More stories

  • Labor tries the Senate after ransomware payments Bill flops in the House of Reps

    The federal opposition has reintroduced its ransomware payments Bill, this time to the Senate, after the Bill failed to get off the ground in the House of Representatives. The Ransomware Payments Bill 2021, if passed, would require organisations to inform the Australian Cyber Security Centre (ACSC) before a payment was made to a criminal organisation in response to a ransomware attack. The Bill was originally introduced into the lower house in June by Shadow Assistant Minister for Cyber Security Tim Watts, but in a joint statement with Shadow Minister for Home Affairs Kristina Keneally, the pair said the government failed to bring it on for debate.

    “Minister Andrews says cybersecurity and ransomware are one of her highest priorities, but we’ve seen little in the way of action to reduce the onslaught of attacks against Australian organisations by foreign cyber criminals,” the statement said. “That’s why Labor has been once again forced to show the leadership on cybersecurity that’s been missing since the election of this Prime Minister by introducing this Bill in the Senate.”

    According to Watts, such a scheme would be a policy foundation for a “coordinated government response to the threat of ransomware, providing actionable threat intelligence to inform law enforcement, diplomacy, and offensive cyber operations”. The ransom payment notification scheme created by the Bill, Watts said previously, would be the starting point for a comprehensive plan to tackle ransomware. It follows his party in February calling for a national ransomware strategy focused on reducing the number of such attacks on Australian targets.

    The Bill would require large businesses and government entities that choose to make ransomware payments to notify the ACSC before they make the payment. Watts said such a move would allow Australia’s signals intelligence and law enforcement agencies to collect actionable intelligence on where this money goes so they could track and target the responsible criminal groups.

    “And it will help others in the private sector by providing de-identified actionable threat intelligence that they can use to defend their networks,” he added.

    When asked about the Bill shortly after it was introduced, the Home Affairs Minister said she was open to exploring it. “From the government’s perspective, we actually would like businesses to reach out, particularly to ACSC, in the event that they have a ransomware attack or they have other threats,” Andrews said. “[ACSC] is very well placed to be able to support them, but they rely, in many instances, on businesses reporting or contacting them directly. I’ve already had some discussions about mandatory reporting of ransomware attacks and my view at this stage is that there are a range of views about that — it’s very mixed in the response — what I want to do over the coming weeks is explore that much more fully.”

    Backing Labor’s approach before the Parliamentary Joint Committee on Intelligence and Security in July, cybersecurity expert and former United States CISA chief Chris Krebs said it would be useful to compel providers to disclose cybersecurity incidents, including ransomware. “Mandatory reporting for any ransomware victim before they make a payment,” he told the committee. “For ransomware, in particular, we do not know how big this problem is, in fact, probably the only people that know how big it is, are the criminals themselves. And they’re not apparently sharing that with us. We have to get to the denominator of ransomware attacks and the easiest way to do that is require ransomware victims to make a notification to the government. This is not yet in determination on whether paying ransom itself is illegal, I think that’s a separate conversation, but just at a minimum, if you’re going to be engaging with the transaction, with the ransomware group, that that needs to be notified.”

  • NSW cops come knocking after internet commenter allegedly threatened police horses

    The New South Wales Police task force investigating the recent anti-lockdown protests in Sydney, Strike Force Seasoned, has arrested an internet commenter. Police said they have pressed four charges of using a carriage service to menace, harass or offend after arresting a 65-year-old Paddington man on Wednesday who allegedly threatened to harm police horses.

    “Investigators were alerted to comments posted on the website of a media outlet, which referenced the protest and outlined threats to harm police horses,” Police said. “A short time later, a search warrant was executed at a nearby home, where police seized electronic devices, a computer and mobile phones, which will undergo forensic examination.”

    The man was refused bail to appear in court on Thursday. Police said they have conducted extensive inquiries into the matter. At the recent protests, a man was arrested after allegedly punching a police horse, and after three weeks in custody, he was granted bail yesterday, ABC reported.

  • Price for fake COVID-19 vaccine cards and passports drops to $100: report

    A variety of COVID-19 vaccine verifications are being sold at increasingly low prices on the dark web, according to a new report from Check Point Research. Researchers found that prices for EU Digital COVID certificates as well as CDC and NHS COVID vaccine cards had fallen as low as $100. Fake PCR COVID-19 tests are also sold widely, and Check Point Research’s study found groups advertising the fake vaccine verifications in groups with more than 450,000 people.

    The report attributes the “majority” of these fake vaccine verifications to groups across Europe. A previous report from the company in March found that the price for fake vaccine passports was around $250 on the dark web and that advertisements for the scams were reaching new levels. The researchers now can find fake certificates being sold from groups and people in the US, UK, Germany, Greece, Netherlands, Italy, France, Switzerland, Pakistan and Indonesia. There were many samples of the UK’s NHS certificate as well as the EU Digital COVID Certificate used in multiple countries.

    A sample of the fake COVID-19 vaccine cards available (image: Check Point Research).

    Check Point Research reported an “exponential growth in volumes of followers and subscribers to groups and channels offering and advertising COVID-19 certifications and other means to bypass the need to physically get the vaccine.”

    “The advertisements specifically state that the seller ‘provide registered vaccine certificates…for all those who don’t want to take the vaccine,’” the report said. “The channels we spotted offer the ‘service’ and even detail its actual impact. ‘With our cards you can travel and work.’ The sellers often state that the certificates are ‘verified’ and invite the buyers to take simple steps in order to place an order — all you need to do is ‘let us know what country are you from and what you want.’”

    The groups offer contact through email, WhatsApp, and Telegram while generally asking for payment through some form of cryptocurrency — mostly Bitcoin, Monero, Dogecoin and others, according to the report. The groups also accept payment through PayPal. In their advertisements, the groups explicitly include anti-COVID-19 vaccine statements dissuading people from taking it and painting themselves as protecting the world. The report includes statements like “You don’t need to take the jab (vaccine) to have the certificate,” and “We are here to save the world from this poisonous vaccine,” as well as “Stay away from the vaccine and be save while we continue this fight.”

    Check Point Research suggests countries create a secured, internally managed repository that can hold official COVID-19 testing and vaccination data or use things like QR codes to certify vaccine verifications. The spike in demand for fake vaccine passports and cards comes as hundreds of companies are forcing employees and customers to show evidence of COVID-19 vaccination before coming into offices or businesses. Even the US Army announced this week that COVID-19 vaccines will be required. The regulations have set off significant backlash in dozens of countries as anti-COVID-19 vaccine movements gain steam.

    Check Point Research cites surveys from France, Germany and the US showing that about 30%-40% of respondents do not plan to take the COVID-19 vaccine despite the recent surge due to the more infectious Delta variant of COVID-19. COVID-19 vaccination drives have stalled in many Western countries in recent weeks. About 1.3 billion people have been vaccinated against COVID-19, representing more than 15% of the world’s population.

    Jürgen Stock, INTERPOL Secretary General, said in December that law enforcement needed to be ready to deal with the wave of fake vaccines and fake vaccine verifications. “Criminal networks will also be targeting unsuspecting members of the public via fake websites and false cures, which could pose a significant risk to their health, even their lives,” Stock said. “It is essential that law enforcement is as prepared as possible for what will be an onslaught of all types of criminal activity linked to the COVID-19 vaccine, which is why Interpol has issued this global warning.”

  • JEM authenticator and password manager deal: Protect your logins

    Cyber threats come from all directions these days. Even if you are using an excellent VPN (and you should!), your online passwords still must have additional protection. Now you can take absolute control of your most sensitive data and provide it with the strongest safeguards. The JEM Biometric Authenticator Device + JEMPass Password Manager Plan will not allow any of it to be decrypted without your JEM device and fingerprint.

    The JEM Biometric Authenticator is an external fingerprint scanner that ensures you are the only one who can access your accounts. It unlocks the encrypted vault of your online passwords that the JEMPass Password Manager protects with cryptographic keys that are generated on your device using up-to-date encryption libraries.

    The free 1-year JEMPass plan that comes with the JEM Biometric Authenticator Device stores and secures all of your passwords and seamlessly syncs your accounts across all devices so you can access them with just a single touch. That allows you to effortlessly use the saved password even on devices that are associated with different Google or iCloud accounts.

    The fingerprint scanner and password manager are compatible with Android and iOS mobile devices, as well as Windows 10 PCs that are equipped with Bluetooth Low Energy (BLE) support. They can be used with Chrome, Firefox, Edge, macOS Safari, and Chromium browsers such as Vivaldi and Brave.

    There’s no question that the combination of JEM’s Biometric Authenticator Device and JEMPass Password Manager Plan is effective. You will find it placed on the list of Best Security & Surveillance Biometrics that Gist Gear compiled just last month.

    Protect your passwords with the added security of end-to-end encryption and an external fingerprint scanner. Get JEM Biometric Authenticator Device + JEMPass Password Manager Plan today while it’s on sale for only $109.99, a 14% discount off the $129 MSRP.

  • Hacker returns more than $260 million in cryptocurrency after Poly attack

    The hacker behind the largest decentralized finance platform hack in history returned much of what they stole on Wednesday, sending back approximately $260 million of the more than $600 million in cryptocurrency that was taken. In a statement, Poly Network — a “DeFi” platform that works across blockchains — said the unknown culprit behind the attack has so far returned $256 million in BSC, $1 million from Polygon and $3.3 million in Ethereum. Poly Network noted that there is still $269 million in Ethereum as well as $84 million in Polygon that needs to be returned. The company attributed the attack to a vulnerability that was exploited concerning contract calls. The exploit “was not caused by the single keeper as rumored,” Poly Network added. Researchers online tied the attack to a Poly Network privileged contract called the “EthCrossChainManager.”

    In addition to returning the money, the hacker included a three-part Q&A where they explained some of their reasoning. The attacker — in a post shared by Elliptic co-founder Tom Robinson — said they found a bug in Poly Network’s system and contemplated what to do from there, eventually deciding to steal the money available and transfer it to another account. They tried to paint their actions as altruistic and said they were trying to expose the vulnerability before it was exploited by “an insider.” They claim to be completely protected because they used anonymous email addresses and IPs.

    “The Poly Network is a decent system. It’s one of the most challenging attacks that a hacker can enjoy. I had to be quick to beat any insiders or hackers,” the attacker said.

    “I didn’t want to cause real panic of the crypto world. So I chose to ignore shit coins, so people didn’t have to worry about them going to zero. I took important tokens (except for Shib) and didn’t sell any of them.”

    They eventually began to sell or swap stablecoins because they were unhappy with how Poly Network responded to the attack. “They urged others to blame and hate me before I had a chance to reply!” the attacker explained, adding that they turned to the stablecoins because they wanted to earn interest on the stolen money while they negotiated with Poly Network. “I am not very interested in money! I know it hurts when people are attacked, but shouldn’t they learn something from those hacks?” they said.

    The culprit noted that they were moving slowly in returning the money because they needed rest, needed more time to negotiate with Poly Network and needed to “prove” their dignity while hiding their identity. The statement goes on to say that the attacker wants to help Poly Network with its security because of its importance to the cryptocurrency industry. “The Poly Network is a well designed system and it will handle more assets. They have got a lot of new followers on Twitter right?” the statement said. “The pain they have suffered is temporary but memorable.”

    The audacious attack sent shockwaves through the blockchain and cryptocurrency communities as Poly Network sought to respond. The company works across blockchains for Bitcoin, Ethereum, Neo, Ontology, Elrond, Zilliqa, Binance Smart Chain, Switcheo, and Huobi ECO Chain.

    The hacker has been slowly returning the money since Poly Network released a statement threatening the culprit on Tuesday. The company begged the hacker to return the money. “The amount of money you hacked is the biggest one in defi history. Law enforcement in any country will regard this as a major economic crime and you will be pursued,” the Poly Network team said. “It is very unwise for you to do any further transactions. The money stole are from tens of thousands of crypto community members, hence the people. You should talk to us to work out a solution. We call on miners of affected blockchain and crypto exchanges to blacklist tokens coming from the above addresses.”

    The company appealed to miners across affected blockchains and crypto exchanges like Binance, Tether, Uniswap, HuobiGlobal, OKEx, Circle Pay and BitGo to blacklist any tokens coming from these addresses. Tether CTO Paolo Ardoino said the platform froze about $33 million in connection to the hack.

    Hank Schless, senior manager at Lookout, told ZDNet that DeFi has “become a primary target for cybercriminals”, and a recent report from CipherTrace found that attacks on DeFi caused an all-time high number of losses for the first half of 2021. The DeFi community saw a record loss of $474 million between January and July this year thanks to cybercriminals. The attack on Poly Network is bigger than other headlining cryptocurrency attacks like the $550 million hack of Coincheck in 2018 and the $400 million Mt. Gox hack in 2014.

  • Accenture says Lockbit ransomware attack caused 'no impact'

    Billion-dollar tech services firm Accenture is downplaying an alleged ransomware attack that the Lockbit ransomware group announced on Tuesday night.

    Accenture was listed on the group’s leak site next to a timer set to go off on Wednesday. The ransomware group added a note that said, “These people are beyond privacy and security. I really hope that their services are better than what I saw as an insider. If you’re interested in buying some databases, reach us.”

    In a statement to ZDNet, an Accenture spokesperson downplayed the incident, saying it had little impact on the company’s operations. Accenture brought in more than $40 billion in revenue last year and has over 550,000 employees across multiple countries. “Through our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers. We fully restored our affected systems from back up,” the company said. “There was no impact on Accenture’s operations or on our clients’ systems.”

    A screenshot of the Lockbit ransom page (image: CyberKnow).

    Many online similarly questioned the amount of data taken during the ransomware attack and noted how unlikely it would be for it to come from an Accenture insider, considering how easy it would be to trace the attack.

    Accenture did not respond to questions about whether it was an insider attack and when the attack may have occurred. A cybercrime intelligence firm called Hudson Rock reported on Twitter that about 2,500 computers of employees and partners were compromised in the attack, while another research firm, Cyble, claimed to have seen a ransom demand of $50 million for about 6 TB of stolen data. BleepingComputer later reported that Accenture had already communicated with one CTI vendor about the ransomware attack and will notify others.

    In a report from Accenture itself last week, the company said it found that 54% of all ransomware or extortion victims were companies with annual revenues between $1 billion and $9.9 billion. Accenture provides a range of services to 91 of the Fortune Global 100 and hundreds of other companies. IT services, operations technology, cloud services, technology implementation and consulting are just a few of the things the Ireland-based company offers customers. In June, the company purchased German engineering consulting firm Umlaut to expand its footprint into the cloud, AI and 5G, while also acquiring three other tech companies in February.

    The Australian Cyber Security Centre released an advisory on Friday noting that after a small dip in operations, the Lockbit ransomware group had relaunched and has ramped up attacks. Members of the group are actively exploiting existing vulnerabilities in the Fortinet FortiOS and FortiProxy products identified as CVE-2018-13379 in order to gain initial access to specific victim networks, the advisory said.

    “The ACSC is aware of numerous incidents involving LockBit and its successor ‘LockBit 2.0’ in Australia since 2020. The majority of victims known to the ACSC have been reported after July 2021, indicating a sharp and significant increase in domestic victims in comparison to other tracked ransomware variants,” the release added. “The ACSC has observed LockBit affiliates successfully deploying ransomware on corporate systems in a variety of sectors including professional services, construction, manufacturing, retail and food.”

    In June, the Prodaft Threat Intelligence team published a report examining LockBit’s RaaS structure and its affiliates’ proclivity toward buying Remote Desktop Protocol access to servers as an initial attack vector. The group generally demands an average of $85,000 from victims, and about one third goes to the RaaS operators. More than 20% of victims on a dashboard seen by Prodaft researchers were in the software and services sector. “Commercial and professional services as well as the transportation sector are also highly targeted by the LockBit group,” Prodaft said.

    UPDATE: After the timer went off on Wednesday afternoon, the group released the files it stole. There was no sensitive information in the leak and it was mostly made up of Accenture marketing material. The group has since reset the timer for Aug 12, 20:43 UTC, implying they may have more documents to leak.

  • Business email compromise: 23 charged over 'sophisticated' fraud ring

    A sophisticated fraud scheme using compromised emails and advance-payment fraud has been uncovered by authorities. The fraud was run by what Europol describes as a “sophisticated” organised crime group which created fake websites and fake email addresses similar to legitimate ones run by retailers and suppliers. Using these fake accounts, the criminals tricked victims into placing orders for goods and requested payment in advance. However, there never were any goods, so deliveries never took place – instead the stolen money was laundered through Romanian bank accounts controlled by the criminals before being withdrawn at ATMs.

    The 23 suspects have been charged following simultaneous raids by police in the Netherlands, Romania and Ireland. They’re believed to have defrauded companies in at least 20 countries across Europe and Asia out of a total of €1 million. The group is suspected to have been running for several years, offering fictitious items for sale, such as wooden pellets. But last year the group switched how it operated and offered fictional items relating to the COVID-19 pandemic, including protective equipment. Europol’s European Cybercrime Centre (EC3) aided national investigators in the Netherlands, Romania and Ireland, as well as deploying cyber crime experts to help with raids.

    Business Email Compromise attacks are one of the most lucrative forms of cyber crime for internet fraudsters – in 2019, the FBI listed BEC as the cyber crime with the highest amount of reported losses, accounting for $1.77 billion. Overall, it costs businesses much more than ransomware. To help prevent falling victim to Business Email Compromise attacks, Europol recommends that people should be wary of unsolicited contact from a seemingly senior official, or requests which don’t follow the usual company procedures – especially if the request is supposedly urgent or confidential. Organisations can also create barriers against falling victim to BEC by ensuring that wire transfers are subject to approval from multiple people to help increase the chance of fraud being spotted.

  • Poly Network hackers potentially stole $610 million: Is Bitcoin still safe?

    Yesterday the Poly Network, which specialises in cryptocurrency transfers on the Binance, Ethereum and Polygon blockchains, announced that it had been attacked and assets transferred to hackers. It tweeted: “Important Notice: We are sorry to announce that #PolyNetwork was attacked on @BinanceChain, @ethereum and @0xPolygon. Assets had been transferred to hacker’s following addresses: ETH: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963 and BSC: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71.”

    It asked miners of affected blockchains and crypto exchanges such as Binance, HuobiGlobal, OKEx, Tether, BitGo, Uniswap and Circle Pay, amongst others, to blacklist tokens coming from these addresses. Poly Network said that the hacker had “exploited a vulnerability between contract calls” — where a contract can modify the keeper of a contract and execute a transaction. Estimates of funds held in wallets say that the loss was in excess of $600 million. Twitter user @kelvinfichter explained how the hack actually worked. Blockchain ecosystem security company Slow Mist tweeted that a total of over US$610 million was transferred to three addresses. It considers that the attack was likely to be “long-planned, organized and prepared”.

    The Poly Network later broadcast an open message to the hacker saying “The amount of money you hacked is the biggest one in the defi (decentralised finance) history”.

    It added, “Law enforcement in any country will regard this as a major economic crime, and you will be punished”. Decentralised Finance (DeFi) aims to cut out third parties such as brokerages or exchanges. Poly Network has asked for the return of the funds and tweeted the addresses that the funds are to be returned to. Paolo Ardoino tweeted that Tether had frozen $33 million as part of the hack.

    Today Poly Network indicated that cash might be returning. It tweeted a screenshot of a transaction with a comment for the alleged hacker.

    Update: the entire conversation and refund update can be viewed in a Google doc linked from @LX2025.

    This is not the first time that hackers have allegedly stolen Bitcoin. In February, legal proceedings began against Bitcoin developers after the theft of Bitcoin in 2020. As legal processes ramp up across the world and lawyers aim to recover different lost or stolen assets, there seem to be fewer places for hackers to hide as new legislation is adopted.

    The Bitcoin SV network, which recently tweeted that gigabyte blocks were mined on the public blockchain, was subjected to a series of block-reorganisation attempts in July and early August that attempted to double-spend BSV coins. The network recommended that node operators mark the chain as invalid to “lock the attacker’s fraudulent chain out.”

    The EU proposal that addresses improved detection of money laundering and terrorism financing in the Union will require ‘digital currency service providers to apply for licences, and anonymous digital currency asset accounts will be banned.’ The US’ Infrastructure Bill proposal requires ‘brokers’ in the digital currency industry to collect information on and report customers’ tax obligations to the government.

    So is any version of Bitcoin safe? With potential cross-chain vulnerabilities occurring as relay chains and cross-chain bridges make it easier to move assets across blockchains, penetration testing and checking become ever more important. Hacks like this in an Ethereum contract demonstrate how vulnerable smart contracts can be. Miners running smaller nodes — the very ethos of DeFi — become more exposed to vulnerabilities like this, whereas miners running large mining node clusters have the resources and budget to carry out extensive testing and mitigation when potential hacks occur. Will this be the largest hack ever, or will other vulnerabilities expose even larger amounts of money being moved to other blocks before being transferred out of blockchain currency exchanges? Hopefully, this wake-up call will have developers making sure that their code is impenetrable — whichever version of the contract is used.