Information Technology

Following major cyberattacks against central government bodies in Brazil, initial investigations have found that malicious actors have used civil servant credentials to access systems.

The finding is among a series of warnings and recommendations issued by the presidency’s Institutional Security Office (GSI). Initially released last Wednesday (December 8) and edited yesterday (December 14), the alert is aimed at security managers across the federal government. “Some intrusions have occurred using legitimate administrator [credentials],” the document noted, adding this meant attackers didn’t have to perform any actions to access system privileges. The publication and subsequent editing of GSI’s alert emerge as Brazil’s Ministry of Health (MoH) struggles to re-establish its systems following a major ransomware attack last Friday. Systems such as ConecteSUS, which holds COVID-19 vaccination data and certificates, remain unavailable. GSI recommended a series of security measures to be adopted by departments in the event of “malicious actions or improper use of credentials”. As well as notifying the government’s cyberattack prevention and response center, instructions included strengthening the use of multi-factor authentication tools for all cloud system administrators. The security office also recommended the re-evaluation of backup policies, as well as requesting cloud providers to change master passwords and implement additional security layers to mitigate the risk that malicious actors utilize high-privilege passwords.

Security managers should control metadata access settings in cloud environments, the GSI document noted, and start internal campaigns to get staff to change their passwords for stronger alternatives. In addition, the document suggests reducing the level of network privileges as a means to limit the number of staff able to make major system changes. Recommendations also include blocking access to systems for public servants away from work for reasons such as vacation.The Ministry of Health is still working to bring systems back online after a second cyberattack “caused turmoil” at Datasus, the department’s IT function. On Wednesday (December 15), the MoH said in a statement teams were working on re-establishing the system for vaccine certification as soon as possible but did not provide an estimate of when that would happen. In addition, the MoH alerted the population about false emails about a supposed service whereby vaccine certificates would be emailed to the population. The department reiterated the only way to get the certificates is via the ConecteSUS app or online. Members of the Lapsus$ group, who has claimed responsibility for the cyberattacks against the Ministry of Health over the last few days, started to dump files online that were allegedly extracted from the MoH’s systems, according to Brazilian security website CISO Advisor. So far, 293MB worth of data has already been dumped, and the package is composed mainly of data tables, Javascript code and apparently no citizen data. In an exchange with CISO Advisor, the perpetrators said they will dump an additional 10MB online soon but did not say when. More

If there ever was any doubt over the severity of the Log4j vulnerability, director of US cybersecurity and infrastructure agency CISA, Jen Easterly, immediately quashed those doubts when she described it as “one of the most serious that I’ve seen in my entire career, if not the most serious”. On Friday 9 December, the information security world was rocked by the disclosure of Log4j (CVE-2021-44228), a zero-day vulnerability in the widely used Java logging library Apache Log4j, which allows attackers to remotely execute code and gain access to machines.Not only is the vulnerability relatively simple to take advantage of, the ubiquitous nature of Log4j means that it’s embedded in a vast array of applications, services and enterprise software tools that are written in Java – and used by organisations and individuals around the world.LOG4J FLAW COVERAGE – WHAT YOU NEED TO KNOW NOW That means after a long and exhausting year, tech staff find themselves scrambling to fix yet another critical vulnerability.Even worse, in the case of Log4j, it may be extremely hard for even security professionals to understand whether this code is part of their applications and thus a potential risk. Like much open-source software, it is built-in down the supply chain. Many vendors are still attempting to find out if their products are affected.That’s why some have likened Log4j to Heartbleed, a vulnerability in SSL that affected many major websites and services, but was also difficult to detect and manage. Like Heartbleed, the consequences of which have continued to unfurl for years, there’s already the fear that Log4j vulnerabilities could be a long-term problem.Not that hackers have waited a moment before attempting to take advantage of a newly disclosed vulnerability, of course.

Within just a few hours, there were already a vast number of attempts at exploiting Log4j vulnerabilities. What’s more, the malicious activity being tracked has only continued to rise – one cybersecurity company says it took just days for attackers to target almost half of corporate networks. Some of the first payloads dropped were cryptominers – malware that uses the processing power of the infected device to mine for cryptocurrency. But much more dangerous threats soon followed. These included instances of penetration-testing tool Cobalt Strike being installed – something commonly used by attackers to steal usernames and passwords that are necessary to move around networks.That was followed by reports of ransomware that is exploiting Log4j. Take Khonsari, which is an incredibly basic form of ransomware, but ransomware groups are quick to adopt any techniques that increase the chances of compromising networks and successfully demanding a ransom, meaning more ransomware attacks leveraging Log4j are likely to follow.Then came the nation state-backed hacking groups looking to exploit the vulnerability – like they had with SolarWinds and Microsoft Exchange. Hacking operations working out of China, Iran, North Korea and Turkey were spotted attempting to leverage Log4j – and they’ll continue to make these moves for as long as they can.Work has already begun to repair the damage. CISA has mandated that federal agencies must patch the Log4j vulnerability within days. But for everyone else, the process could take years and there will be plenty of instances where, despite the critical vulnerabilities, some systems will never get the patch.Just look at EternalBlue, the catalyst behind WannaCry and NotPetya in 2017, which still regularly features among the most commonly exploited vulnerabilities and, years later, is still used by cyber criminals to launch attacks.Ultimately, as long as there are systems that are at risk from the Log4j vulnerability, there will be cyber criminals or nation state-backed hackers out there who will look to take advantage.And even if a high-profile organisation is under the impression that it’s protected against the vulnerability, there’s the possibility that attackers could compromise a supplier that doesn’t manage its IT as thoroughly. Criminals could then exploit that gap as a gateway to the larger, more lucrative target.LOG4J FLAW COVERAGE – HOW TO KEEP YOUR COMPANY SAFE It’s ultimately a quirk of how the internet works that so much harm could potentially come from an open-source project, operated and managed on a voluntary basis. The internet is a crucial part of our everyday lives, but instances like this Log4j vulnerability demonstrate how vulnerable it can be.Some experts will call for more rules and regulations over how the internet and computers ultimately work and fit together. That would be a difficult conversation, particularly given how so much of the infrastructure that helped make the internet what it is today is ultimately built from passion projects and volunteer schemes.Cybersecurity professionals were already burned out after a difficult few years. Another major cybersecurity event in the run up to Christmas won’t have helped anything.Unfortunately, Log4j will likely remain an issue through 2022 and beyond – we’re probably only scratching the surface of the risk and the hacking campaigns that will attempt to exploit this vulnerability.The best thing organisations can do, for now, is to follow the expert advice and apply updates to mitigate the potential damage – and then hope that similar vulnerabilities don’t emerge elsewhere any time soon to cause more damage and more burnout. More

Google has explained how surveillance company NSO Group developed an exploit that would allow users of its software to gain access to an iPhone and install spyware – without a target ever even clicking a link. Last month, the US Department of Commerce added NSO Group to its “entity list”, largely banning it from US markets due to evidence it supplied spyware to foreign governments that used it to target government officials, journalists, business people, activists, academics, and embassy workers. In late November, Apple filed for a permanent injunction banning NSO from using any of its software, services or devices. 

Now Google’s Project Zero (GPZ) has analyzed a relatively new NSO ‘zero-click’ exploit for iOS 14.7.1 and earlier, and deemed it “one of the most technically sophisticated exploits we’ve ever seen”.SEE: This mysterious malware could threaten millions of routers and IoT devicesGPZ’s Ian Beer and Samuel Groß described the NSO’s exploit as both “incredible” and “terrifying”. The exploit creates a “weird” emulated computer environment within a component of iOS that handles GIFs but doesn’t normally support scripting capabilities. This exploit, however, allows an attacker to run JavaScript-like code in that component in order write to arbitrary memory locations – and remotely hack an iPhone.   Security researchers at Canada-based Citizen Lab reported the bug to Apple as part of its joint research with Amnesty International into NSO’s Pegasus mobile spyware package, which can be installed after using an exploit that jailbreaks an iPhone.Apple patched the memory corruption bug, tracked as CVE-2021-30860, in the CoreGraphics component in iOS 14.8 this September. 

Citizen Lab also shared a sample of NSO’s iMessage-based zero-click exploit for GPZ researchers to analyze. The attack exploits the code iMessage uses to support GIF images. GPZ’s Beer and Groß said it showed “the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states”. The initial entry point for Pegasus on iPhone is iMessage. This means that a victim can be targeted just using their phone number or AppleID username, the report notes. Even advanced users who know not to click links can be compromised.The weakness iMessage exposed comes via extra features Apple enabled for GIF images. Apple uses a ‘fake gif’ trick” in iOS’s ImageIO library to make normal GIF images loop endlessly. That trick also happens to introduce over 20 additional image codecs, giving attackers a much larger surface to attack. “NSO uses the “fake gif” trick to target a vulnerability in the CoreGraphics PDF parser,” Beer and Groß explain. The PDF parser is an interesting target. PDF historically was a popular target for exploitation because it was complex software and everyone used it. Also, Javascript in PDFs made it easier to exploit, they explain. As the GPZ researchers note: “The CoreGraphics PDF parser doesn’t seem to interpret javascript, but NSO managed to find something equally powerful inside the CoreGraphics PDF parser…”NSO found that powerful tool in Apple’s use of the JBIG2 standard for compressing and decompressing images. The standard was originally used in old Xerox scanners to efficiently transform images from paper into PDF files of just a few kilobytes in size.SEE: A winning strategy for cybersecurity (ZDNet special report)Among several crafty tricks NSO developed was the emulated computer architecture that relied on the JBIG2 portion of Apple’s CoreGraphics PDF parser. That emulated computer environment allowed them to write to arbitrary memory addresses with a scripting language not unlike JavaScript, despite JBIG2 lacking scripting capabilities. “JBIG2 doesn’t have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory,” explain Beer and Groß.”So why not just use that to build your own computer architecture and script that!? That’s exactly what this exploit does. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It’s not as fast as Javascript, but it’s fundamentally computationally equivalent.”The bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It’s pretty incredible, and at the same time, pretty terrifying.” More

A suspected, state-sponsored Iranian threat group has attacked an airline with a never-before-seen backdoor. 

On Wednesday, cybersecurity researchers from IBM Security X-Force said an Asian airline was the subject of the attack, which likely began in October 2019 until 2021.  The advanced persistent threat (APT) group ITG17, also known as MuddyWater, leveraged a free workspace channel on Slack to harbor malicious content and to obfuscate communications made between malicious command-and-control (C2) servers.  “It is unclear if the adversary was able to successfully exfiltrate data from the victim environment, though files found on the threat actor’s C2 server suggest the possibility that they may have accessed reservation data,” IBM says.  The Slack messaging Application Program Interface (API) was abused by a new backdoor deployed by the APT named “Aclop.” Aclip is able to harness the API to both send data and receive commands – with system data, screenshots, and files sent to an attacker-controlled Slack channel.  Overall, three separate channels were used by the backdoor to quietly exfiltrate information. Once installed and executed, the backdoor collected basic system data including hostnames, usernames, and IP addresses which were then sent to the first Slack channel after encryption.  The second channel was utilized to check for commands to execute, and the results of these commands – such as file uploads – were then sent to the third Slack workspace. 

While a new backdoor, Aclip is not the only malware known to abuse Slack – which should be of note to enterprise teams as the tool is valuable for those now often working from home or in hybrid setups. Golang-based Slack C2bot also leverages the Slack API to facilitate C2 communications, and the SLUB backdoor uses authorized tokens to talk to its C2 infrastructure. In a statement, Slack said, “We investigated and immediately shut down the reported Slack Workspaces as a violation of our terms of service.” “We confirmed that Slack was not compromised in any way as part of this incident, and no Slack customer data was exposed or at risk. We are committed to preventing the misuse of our platform and we take action against anyone who violates our terms of service.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Check Point Research has discovered new attacks targeting cryptocurrency users in Ethiopia, Nigeria, India and 93 other countries. The cybercriminals behind the attacks are using a variant of the Phorpiex botnet — which Check Point called “Twizt” — to steal cryptocurrency through a process called “crypto clipping.” 

Because of the length of wallet addresses, most systems copy a wallet address and allow you to paste it in during transactions simply. With Twizt, cybercriminals have been able to substitute the intended wallet address with the threat actor’s wallet address. Researchers with Check Point said they have seen 969 transactions intercepted, noting that Twizt “can operate without active command and control servers, enabling it to evade security mechanisms,” meaning each computer that it infects can widen the botnet.In the last year, they have seen 3.64 Bitcoin, 55.87 Ether, and $55,000 in ERC20 tokens stolen by Twizt operators, amounting to about $500,000. In one instance alone, 26 ETG was taken. Between April 2016 to November 2021, Phorpiex bots hijacked about 3,000 transactions worth nearly 38 Bitcoin and 133 Ether. The cybersecurity company noted that this was only a portion of the attacks taking place. Phorpiex was originally known as a botnet used for sextortion and crypto-jacking but evolved to include ransomware. Check Point said Phorpiex has been operating since at least 2016 and was initially known as a botnet that operated using IRC protocol. “In 2018-2019, Phorpiex switched to modular architecture and the IRC bot was replaced with Tldr — a loader controlled through HTTP that became a key part of the Phorpiex botnet infrastructure. In our 2019 Phorpiex Breakdown research report, we estimated over 1,000,000 computers were infected with Tldr,” Check Point explained. In May, Microsoft’s Defender Threat Intelligence Team released a lengthy blog post warning that Phorpiex “began diversifying its infrastructure in recent years to become more resilient and to deliver more dangerous payloads.”

In August, the activity of Phorpiex command and control servers dropped sharply, and one of the people behind the botnet posted an ad on the darknet offering the source code for sale. Check Point’s Alexey Bukhteyev told The Record that even though the command and control servers were down, any buyer of the source code could set up a new botnet using all of the previously infected systems. It is unclear if the botnet was actually sold, but Check Point said the command and control servers were back online at another IP address within weeks. When the command and control servers were restarted after their hiatus in August, they began distributing Twizt, which enables the botnet “to operate successfully without active command and control servers, since it can operate in peer-to-peer mode.””This means that each of the infected computers can act as a server and send commands to other bots in a chain. As a really large number of computers are connected to the Internet through NAT routers and don’t have an external IP address, the Twizt bot reconfigures home routers that support UPnP and sets up port mapping to receive incoming connections,” Check Point explained.”The new bot uses its own binary protocol over TCP or UDP with two layers of RC4-encryption. It also verifies data integrity using RSA and RC6-256 hash function.”Now, Check Point said the new features to Twizt make them believe the botnet “may become even more stable and, therefore, more dangerous.” Check Point has seen attacks stay consistent even when the command and control servers are inactive. Over the last two months, there has been an uptick in attacks, with incidents hitting 96 different countries. Alexander Chailytko, cybersecurity research & innovation manager at Check Point Software, said two main risks are involved with the new variant of Phorpiex. “First, Tiwzt is able to operate without any communication with C&C; therefore, it is easier to evade security mechanisms, such as firewalls, in order to do damage. Second, Twizt supports more than 30 different cryptocurrency wallets from different blockchains, including major ones such as Bitcoin, Ethereum, Dash, Monero,” Chailytko said. “This makes for a huge attack surface, and basically anyone who is utilizing crypto could be affected. I strongly urge all cryptocurrency users to double-check the wallet addresses they copy and paste, as you could very well be inadvertently sending your crypto into the wrong hands.”Check Point urged cryptocurrency owners always to double-check the original and pasted addresses to make sure they match. People should also send test transactions before any large trades. Researchers said the Phorpiex crypto-clipper supports more than 30 wallets for different blockchains in the report. They also noted that the botnet operators may be in Ukraine because evidence indicates that the bot does not execute if the user’s default locale abbreviation is “UKR.”Even though it served a variety of purposes, Check Point’s report says Phorpiex was originally not considered a sophisticated botnet. “All of its modules were simple and performed the minimal number of functions. Earlier versions of the Tldr module did not use encryption for the payloads. However, this did not prevent the botnet from successfully achieving its goals. Malware with the functionality of a worm or a virus can continue to spread autonomously for a long time without any further involvement by its creators,” Check Point explained.”We showed that a cryptocurrency clipping technique for a botnet of this scale can generate significant profits (hundreds of thousands US dollars annually) and does not require any kind of management through command and control servers. In the past year, Phorpiex received a significant update that transformed it into a peer-to-peer botnet, allowing it to be managed without having a centralized infrastructure. The command and control servers can now change their IP addresses and issue commands, hiding among the botnet victims.” More

Hundreds of victims involved in the non-consensual release of explicit videos online have been awarded video rights and millions of dollars in damages. 

On Wednesday, the US Department of Justice (DoJ) said that all rights to videos and images produced by pornography organizations GirlsDoPorn and GirlsDoToys are now awarded to the women who appear in the footage. GirlsDoPorn (GDP) and GirlsDoToys (GDT) have been the subject of a sex trafficking case launched by US prosecutors. Adult film actor and producer Ruben Andre Garcia admitted to participating in a scheme from roughly 2013 to October 2019 to use “force, fraud, and coercion” as tactics to make young women “engage in commercial sex acts,” according to the DoJ.Originally, women responded to adverts for clothed modeling work and were then told they would be paid between $3,000 and $5,000 for one-day, anonymized adult video shoots. Alongside Michael James Pratt, Matthew Isaac Wolfe, Theodore Wilfred Gyi, Valerie Moser, and others, Garcia lied to women — numbering in the hundreds in the US and Canada — promising that the videos produced would not be published online and their participation would be concealed. However, US prosecutors say the defendants in the case knew these representations to be “false” and a conspiracy between Garcia and the owners of GDP/GDT formed. 

GDP and GDT generated at least $17 million in revenue from millions of views on a subscription basis. Snippets of this illegally-obtained content were also uploaded to other adult websites, including PornHub, to lure additional subscribers to the GDP/GDT platforms. Under the terms of the order, US District Judge Janis Sammartino has ordered Garcia to pay $18 million in restitution, hand over the video and image rights, and will also serve 20 years in prison. “An important step in this long healing process is for the victims to be able to take back control of their lives,” commented FBI Special Agent in Charge Suzanne Turner. “This ruling helps to facilitate that shift while the FBI aggressively pursues the lone outstanding fugitive in this case — and its ringleader — Michael James Pratt.”The FBI is currently offering a reward of up to $50,000 for information leading to the arrest of Pratt, who is currently on the run. Pratt, a 36-year-old producer from New Zealand, is wanted to answer allegations of sex trafficking and child pornography. The case is ongoing and the next hearing is due to take place in March for motions related to Wolfe. In October, PornHub’s parent company settled with 50 women who accused the firm of being aware of the allegations against GDP/GDT but maintaining a partnership anyway. The terms of the settlement were not disclosed. Previous and related coverageHave a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

The Digital Transformation Agency (DTA) has been carrying out digital identity age verification trials for online alcohol purchases with selected providers in Australia since September, according to a Freedom of Information (FOI) request.FOI documents released by the Office of eSafety Commissioner indicated there were also plans to carry out similar trials for online gambling, with each private beta testing scheduled to operate for a three to six-month period.Scope to expand the trial in 2022 has also been proposed to include additional users, other Australian-based online alcohol, online gambling service providers, and R18+ online video games with “loot boxes”, and myGovID as an identity provider. The intention of the FOI request filed by Greg Tannahill dated September 29 sought to understand Mastercard’s proposed involvement in delivering or influencing the delivery of age verification services in Australia. It came off the back of Mastercard announcing just two days before the request was filed that it was working with the DTA to see how its digital identity service could enable Australians to digitally verify their age and identity.As part of the collaboration, Mastercard said it would work with the DTA to examine a series of private sector-led pilots and the impact its digital verification service could have on retailer and consumer experiences and expectations online.Mastercard announced the quiet expansion of the trial for its digital identification service, following the successful completion of phase one with partners Deakin University and Australia Post last year.  

Based on discussion notes about the trials between the DTA and eSafety Commissioner, DTA noted it was focused on “establishing systems that enhance privacy, security and safety — including by being least invasive to the user (i.e. simply determining that someone is 18+)”.”We prefer systems that are not an unnecessary burden to those wishing to access or services which are they are entitled to use,” the notes said.The DTA also highlighted that it flagged it was “interested in a market-based system that offers choice to consumers”.See also: Australia Post a ‘trusted’ service provider for government identificationAt the time of announcing its work with the DTA, Mastercard also said it applied for accreditation under the Trusted Digital Identity Framework (TDIF), which sets out the operating model for digital identity in Australia.If granted, Mastercard said would enable consumers to create a reusable digital identity using official identity documents, such as passports, driving licences, as well as protect digital identity data using encryption and facial biometrics.In October, the federal government released an exposure draft for legislation that seeks to expand the application of Australia’s federal digital identity system to state and territory governments and the private sector.Under the Bill, the federal government is seeking to formally enshrine two voluntary schemes for entities that want to provide or rely on digital identity services: A federal government-run digital identity system and a new accreditation scheme that will be based on the existing TDIF system.Additionally, the federal government, state and territory governments, Australian companies and foreign companies registered with the Australian Securities and Investments Commission (ASIC) would be eligible to apply to join the two digital identity systems.Related Coverage More

In an investigation conducted by Australia’s Information Commissioner (OAIC), it has found the Australian Federal Police’s (AFP) use of the Clearview AI platform interfered with the privacy of Australian citizens. Clearview AI’s facial recognition tool is known for breaching privacy laws on numerous fronts by scraping biometric information from the web indiscriminately and collecting data on at least 3 billion people, with many of those people being Australian.From November 2019 to January 2020, 10 members of the AFP’s Australian Centre to Counter Child Exploitation (ACCCE) used the Clearview AI platform to conduct searches of certain individuals residing in Australia. ACCCE members used the platform to search for scraped images of possible persons of interest, an alleged offender, victims, members of the public, and members of the AFP, the OAIC said.While the AFP only used the Clearview AI platform on a trial basis, Information and Privacy Commissioner Angelene Falk determined [PDF] the federal police failed to undertake a privacy impact assessment of the Clearview AI platform, despite it being a high privacy risk project. By failing to do so, the OAIC said the AFP breached the Australian Government Agencies Privacy Code. It added that the AFP did not take reasonable steps to implement practices, procedures, and systems relating to ensure the Clearview AI platform complied with the Australian Privacy Principles as well.

Read more: ‘Booyaaa’: Australian Federal Police use of Clearview AI detailedThe AFP submitted that it did not undertake privacy impact assessment as its use of Clearview AI platform was only under a “limited trial”. When investigating this decision, however, the OAIC said the AFP failed to provide any evidence that a project manager or trial participant conducted a threshold assessment to determine whether a privacy impact assessment was required. A threshold assessment is a preliminary assessment used to determine a project’s potential privacy impacts and whether a privacy impact assessment should be undertaken.Worryingly, the OAIC’s investigation also found that the AFP has not shown any indication that it has taken, or would take, steps to prevent similar breaches from occurring again in the future. This is despite the AFP having already admitted in April last year that it trialled the Clearview AI platform despite not having an appropriate legislative framework in place”Without a more coordinated approach to identifying high privacy risk projects and improvements to staff privacy training, there is a risk of similar contraventions of the Privacy Act occurring in the future,” the OAIC wrote in its determination.”This is particularly the case given the increasing accessibility and capabilities of facial recognition service providers and other new and emerging high privacy impact technologies that could support investigations.”In light of these privacy breaches, the OAIC has ordered the AFP to engage an independent third-party assessor to review its practices, procedures, and systems and write a report about any changes that the AFP must make to ensure its compliance with the Australian Government Agencies Privacy Code.The report of the gaps in AFP’s privacy infrastructure must be written in the next six months, and the AFP must also provide the OAIC with a timeline for implementing any actions set out in the report.The OAIC has also ordered for all AFP personnel that handle personal information to have completed an updated privacy training program in the next 12 months.RELATED COVERAGE More