals in Brazil follows legislation passed in March that criminalized stalking online and in physical environments. The penalty for such practices, which can be amplified through social networks, is a jail term that can range from 6 months to 2 years, in addition to a fine.

  • Microsoft wants to unite APAC governments with cybersecurity council

    Microsoft has galvanised policy makers across seven Asia-Pacific markets, including Singapore and Indonesia, in a bid to facilitate the sharing of threat intelligence and resources amongst their respective public sectors. The US software vendor says “collective” efforts across the region are critical in combating cybersecurity threats, which are inevitable in an increasingly interconnected world. It noted that Asia-Pacific saw malware and ransomware attacks at higher frequencies, clocking 1.6 and 1.7 times higher, respectively, than the global average. Citing numbers from its 2019 threat report, Microsoft said developing markets such as Indonesia, India, and Sri Lanka were most vulnerable to such threats that year.  It added that cybercrime not only resulted in financial losses and brought down operations, but also posed risks to national security and eroded trust in digital economies.

    Stressing the need to band together to more effectively combat cybercrime, Microsoft said Monday it launched the Asia-Pacific Public Sector Cyber Security Executive Council to unify policy makers from government and state agencies. The goal here was to establish communications between these organisations and facilitate the sharing of best practices. This, it hoped, would drive the exchange of threat intelligence and technology in a “timely and open manner”, and better position the region in its response to cyber attacks.  It said 15 policy makers from Singapore, Indonesia, South Korea, Malaysia, Thailand, Brunei, and the Philippines had joined the council, which would be supported by Microsoft’s cybersecurity experts. The vendor said members would meet virtually every quarter to establish a “continuous” sharing of information on cyber threats and cybersecurity products. Three of the council’s founding members are from Malaysia, Korea, and Thailand. Microsoft, however, did not say which government agencies or nations the remaining policy makers were from. It said only that members included “government leaders, policymakers, regulators, and industry stakeholders”. ZDNet also posed questions, amongst others, on segments the council would focus on, how it planned to work with other regional efforts such as the Asean Ministerial Conference on Cybersecurity, and whether Microsoft would bring other market players into the council. This article will be updated when responses come in.

    Meanwhile, Microsoft did say the council members would be part of a forum that comprised the vendor’s “ecosystem of cybersecurity industry advisors”. This would give them access to its security certification training, workshops, and hands-on lab sessions. The aim here was to enhance digital and cybersecurity skills in the participating nations, Microsoft said. It noted that with most technology infrastructure owned and operated by private companies, it was critical that governments formed coalitions with technology companies to drive cyberdefense strategies and safeguard the region against attackers. Yun Chang Hee, principal researcher of National Information Society Agency Korea’s AI and future strategy centre, said: “The collective intelligence amongst the Asia-Pacific nations is paramount to jointly share best practices and strategies that will enable us to resolve cybersecurity challenges at a faster pace, and a more proactive manner. “With similar threat landscapes, this partnership will ensure that we are steps ahead of the perpetrators, establishing higher standards for the cybersecurity ecosystem,” Yun said. National Cybersecurity Agency Thailand’s group captain and acting Deputy Secretary General, Amorn Chomchoey, added: “The cybersecurity executive council is an instrumental platform for collaboration between our nations. The stronger relationships we will forge via this council will enable us to anticipate threats as early as possible, prevent them before the effects of cybercrime evolves into another ‘pandemic’ for the cyberworld.”

  • Researchers find four new malware tools created to exploit Pulse Secure VPN appliances

    Researchers have uncovered four new malware families designed to target Pulse Secure VPN appliances. 

    Pulse Secure’s virtual private network (VPN) and Secure Connect (PSC) solutions are used by corporations worldwide to provide secure access to business systems. However, on April 20, FireEye’s Mandiant cyber forensics team disclosed attacks against defense, government, and financial organizations utilizing vulnerabilities in the software. The major vulnerability at hand is CVE-2021-22893, issued a CVSS severity score of 10, described as an authentication bypass impacting Pulse Connect Secure permitting unauthenticated attackers to perform remote arbitrary code execution (RCE). Other security flaws connected to attacks are CVE-2019-11510, CVE-2020-8260, and CVE-2020-8243, which can be used to establish persistence on a vulnerable appliance and further compromise devices.  Mandiant suspects that Chinese threat actors are exploiting the vulnerabilities, and now, intrusions have been detected at defense, government, technology, transport, and financial entities in the United States and Europe.  According to the researchers, UNC2630 and UNC2717 are the main advanced persistent threat (APT) groups involved in these attacks, both of which “support key Chinese government priorities.” “Many compromised organizations operate in verticals and industries aligned with Beijing’s strategic objectives outlined in China’s recent 14th Five Year Plan,” Mandiant says. “While there is evidence of data theft at many organizations, we have not directly observed the staging or exfiltration of any data by Chinese espionage actors that could be considered a violation of the Obama-Xi agreement.”

    In Mandiant’s original report, 12 separate malware families and tools, including the Atrium and Slightpulse webshells, had been found that weaponized Pulse Secure vulnerabilities.  This number has now reached 16 with the discovery of four new malware families linked to UNC2630:

      • Bloodmine: This utility parses PSC log files and extracts information relating to logins, message IDs, and web requests.
      • Bloodbank: This malware is designed for credential theft and parses files containing password hashes or plaintext credentials.
      • Cleanpulse: Cleanpulse is a memory patching tool for preventing specific log events. Mandiant discovered this malware in “close proximity” to an Atrium webshell.
      • Rapidpulse: This is a webshell that exists as a modification to a legitimate Pulse Secure file and is not only capable of arbitrary file read, but can also act as an encrypted file downloader.

    Mandiant notes that in some cases of intrusion, the Chinese threat actors removed a number of backdoors — but left persistence patchers potentially as a means to regain access in the future — demonstrating an unusual “concern for operational security and a sensitivity to publicity.” “Chinese cyber espionage activity has demonstrated a higher tolerance for risk and is less constrained by diplomatic pressures than previously characterized,” Mandiant added.  Pulse Secure parent company Ivanti has released patches and an integrity tool for users to check their builds for risk. It is recommended that the fixes are applied as soon as possible.  The US Cybersecurity and Infrastructure Security Agency (CISA) first issued an alert on the exploitation of Pulse Connect Secure products on April 21 and has since updated its guidance.   In other alerts this week, the FBI has warned of ongoing attacks using Fortinet/FortiOS vulnerabilities (CVE-2018-13379, CVE-2020-12812, FortiOS CVE-2019-5591). In May, an APT group managed to leverage these bugs to access a web server hosting a domain for a US municipal government.