More stories

  • Microsoft: This new open source tool helps you test your defences against hacker attacks

    Microsoft has released SimuLand, an open-source project which aims to help security teams reproduce known attack scenarios – and test just how good Microsoft’s core security products are. SimuLand is a set of lab environments that allow researchers to test their Microsoft defenses. The framework can be used by researchers to test and verify the effectiveness of related Microsoft 365 Defender, Azure Defender, and Azure Sentinel detections. Microsoft plans to add more attack scenarios in future, but said the aim of the project is to help security teams understand the underlying behavior and functionality of adversary tradecraft, and identify mitigations and attacker paths by documenting preconditions for each attacker action, and thus validate and tune detection capabilities.

    Currently, it only includes the environment for “Golden SAML AD FS Mail Access” — an attack on Microsoft’s Active Directory Federation Services (AD FS) authentication scheme. That’s a notable one, which affects Microsoft 365, and something similar was used in conjunction with the SolarWinds software supply chain attack that impacted FireEye and Microsoft. The US and UK accused Russian intelligence of the SolarWinds attack. As FireEye explained last month, the hackers stole the token-signing certificate from an organization’s AD FS server, which let them bypass MFA and access Microsoft cloud services as if they were an approved user. It took advantage of the design of processes for on-premise AD servers authenticating to cloud-based Microsoft 365 services, such as email.
    According to Microsoft, its tool will allow researchers to “simulate an adversary stealing the AD FS token signing certificate, from an ‘on-prem’ AD FS server, in order to sign SAML token, impersonate a privileged user and eventually collect mail data in a tenant via the Microsoft Graph API.” Microsoft promises that SimuLand will “extend threat research using telemetry and forensic artifacts generated after each simulation exercise.”

    Future improvements to the project include:

      • A data model to document the simulation steps in a more organized and standardized way.
      • A CI/CD pipeline with Azure DevOps to deploy and maintain infrastructure.
      • Automation of attack actions in the cloud via Azure Functions.
      • Capabilities to export and share telemetry generated with the InfoSec community.
      • Microsoft Defender evaluation labs integration.

    Azure Sentinel, Microsoft’s cloud-based security information and event management (SIEM) system, is also in focus. SimuLand will help users map out threats in Sentinel when investigating an attack.
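    As an added example (not part of the original article, nor code from SimuLand or Microsoft), the Golden SAML flow described above can be hunted for on the defender’s side by reconciling the tenant’s federated sign-ins against the AD FS farm’s own token-issuance records: an assertion the tenant accepted but AD FS never logged issuing, or one that claims MFA the farm never performed, is the tell-tale of a token signed with a stolen certificate. The record fields, event names and sample telemetry below are constructed for this example and do not reflect a real Sentinel or AD FS log schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class AdfsIssuance:
    """A token-issuance record from the on-prem AD FS farm (constructed schema)."""
    when: datetime
    user: str
    assertion_id: str   # assumption: the farm logs the SAML assertion id it minted
    mfa_performed: bool


@dataclass(frozen=True)
class CloudSignIn:
    """A federated sign-in the cloud tenant accepted (constructed schema)."""
    when: datetime
    user: str
    assertion_id: str   # assertion id carried in the token the tenant accepted
    mfa_claimed: bool   # the token asserted that MFA was satisfied
    resource: str


@dataclass(frozen=True)
class Finding:
    user: str
    assertion_id: str
    resource: str
    reason: str
    severity: str


def index_issuances(issued: List[AdfsIssuance]) -> Dict[str, AdfsIssuance]:
    """Key the farm's issuance records by assertion id for direct lookup."""
    return {rec.assertion_id: rec for rec in issued}


def check_sign_in(
    signin: CloudSignIn,
    issued_by_id: Dict[str, AdfsIssuance],
    privileged: FrozenSet[str] = frozenset(),
    window: timedelta = timedelta(minutes=10),
) -> Optional[Finding]:
    """Reconcile one cloud sign-in against the AD FS issuance index.

    A token forged with a stolen signing certificate validates at the tenant
    but leaves no issuance record on the farm, so the tenant-side event has
    no matching server-side event, or matches one whose subject, timing or
    MFA state disagrees with the claims the token presented.
    """
    # The scenario ends with a privileged user reading mail through Graph,
    # so anything involving a known privileged account is escalated.
    base = "high" if signin.user in privileged else "medium"

    def finding(reason: str, severity: str = base) -> Finding:
        return Finding(signin.user, signin.assertion_id, signin.resource, reason, severity)

    rec = issued_by_id.get(signin.assertion_id)
    if rec is None:
        return finding("tenant accepted an assertion the AD FS farm never logged issuing")
    if rec.user != signin.user:
        return finding("assertion subject differs from the AD FS issuance record", "high")
    if abs(signin.when - rec.when) > window:
        return finding("assertion presented outside the expected issuance window")
    if signin.mfa_claimed and not rec.mfa_performed:
        return finding("token claims MFA but the farm recorded no MFA for this assertion", "high")
    return None


def hunt(
    issued: List[AdfsIssuance],
    signins: List[CloudSignIn],
    privileged: FrozenSet[str] = frozenset(),
) -> List[Finding]:
    """Run the reconciliation over every sign-in, oldest first."""
    idx = index_issuances(issued)
    findings = []
    for s in sorted(signins, key=lambda e: e.when):
        f = check_sign_in(s, idx, privileged)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample telemetry: two legitimate sessions, one token that
# claims MFA the farm never performed, and one token the farm never issued.
T0 = datetime(2021, 5, 20, 9, 0, 0)
SAMPLE_ISSUED = [
    AdfsIssuance(T0, "alice@example.test", "a-001", mfa_performed=True),
    AdfsIssuance(T0 + timedelta(minutes=30), "bob@example.test", "a-002", mfa_performed=False),
]
SAMPLE_SIGNINS = [
    CloudSignIn(T0 + timedelta(minutes=1), "alice@example.test", "a-001", True, "Outlook"),
    CloudSignIn(T0 + timedelta(minutes=31), "bob@example.test", "a-002", False, "Teams"),
    CloudSignIn(T0 + timedelta(minutes=32), "bob@example.test", "a-002", True, "Microsoft Graph"),
    CloudSignIn(T0 + timedelta(minutes=75), "admin@example.test", "a-999", True, "Microsoft Graph"),
]
PRIVILEGED = frozenset({"admin@example.test"})

if __name__ == "__main__":
    for f in hunt(SAMPLE_ISSUED, SAMPLE_SIGNINS, PRIVILEGED):
        print(f"[{f.severity}] {f.user} {f.assertion_id} -> {f.resource}: {f.reason}")
```

The same join works against real exports once the two sides share a correlating field; the gap this closes is that the tenant alone cannot tell a forged token from a legitimate one, because both carry a valid signature.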

  • This ransomware-spreading malware botnet just won't go away

    The Phorpiex malware botnet has lurked around the internet for years and is used to deliver ransomware, spam email and more, but now Microsoft’s security team is taking a closer look at it.

    The botnet, known for using old-fashioned worms that spread via removable USB drives and instant messaging apps, began diversifying its infrastructure in recent years to become more resilient and to deliver more dangerous payloads, Microsoft said. The botnet’s geographic targeting for bot distribution and installation expanded, too, it said: more recent activity shows a shift to a more global distribution.

    Phorpiex itself came under attack in early 2020 after someone apparently hijacked its backend and started uninstalling the spamming functionality from infected hosts. The hijacker even developed a popup warning users to install antivirus and update their computers. Security firm Check Point noted in November 2020 that Phorpiex had been distributing the Avaddon ransomware, a then-new ransomware service rented out to other cybercrime groups to infect targets. “Phorpiex is one of the oldest and most persistent botnets, and has been used by its creators for many years to distribute other malware payloads such as GandCrab and Avaddon ransomware, or for sextortion scams,” Check Point malware analysts noted.

    One reason Microsoft is taking an interest in it is that the Phorpiex bot disables Microsoft Defender antivirus to maintain persistence on target machines. “This includes modifying registry keys to disable firewall and antivirus popups or functionality, overriding proxy and browser settings, setting the loader and executables to run at startup, and adding these executables to the authorized application lists,” Microsoft notes in a blogpost.

    Enterprise customers can prevent these attempts by enabling tamper protection in Microsoft Defender for Endpoint, Microsoft’s cloud-based advanced security feature, which will automatically revert changes made by the bot. According to Check Point, in January Phorpiex was the second largest botnet after Emotet, which law enforcement decommissioned in January and defanged in April.

    Microsoft notes that from December 2020 to February 2021, the Phorpiex bot loader was encountered in 160 countries. The highest levels of encounters were in Mexico (8.5%), Kazakhstan (7.8%), and Uzbekistan (7.3%). Unusually, US encounters only accounted for 2.8%. “The combination of the wide variety of infection vectors and outcomes makes the Phorpiex botnet appear chaotic at first glance. However, for many years Phorpiex has maintained a consistent internal infrastructure using similar domains, command-and-control (C2) mechanisms, and source code,” Microsoft threat researchers note.

    While the bot loader targets computers in Mexico and western Asia, its spam and extortion campaigns target multiple regions and languages. “We observed Phorpiex operators requiring payment primarily through Bitcoin and Dash. Examples of one such cryptocurrency profit volume from a campaign in late February 2021 targeting English speaking users is below, with the subject ‘Payment from your account’,” says Microsoft. The group made $13,000 in just 10 days using social engineering tricks like claiming in messages there were security bugs in Zoom. The scammers claimed the bug allowed them to capture video material, which they would use to extort victims.

    Ransomware distribution possibly presents the greatest threat. The Avaddon ransomware, distributed by Phorpiex, “performs language and regional checks for Russia or Ukraine before running to ensure only favored regions are targeted,” according to Microsoft. Avaddon appears to be more of an automated type of ransomware than hands-on-keyboard operated ransomware. Avaddon usually demands a ransom of $700 worth of Bitcoin.

  • Irish court issues injunction against Conti hackers to stop health service data exposure, sale

    Dublin’s High Court has issued an injunction against the Conti ransomware group to stop data belonging to Ireland’s health service from becoming public. 

    In what appears to be an effort at damage control, the injunction against “persons unknown” would make it illegal for information stolen during a ransomware attack against the Health Service Executive (HSE) to be shared, processed, sold, or otherwise published online, as noted by the Financial Times. The ransomware attack took place on May 14. The HSE pulled all of its systems offline to try and mitigate the spread of infection, causing widespread disruption to healthcare services as a consequence.

    Ireland’s HSE is responsible for healthcare services across the country. While the ongoing COVID-19 vaccination program and ambulance services carried on as normal, some outpatient services — including those offered by maternity units and X-rays — were canceled. In addition, the healthcare service has warned that delays are possible in receiving COVID-19 test results. Irish government officials have branded the attack, thought to be the responsibility of the Conti ransomware group, as possibly one of the most “significant” cases of a cyberattack against Ireland. A ransom payment was sought. The FT says the amount requested was $20 million, but in line with Irish policy, officials say it will not be paid.

    “This criminal ransomware attack has had a significant impact on hospital appointments and there continues to be major disruptions,” the HSE says. “We are asking the public to be patient with us, to bear with us, and be aware that our staff are working around the clock to ensure patients receive the best and safest possible care in these circumstances.”

    The impact of encrypted hospital systems, especially in a time of a global pandemic, is profound enough that the ransomware operators have reportedly offered the HSE a decryption key without payment. If the tool works, this would allow the healthcare service to potentially regain access to encrypted systems, but there is no guarantee that it will be usable. The decryption software is currently undergoing a technical examination. However, this does not mean Conti has given up in its extortion attempt against the HSE. Monday is reported to be the deadline for a potential public data leak, or sale, of the 700GB dataset Conti claims to have stolen. HSE CEO Paul Reid told the court that all of the organization’s data is “potentially compromised,” according to Independent.ie.

    The health service is currently working to rebuild its crippled IT system. “Slow but steady progress is being made in assessing the impact and beginning to restore HSE IT systems,” the service says. “This work will take many weeks and we anticipate major disruption will continue due to the shutdown of our IT systems.” In the meantime, a doctor, speaking to Malwarebytes, has spoken of the burden the ransomware attack has placed on staff already overstretched due to the pandemic and a backlog of cases.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • US insurance giant CNA Financial paid $40 million ransom to regain control of systems: report

    One of the largest insurance companies in the United States, CNA Financial, reportedly agreed to a $40 million payment to restore access to its systems following a ransomware attack. 

    According to Bloomberg, the $40 million payment — which is $10 million more than the highest attempted demand of $30 million in 2020, already double the highest attempted extortion figure of 2019 at $15 million — was paid out two weeks after ransomware crippled CNA Financial’s networks. People close to the matter said that during the cyberattack, employees were locked out of the company’s systems and confidential data was stolen. CNA said that a “sophisticated cybersecurity attack” was detected on March 21 that caused “network disruption and impacted certain CNA systems.”

    In an update on May 12, the insurance giant said that third-party cyberforensics experts were investigating the incident, in which the ransomware group appears to have conducted all of its activities prior to March 21 and has not accessed the CNA environment since. Ransomware groups may perform reconnaissance and lurk in a network to quietly exfiltrate information before encryption begins in order to perform a double-extortion attack, in which companies that refuse to pay to decrypt their systems are then faced with the prospect of sensitive data being published online. The company has remained tight-lipped concerning what information was stolen, but did say that “we do not believe that the systems of record, claims systems, or underwriting systems, where the majority of policyholder data — including policy terms and coverage limits — is stored, were impacted.”

    CNA has since restored its systems and is fully operational. In a statement, a CNA spokesperson said that the insurance firm will not be commenting on the ransom, adding that CNA “followed all laws, regulations, and published guidance” while handling the cyberattack. Furthermore, the company consulted with the FBI and the Office of Foreign Assets Control (OFAC). This may not be enough to placate US lawmakers or law enforcement, as the practice of paying cyberattackers is not encouraged — and only serves to keep ransomware deployment a lucrative business.

    Colonial Pipeline, a crucial provider of fuel to close to half of the East Coast, has confirmed a $4.4 million payout to the DarkSide ransomware group following a debilitating attack that interrupted fuel supplies for close to a week across the United States. Colonial Pipeline CEO Joseph Blount said that paying up was the “right thing to do for the country.”

    In related news this week, cyber insurance provider AXA also became the target of a ransomware group, known as Avaddon. Operations in Thailand, Malaysia, Hong Kong, and the Philippines were disrupted and the cybercriminals claim to have stolen 3TB in data including customer medical reports, claim records, bank account document scans, ID cards, and other datasets. The information has not been published at the time of writing. The ransomware attack took place just days after AXA announced the discontinuation of support for ransomware extortion claims in France.

  • Australian telco sector looking down the barrel of a prescribed security standard

    Image: Getty Images
    The Department of Home Affairs has brushed aside industry concerns that the Security of Critical Infrastructure Act (SoCI Act) duplicates obligations found in the Telecommunications Sector Security Reforms (TSSR). As far as the department is concerned, rather than overlapping regimes, there would be “one continuum” of regulation where the Telecommunications Act is paramount, but parts of the SoCI Act would be “activated” to fill in gaps.

    “The explanatory memorandum for the Security of Critical Infrastructure Act amendments very clearly states that, where primary legislation exists that regulates the activities of a critical infrastructure sector, that primary legislation remains operant,” Home Affairs deputy secretary for national resilience and cybersecurity Marc Ablong told the Parliamentary Joint Committee on Intelligence and Security on Thursday. “To the degree that we need to look at amendments to that act — minor in nature — to ensure that it is consistent with the positive security obligations that are set out in the [SoCI] Bill, we would do that to the Telco Act.”

    Two such gaps in the Telco Act that Ablong identified were the ability of government to assist companies facing a significant cyber attack and the enhanced cybersecurity obligations. “We don’t consider them to be rival regulatory regimes but parts of the one continuum that starts with companies very much recognising that they have a unique position as telcos. To the degree that the existing regulatory regime set out in part 14 can suffice, it will suffice,” he said. “To the degree that it can’t suffice, that’s when the Security of Critical Infrastructure Act amendments will apply. But we don’t intend this to come as any surprise to the industry.”

    One area where the TSSR is ambiguous is its requirement for carriage service providers to “do their best” to protect telecommunication networks and facilities, and both telcos and the department believe it needs clarification. “We’d suggest that a higher standard than just doing your best might be required,” Ablong said. “To the degree that the language in the TSSR says, ‘Do your best,’ we might replace it with, ‘You are required to meet standard X,’ whatever the standard is that we and the industry come to a common view on in the co-design process.”

    How the positive security obligation looks for each sector will be a co-design process with industry of looking at primary legislation and working out what needs to be added, the deputy secretary said. “The obligation for the telco sector would be different to that for the banking sector, for instance,” Ablong said. “The process of co-designing with industry and providing them with information about, ‘Here are the threats we think your industry will face over the foreseeable future; this is where we think your primary legislation requires you, or obliges you, to meet a certain security requirement; and this is what more we think you could add to your ability to meet an obligation under the Critical Infrastructure Act,’ is very much a co-design process.”

    In the end, Ablong said the solution could be to replace the “do their best” wording with a standard, whether it is the Essential Eight from the ACSC, or a standard from NIST or the UK’s National Cyber Security Centre. “Ultimately, in the conversations that we have been having with industry … the first question is: To what standard do you hold yourself as an industry? Then you would ask: What are the measures that you’re using to assure yourself that, against the risks which we’ve talked about, you are able to deal with those risks?,” he said. “If somebody says to me, ‘I use the NIST standards’ and another industry says, ‘I use the NCSC standards from the UK’, both of those are suitably robust that, for most intents and purposes, we would probably say, ‘That’s good enough’.”

    Earlier in the day, Telstra and Optus raised concerns that the Critical Infrastructure Centre needed to provide more proactive advice to telcos, rather than just responding to alerts from telcos when changes to services, systems, or equipment could have a “material adverse effect” on their ability to meet TSSR obligations. “Currently we get really good and detailed advice, but it has to be triggered by us putting in a notification or providing a briefing, and then that advice will come back,” Telstra national cybersecurity principal Jennifer Stockwell said. “It will be very detailed and will help us to understand the risk for that particular project, but it would be very helpful to have more upfront, because then, when I’m working day to day with our network engineers and operational staff, I can provide them with the guardrails to start with, and that really helps decision-making and speeds up projects.”

    In December, Optus revealed it was responsible for over half of TSSR notifications. “Optus has reviewed the TSSR status of well over 150 projects and proposed changes over the last two years and submitted formal TSSR notifications for 36 of them,” it said at the time. “The time for the resolution of these notifications has varied between 30 days to eight months.”

    On Thursday, Telstra regulatory principal John Laughlin said Australia’s largest telco took a different approach. “We have deliberately taken an approach where we notify on mitigated risk,” he said. “We only lodge a notification after all the systems and controls are in place, where we still believe that there’s a material adverse effect to our ability to meet the security obligation.” Stockwell added that Telstra only notifies on the end solution. “The unmitigated risk is a risk that is not going to be realised, provided we have the adequate mitigating controls in place,” she said. “It’s really important to mention that early engagement with the critical infrastructure centre and the ability to have that early engagement is critical to inform those controls so that we put all the appropriate mitigations in place, taking into account the full understanding of the threat landscape.”

    Whether through bad preparation or obfuscation, Laughlin was unable to provide the committee with the number of notifications Telstra had provided, except to say it was “substantially less” than Optus. The differences in notification thresholds are one of the reasons Home Affairs wants to have a “conversation” with telcos in the co-design phase to see if the government and private sector have different views on risk. “If they have been thinking about it purely from the perspective of, for instance, somebody’s ability to cut the trunk cables and therefore their inability to provide a service to a portion of Australia, we would be equally concerned about the ability of somebody to hack in or intercept communications carried over their networks, but if they don’t consider that to be a material risk, then they’re not going to notify us or report about those sorts of things,” Ablong said.

    The deputy secretary added the Critical Infrastructure Bill was necessary in light of the recent Colonial Pipeline incident. “The critical infrastructure amendments … very much cover what is required in order for Australia to have greater assurance that the sorts of things that we saw with the Colonial Pipeline, for instance, in the United States are less likely to happen here, that we have taken all necessary measures to protect our critical infrastructure and for the entities involved in those sectors of the economy that might be considered critical infrastructure to have protected themselves.”

    On the other side of the fence is the Communications Alliance, which has put forward a proposal to either repeal the TSSR notification obligations or exempt telcos that fall under the Critical Infrastructure Bill. “We would very much prefer the certainty that comes with repealing provisions that could create duplication, as opposed to relying on the goodwill and best endeavours of agencies over time to avoid that through positive decisions of their own,” Comms Alliance CEO John Stanton said. “Time moves on, people move on, and it would be preferable from our point of view if the requirements and obligations were clear and in legislation rather than subject to executive decision-making.”

  • Telstra, Optus, and Aldi Mobile warned by ACMA for not verifying new customer info

    Image: Getty Images/iStockphoto
    The Australian Communications and Media Authority (ACMA) has issued formal notices to a trio of telcos after finding each had failed to validate customer details when moving between carriers. Medion Mobile, which powers Aldi Mobile and is owned by Lenovo, was caught out on 53 occasions, Telstra was found to have breached its obligations 52 times, and Optus was pinged for one violation. “Historically it has been too easy to transfer phone numbers from one telco to another. All a scammer needed to hijack a mobile number and access personal information like bank details was a name, address and date of birth,” ACMA chair Nerida O’Loughlin said. “We are cracking down on telcos that don’t follow the rules and leave customers vulnerable to identity theft.”

    ACMA said those who experienced mobile number fraud typically lost more than AU$10,000, and struggle to “regain control of their identities for long periods of time”. Since new rules on validating customer information came into effect early last year, the regulator said some telcos have reported the practice has stopped. ACMA said a person who believes they have fallen victim to such an attack should contact their telco and bank, change passwords, and report the act to the police, Scamwatch, and the Australian Cyber Security Centre.

    As usual with telco rule breaches, the ACMA warned further violations could see an AU$250,000 fine per breach. Earlier in the week, Lycamobile paid an AU$600,000 fine levelled at it, after ACMA found what it called “prolonged and large-scale customer data failures, which could have put people in danger”. In its investigation, ACMA found 245,902 instances where the telco failed to pass on information to Telstra so it could maintain the Integrated Public Numbers Database (IPND) used by emergency services when responding to 000 calls, as well as the Emergency Alert Service. ACMA said there were 5,671 instances where Lycamobile did not upload data to the IPND for “between three days and nine years” after gaining a customer. It also did not upload complete and accurate information for 240,231 customers, with over 210,000 customers being listed as connected in the IPND when they were disconnected.

  • Palo Alto Networks raises FY 21 outlook, beats Q3 estimates

    Palo Alto Networks published better-than-expected third quarter financial results on Thursday and raised its outlook for the fiscal year. Non-GAAP net income for the quarter was $139.5 million, or $1.38 per diluted share. Revenue grew 24 percent year-over-year to $1.1 billion. Analysts were expecting earnings of $1.28 per share on revenue of $1.06 billion.

    “The work-from-home shift earlier in the year and recent cybersecurity issues have increased the focus on security,” chairman and CEO Nikesh Arora said in a statement. “Coupled with good execution, this has driven great strength across our business with Q3 billings growth accelerating to 27% year over year. In particular, we saw a number of customers make large commitments to Palo Alto Networks across our three major platforms. We are pleased to be raising our guidance for fiscal year 2021 as we see these trends continuing into our fiscal fourth quarter, bolstering our confidence in our pipeline.”

    Billings for the quarter reached $1.3 billion. Deferred revenue grew 30 percent year-over-year to $4.4 billion. For the fiscal fourth quarter 2021, the company expects total revenue in the range of $1.165 billion to $1.175 billion, representing year-over-year growth of between 23 percent and 24 percent. For the fiscal year 2021, the company now expects total revenue in the range of $4.20 billion to $4.21 billion, representing year-over-year growth between 23 percent and 24 percent.


  • Healthcare organizations in Ireland, New Zealand and Canada facing intrusions and ransomware attacks

    Three healthcare institutions in Canada, Ireland and New Zealand are in the midst of security incidents this week, highlighting the perilous cybersecurity landscape within some of the world’s most important organizations. 

    Ireland’s Department of Health was attacked twice in the last week, eventually shutting down its entire IT system after a ransomware attack last Thursday. The same group also hit the Health Service Executive with a ransomware attack. Chief Operations Officer of the Health Service Executive Anne O’Connor told The Journal that the office had been hit by the Conti ransomware. According to RTÉ and the BBC, dozens of outpatient services were cancelled, a vaccine portal for Covid-19 was shut down and the country has spent days trying to bring its healthcare IT system back online. Irish Foreign Minister Simon Coveney called it a “very serious attack” while Irish Minister of State Ossian Smyth said it was “possibly the most significant cybercrime attack on the Irish State.”

    The leaders of the Irish government met on Monday and said the National Cyber Security Centre had brought in Europol, private sector cybersecurity experts and hundreds of others to help solve the ransomware attack. The Journal reported that 85,000 computers were turned off once the attack was noticed and that cybersecurity teams are going through all 2,000 different IT systems one by one.

    “Those who carried it out have no concern for the severe impact on patients needing care or for the privacy of those whose private information has been stolen. These ransomware attacks are despicable crimes, most especially when they target critical health infrastructure and sensitive patient data,” the government statement said. “The significant disruption to health services is to be condemned, especially at this time. Any public release by the criminals behind this attack of any stolen patient data is equally and utterly contemptible. There is a risk that the medical and other data of patients will be abused.”

    Emergency services are still operating in the country but are now busy because of the IT outage. Many radiology appointments are cancelled, according to a government statement, and there are now delays in COVID-19 test result reporting as well as delays with issuing birth, death or marriage certificates. Pediatric services, maternity services, and outpatient appointments in certain hospitals have all been affected by the attack, according to The Journal. Dublin’s Rotunda Hospital, The National Maternity Hospital, St Columcille’s Hospital, Children’s Health Ireland (CHI) at Crumlin Hospital, and The UL Hospitals Group have all reported varying levels of IT outages. Health Minister Stephen Donnelly added this week that the HSE payment system was downed by the attack and that the 146,000 people working in the healthcare industry will face issues with full payment. On Thursday, the Financial Times reported that the people behind the ransomware attack were demanding $20 million to restore the system and had already started leaking private information about patients online. Irish Prime Minister Micheál Martin previously told the BBC that the government would not pay the ransom.

    New Zealand is facing a similar issue, with IT services for their healthcare system reporting a cybersecurity incident that completely knocked out the entire system. Clinical services at hospitals in Waikato, Thames, Tokoroa, Te Kuiti and Taumarunui have all been affected by the attack. Even the landline phone services are down, and the government has said some outpatient appointments may need to be cancelled. More than 30 elective surgeries were cancelled in recent days due to the outage.

    In addition to the attacks on the Irish and New Zealand healthcare systems, Canadian insurer Guard.me, one of the world’s largest insurance carriers, is still dealing with a downed website after, in its words, “suspicious activity was directed at the guard.me website.” The site is still down, with a lengthy message explaining that they took down their website as a cautionary measure. Guard.me provides students who study abroad with health coverage internationally and the company has already sent out a letter to students informing them of the attack, according to Bleeping Computer. The letter admits that the “suspicious activity” they caught was actually someone gaining access to a database that contained the dates of birth, genders, phone numbers, email addresses, mailing addresses, and passwords of students.

    Cybersecurity expert Mathieu Gorge, CEO of Ireland-based VigiTrust, said ransomware gangs and other cybercriminals have proven repeatedly through attacks on healthcare systems during the pandemic that they have little regard for human life or privacy.

    “What’s most worrying about this is that it has established a trend that you can attack critical infrastructure anywhere and everywhere,” Gorge said. “And these aren’t necessarily sophisticated attacks by nation-states; they are relatively low-skill attacks with huge consequences exploiting attack surfaces which frankly should be better protected.”

    Saryu Nayyar, CEO of cybersecurity company Gurucul, said ransomware gangs have now perfected the art of monetizing every aspect of an attack. On top of the ransoms they make from attacks, medical records, she said, hold highly sensitive personal data that can be used to socially engineer money from fragile patients who are not cyber savvy like the elderly, not to mention the obvious identity theft. “The fact that the Irish government will not give in to the attacker’s demands is a sign that they are confident they have backups to sufficiently restore their systems and data. But the cybercriminals will likely publicize their stash of sensitive patient health data just because they can and they’re evil,” Nayyar added. “Usually, the ransom price is determined by the amount of cybersecurity insurance the victim organization has. Perhaps the Irish government doesn’t have cybersecurity insurance, but in this case it doesn’t matter since Conti is known to operate on the basis of ‘double extortion’ attacks, so the data would be made public anyway.”

    Zerto vice president of product marketing Caroline Seymour noted that even when organizations have backups or recovery systems, they can be days or weeks old, leading to inevitable gaps and data loss that can be highly disruptive as well as add significantly to the overall recovery cost. Many other experts noted that the rush to digitize hospital services across the world has left almost every country vulnerable to ransomware operators eager to hold critical arms of governments hostage.

    With the millions of dollars being made through ransomware, the gangs behind them have become more methodical and are now run like businesses with scalable campaigns, according to Hank Schless, senior manager at Lookout. “Historically, it was far more likely that attackers would try to brute force their way into the infrastructure and exploit any weak points in its defenses,” Schless explained. “Every day, hundreds if not thousands of users connect to corporate infrastructure from unmanaged devices and networks. They also expect to have seamless access to a mix of on-premises and cloud-based services in order to get their jobs done. Since this all takes place outside the safety of the traditional perimeter, it could open countless backdoors into your infrastructure.”