More stories


    Black Hat: Enterprise players face 'one-two-punch' extortion in ransomware attacks

    BLACK HAT USA: The adoption of double-extortion attacks against companies in ransomware campaigns is a rising trend in the space, researchers warn.

    Ransomware variants are typically programs that aim to prevent users from accessing systems and any data stored on infected devices or networks. After locking victims out, files and drives will often be encrypted — and in some cases, backups, too — in order to extort a payment from the user. Today, well-known ransomware families include WannaCry, Cryptolocker, NotPetya, Gandcrab, and Locky.

    Ransomware now seems to make the headlines month-on-month. Recently, the cases of Colonial Pipeline and Kaseya highlighted just how disruptive a successful attack can be to a business, as well as its customers — and according to Cisco Talos, it’s likely to only become worse in the future.

    In 1989, the AIDS Trojan — arguably one of the earliest forms of ransomware — was spread through floppy disks. Now, automated tools are used to brute-force internet-facing systems and load ransomware; ransomware is deployed in supply-chain attacks, and cryptocurrencies allow criminals to more easily secure blackmail payments without a reliable paper trail.

    As a global issue and one that law enforcement struggles to grapple with, ransomware operators may be less likely to be apprehended than in more traditional forms of crime — and as big business, these cybercriminals are now going after large companies in the quest for the highest financial gain possible. At Black Hat USA, Edmund Brumaghin, research engineer at Cisco Secure, said the so-called trend of “big game hunting” has further evolved the tactics employed by ransomware operators.

    Now that big game hunting has gone “mainstream,” Brumaghin says, cyberattackers are not deploying ransomware immediately on a target system. Instead, as in typical SamSam attacks, threat actors will more often obtain an initial access point through an endpoint and then move laterally across a network, pivoting to gain access to as many systems as possible.

    “Once they had maximized the percentage of the environment that was under their control, then they would deploy the ransomware simultaneously,” Brumaghin commented. “It’s one of those types of attacks where they know that organizations may be forced to pay out because, instead of a single endpoint being infected, now 70 or 80 percent of server-side infrastructure is being impacted operationally at the same time.”

    After a victim has lost control of their systems, they are then faced with another problem: the emerging trend of double-extortion. While an attacker is lurking on a network, they may also rifle through files and exfiltrate sensitive corporate data — including customer or client information and intellectual property — and they will then threaten their victims with its sale or a public leak.

    “Not only are you saying you only have X amount of time to pay the ransom demand and regain access to your server, if you don’t pay by a certain time, we’re going to start releasing all of this sensitive information on the internet to the general public,” Brumaghin noted.

    This tactic, which the researcher says “adds another level of extortion in ransomware attacks,” has become so popular in recent years that ransomware operators often create ‘leak’ sites, on both the dark and clear web, as portals for data dumps and in order to communicate with victims.

    According to the researcher, this is a “one-two-punch” method that is made worse now that ransomware groups will also employ Initial Access Brokers (IABs) to cut out some of the legwork required in launching a cyberattack. IABs can be found on dark web forums and contacted privately. These traders sell initial access to a compromised system — such as through a VPN vulnerability or stolen credentials — and so attackers can bypass the initial stages of infection if they are willing to pay for access to a target network, saving both time and effort.

    “It makes a lot of sense from a threat actor’s perspective,” Brumaghin said. “When you consider some of the ransom demands we’re seeing, in a lot of cases, it makes sense to them instead of trying to go through all the effort [..] they can simply rely on initial access brokers to give them access that has already been achieved.”

    Finally, Cisco’s security team has also noted an uptick in ransomware ‘cartels’: groups that share information and work together to identify the techniques and tactics that are most likely to result in revenue generation. Brumaghin commented: “We’re seeing a ton of new threat actors begin to adopt this business model and we continue to see new ones emerge, so it’s something organizations really need to be aware of.”


    CISA to partner with Amazon, Google, Microsoft, Verizon, AT&T and more for cyberdefense initiative

    CISA director Jen Easterly announced a new cyberdefense collaborative that will see government bodies partner with Google, Microsoft, Verizon and more on protective cybersecurity measures.

    Easterly unveiled the initiative in an interview with the Wall Street Journal before speaking about it further at the Black Hat convention on Thursday. The newly-appointed head of CISA told the newspaper that the Joint Cyber Defense Collaborative (JCDC) will “uniquely bring people together in peacetime, so that we can plan for how we’re going to respond in wartime.”

    Easterly explained on Twitter that the JCDC will “share insight to shape our understanding of cyber defense challenges and opportunities, design whole-of-nation cyber defense plans to address risks, support joint exercises to improve cyber defense operations and implement coordinated defensive cyber operations.”

    On its website, the JCDC described its mission as leading “the development of the Nation’s cyber defense plans” as it seeks to “prevent and reduce the impacts of cyber intrusions.” They explain that the $740 billion National Defense Authorization Act (NDAA) of 2021, passed on January 1, gave them “new authority” to bring together both public and private institutions to coordinate responses to cyberattacks. Representatives from DHS, the Justice Department, United States Cyber Command, NSA, FBI as well as the Office of the Director of National Intelligence will be involved in the initiative.

    Private sector companies involved in the effort include Google, Verizon, Microsoft, AT&T, Amazon Web Services, FireEye, Lumen, Crowdstrike and Palo Alto. Google Cloud CISO Phil Venables told ZDNet it is essential that the public and private sectors work together to defend against evolving threats and shore up modern IT capabilities that will protect federal, state and local governments. “We look forward to working with CISA under the Joint Cyber Defense Collaborative and offering our security resources to build a stronger and more resilient cyber defense posture,” Venables said.

    Shawn Henry, president of CrowdStrike Services and CSO, added that the JCDC will “create an inclusive, collaborative environment to develop proactive cyber defense strategies.” “Continued collaboration between industry and government is critical to thwart today’s sophisticated attacks, and CISA’s initiative to bring the most relevant stakeholders together to defend national security is admirable. CrowdStrike is looking forward to partnering on this critical endeavor,” Henry said.

    (Image: Jen Easterly/Twitter) An image of the partnership shared by CISA director Jen Easterly.

    “The JCDC leads the development of the Nation’s cyber defense plans by working across the public and private sectors to unify deliberate and crisis action planning, while coordinating the integrated execution of these plans,” the collective explained. “The plans will promote national resilience by coordinating actions to identify, protect against, detect, and respond to malicious cyber activity targeting U.S. critical infrastructure or national interests.”

    JCDC will also coordinate with state level officials and other owners and operators of critical information systems. They added that “comprehensive, whole-of-nation planning” will be needed to address the wave of cybersecurity incidents facing organizations. In addition to defensive measures, the JCDC said it would also plan for “adaptive” cyber defense to deal with “adversary activity conducted in response to US offensive cyber operations.”

    The JCDC is one of many actions being taken by the Biden Administration to address ransomware attacks and many other headline-grabbing attacks in recent months. In addition to the new mandatory guidelines facing critical infrastructure owners, the JCDC will coordinate with them to “support the development of long-term plans to manage cyber risk and increase resilience of critical infrastructure.”

    During her speech at Black Hat, Easterly thanked US Senator Angus King, Congressman Mike Gallagher and the other leaders of Congress’ Cyberspace Solarium Commission for their help in setting up the JCDC. Easterly was confirmed by Congress on July 12 following a decorated career in the military. She spent more than 20 years working on the US Army’s intelligence and cyber operations and is credited with helping design and create United States Cyber Command.


    More than 12,500 vulnerabilities disclosed in first half of 2021: Risk Based Security

    Risk Based Security has released two new reports covering data breaches and vulnerabilities in the first half of 2021, finding that there was a decline in the overall number of reported breaches but an increase in the number of vulnerabilities disclosed. The company’s data breach report found that there were 1,767 publicly reported breaches in the first six months of 2021, a 24% decline compared to the same period last year. The number of reported breaches grew in the US by 1.5%, while 18.8 billion records were exposed year to date, a 32% decline compared to the 27.8 billion records leaked in the first half of 2020.

    Inga Goddijn, executive vice president at Risk Based Security, said the methods used by attackers to monetize their efforts have diversified and, at the same time, preventable errors are outpacing hackers when it comes to the amount of data exposed. “The amount of data compromised remains stubbornly high and with another sizable Q2 breach yet to be confirmed, it is possible that the number will climb over 19 billion in the near future,” Goddijn said. The numbers are slightly misleading though, the report notes, because the breach of Forex trading service FBS Markets accounts for about 85% of the records exposed through June 30th. The researchers added that 352 data breaches involved a ransomware attack.

    The number of email addresses leaked held steady at 40% of all breaches, while passwords were leaked in 33% of breaches. Healthcare organizations led the way with the most breaches in 2021 so far at 238. Finance and insurance companies suffered 194 breaches, while manufacturing saw 169 and educational institutions dealt with 138.

    The other report, from Risk Based Security’s VulnDB team, aggregated 12,723 vulnerabilities that were disclosed during the first half of 2021. They found that for the first half of 2021, the number of vulnerabilities disclosed grew by 2.8% compared to 2020.

    “Of the vulnerabilities disclosed during the first half of 2021, 32.1% do not have a CVE ID, and an additional 7%, while having a CVE ID assigned, are in RESERVED status which means that no actionable information about the vulnerability is yet available in CVE/NVD,” the report added. “In the first half of 2021, Risk Based Security’s VulnDB team aggregated an average of 80 new vulnerabilities per day. Risk Based Security also updated an average of 200 existing vulnerability entries per day as new solution information, references, and additional metadata became available.”

    Of the vulnerabilities disclosed so far in 2021, 1,425 are remotely exploitable and have a public exploit as well as a mitigating solution. Nearly 900 vulnerabilities that are remotely exploitable do not have a mitigating solution at all.

    One issue spotlighted by the report is the trend of organizations failing to report breaches. The COVID-19 pandemic shifted focus away from cybersecurity, and there has now been a 24% decline in the number of publicly disclosed breaches when comparing data from the first half of 2020 to the first half of 2021. Despite the decline in disclosed breaches, the number of sensitive files exposed continues to grow. Between January 2021 and June 2021, more than 18 billion sensitive or confidential records were exposed, the second highest ever recorded by Risk Based Security.

    Of the data lost in breaches, 61% involved the exposure of names, 38% exposed social security numbers, 25% contained addresses and 22% had financial information. The reports also ranked the top ten products by vulnerability disclosures in Q2 of 2021. Debian Linux led the way with 628, followed by Fedora at 584, openSUSE Leap at 526 and Ubuntu at 443. The top ten vendors by vulnerability disclosures in Q2 2021 included Microsoft at 627, SUSE at 590, Fedora at 584, IBM at 547 and both Oracle and Google above 500. Cisco, Canonical and Red Hat rounded out the list with more than 400 vulnerability disclosures in Q2 2021.


    Microsoft tests Super-Duper Secure Mode for Edge

    (Image: Shutterstock)
    Microsoft’s Edge Vulnerability Research (VR) team is testing a new feature they’ve christened “Super Duper Secure Mode” (SDSM). Super-Duper Secure Mode is all about making Edge more secure without negatively impacting performance.


    SDSM works by removing Just-In-Time compilation from the V8 processing pipeline, which will reduce the attack surface that can be used to hack into Edge’s systems, as Bleeping Computer (where I first saw the SDSM information) explains. In addition to disabling the JIT, SDSM enables “new security mitigations” to make Edge a more secure browser.

    “JavaScript plays a key role in any browser story. JITs exist for a reason, and that is to optimize JavaScript performance,” the Microsoft browser researchers noted in their August 4 blog post about SDSM. However, so far, the researchers said they don’t see much of a change in performance with JIT disabled; most of their tests remained unchanged. By disabling the JIT, roughly half of the V8 bugs that must be fixed would be removed. This would mean less frequent security updates and fewer emergency patches for users, the researchers noted.

    SDSM is still considered to be in the experimental stage. Still, Edge preview testers — in the Canary, Dev and Beta rings — can enable it now with a flag by going to edge://flags/#edge-enable-super-duper-secure-mode and turning on the new feature.


    Google's new Nest lineup includes a Doorbell and Cams

    (Image: Google) The new Google Nest Cam lineup.

    Google on Thursday unveiled several new security cameras that are part of its Nest smart home lineup. There’s a new video doorbell, a floodlight camera to help you monitor your driveway or a dark side of your home, and two new Nest Cams — one that’s battery-powered and designed for use anywhere — and another that’s designed to monitor inside your home.


    There's been a rise in stalkerware. And the tech abuse problem goes beyond smartphones

    BLACK HAT USA: We need to be wary of mobile devices and IoT products, now widely abused to facilitate partner coercion, researchers have warned. 


    At the Black Hat cybersecurity conference in Las Vegas this week, Lodrina Cherne, Principal Security Advocate at Cybereason, and Martijn Grooten, consultant and coordinator at the Coalition Against Stalkerware, said that the COVID-19 pandemic has prompted a surge in the use of stalkerware in intimate partner violence (IPV) and gender-based violence.

    The Coalition Against Stalkerware defines stalkerware as software, made available directly to individuals, that enables a remote user to monitor the activities on another user’s device without consent and without “explicit, persistent notification to that user in a manner that may facilitate intimate partner surveillance, harassment, abuse, stalking, and/or violence.” Mobile applications and PC monitoring software come straight to mind. Unlike spyware, which may be used to monitor indiscriminately or be deployed by government agencies and law enforcement in investigations, stalkerware is generally used by individuals.

    Such software can be used to remotely monitor and eavesdrop on phone calls, SMS messaging, Voice over IP (VoIP) applications, GPS/location data, messaging and social media apps, and to steal images and video from an infected device. It is often the case that stalkerware is installed through physical access to a handset. However, malicious SMS messages or phishing emails may also be the infection vector, although remote installation of stalkerware is rare, Cherne noted. “They are not hidden from a forensic practitioner,” Cherne commented. “But they are hidden from the user.”

    According to the duo, stalkerware is most common on Android mobile devices, while on iOS this form of malware is most often detected on jailbroken, unpatched, or older handsets. Desktop PC stalkerware also exists, although it is not as prolific.

    This malware may be marketed as employee or child monitoring services and for ‘good’ and ‘ethical’ purposes — but as it is so often hidden, stealthy, and doesn’t require continual consent, it can be used in IPV or to abuse others and violate their privacy.

    Using technology to intimidate, spy on, or abuse someone, however, now can go beyond mobile apps. As noted by the security experts, Internet of Things (IoT) devices including Bluetooth/possession trackers, shared social media accounts, and other smart technology, for example home security cameras, are also ripe for abuse. Even remote-controlled devices such as smart thermostats or lights could be used to demonstrate power over another and can be “intimidating,” according to Grooten.

    According to a WESNET survey conducted in Australia, 99.3% of domestic violence practitioners have clients who have experienced technology-facilitated abuse — and the use of video cameras for this purpose, alone, has increased by 183.2% between 2015 and 2000. “Tech abuse rarely involves hacking, it instead exploits a feature of the technology — they are rarely built with IPV in mind,” Grooten added.

    In the United States, the Stalking Prevention Awareness & Resource Center (SPARC) says that one in four individuals experiencing domestic abuse report that technology was used in some manner.


    While survivors may be “hyper-vigilant,” as they have had to be to endure IPV, their suspicions or belief that they are being spied upon through stalkerware should not be dismissed. “Survivors should always be taken seriously to empower them,” Grooten said. “Don’t make decisions on their behalf and try to be supportive [..] understand that this is an abuse problem, not a technical problem.”

    Founded in 2019, the Coalition Against Stalkerware is a group of non-profit organizations, security advocates, and cybersecurity companies working together to fight stalkerware and other forms of technological abuse in domestic violence and coercive relationships. Participants include F-Secure, the Electronic Frontier Foundation (EFF), Kaspersky, Malwarebytes, National Network to End Domestic Violence (NNEDV), and others. Interpol also supports the scheme.

    “In recent years, the problem of stalkerware has been on the rise globally,” the coalition says. “Non-profit organizations report a growing number of survivors are seeking help with stalkerware, and cybersecurity companies are detecting a consistent increase in these harmful apps.”


    Researchers turn the spotlight on the hidden workers of the cybercrime world

    Security researchers have put the spotlight on a little-known but growing group of people who make up a significant part of the cyber-criminal ecosystem, even though some of them may not even be aware that they’re actually taking part in illegal activities. A collaborative research project by Czech Technical University in Prague, plus cybersecurity companies GoSecure and SecureWorks, analyzed the activities of people on the fringes of cybercrime, those behind projects like building the websites that end up being used for phishing attacks, affiliate schemes to drive traffic towards compromised or fake websites or writing the code that ends up in malware. 

    The people behind these projects are doing it because it’s an easy way to make money. But by doing this work, they’re laying the foundations for cyber criminals to carry out malicious campaigns.

    The research, titled The Mass Effect: How Opportunistic Workers Drift into Cybercrime and presented at Black Hat USA, has its origins in analysis by Czech Technical University that revealed the inner-workings of Geost, a botnet and Android malware campaign that infected hundreds of thousands of users, which allowed researchers to examine chat logs of some of those involved. They were able to trace people in these chat logs to online forums and other discussion platforms and gain an insight into what motivates them.

    “We started to understand that, although they were involved in spreading malicious applications, they weren’t necessarily the mastermind behind it, but rather the informal workers, those who work on small gigs,” said Masarah Paquet-Clouston, security researcher at GoSecure.

    But while these people are at the bottom of the hierarchy, they’re performing useful tasks for cyber criminals who use the websites and tools they build for malicious activities, including phishing and distributing malware.

    “They are trying to earn a living and maybe crime is paying better so they go there, they drift into crime and come and go,” said Sebastian Garcia, assistant professor at Czech Technical University, who argues that more attention needs to be paid to the people who dance the line between cybercrime and legal activity. “There is a mass of people in these public forums that the security community is not looking into, but these are the support, these are the people doing the majority of the work, building web pages for phishing emails, APKs, the encryption, the malware, the money mules,” he said.

    If we always focus on ‘motivated offenders’, the masterminds who actually thought of building the botnet and making money through all of this, we forget the workers, warned Paquet-Clouston. “We as a community often forget that there are many people involved, but they’re not necessarily highly motivated people but rather just those who end up doing the activity,” she said.

    However, this doesn’t necessarily mean that the people involved in these schemes should be treated as if they’re criminal masterminds, particularly when some may not even know that their skills are being exploited to aid cybercrime. In fact, it could be possible to provide many of these people with opportunities to use their skills in a way that’s beneficial, rather than using them to help cybercrime. “There is a lot of people that, maybe given the correct opportunity, they don’t have to drift into crime,” said Garcia.


    PJCIS asks for Australia's 'hacking' Bill to gain judicial oversight and sunset clauses

    The Parliamentary Joint Committee on Intelligence and Security (PJCIS) has recommended the passage of the so-called “hacking” Bill that will afford three new computer warrants to two Australian law enforcement bodies, providing its 33 other recommendations are met.

    The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, if passed, would hand the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) the new warrants for dealing with online crime.

    The first of the warrants is a data disruption one, which according to the Bill’s explanatory memorandum, is intended to be used to prevent “continuation of criminal activity by participants, and be the safest and most expedient option where those participants are in unknown locations or acting under anonymous or false identities”. The second is a network activity warrant that would allow the AFP and ACIC to collect intelligence from devices that are used, or likely to be used, by those subject to the warrant. The last warrant is an account takeover warrant that would allow the agencies to take control of an account for the purposes of locking a person out of the account.

    The Bill has been criticised for its “wide-ranging” and “coercive” powers by the Office of the Australian Information Commissioner (OAIC), human rights lawyers have asked the Bill be re-drafted, and the likes of Twitter have labelled parts of the proposed Bill as “antithetical to democratic law”.

    After considering all the submissions made and testimonies provided on the Bill, the PJCIS in its report [PDF] has called for some tweaks, such as amending the Bill to provide additional requirements on the considerations of the issuing authority to ensure the offences are reasonably serious and proportionality is maintained.

    “The effect of any changes should be to strengthen the issuing criteria and ensure the powers are being used for the most serious of offending,” it added.

    The committee wants the issuing authority for all of the new powers introduced by the Bill, including emergency authorisations, to be a superior court judge, either of the Federal Court or a state or territory Supreme Court, except for account takeover warrants, which may be granted by an eligible Judge in line with the Surveillance Devices Act 2004. The issuing authority, PJCIS asked, must give consideration to third parties, specifically their privacy, and to privileged and journalistic information.

    It wants the Bill amended so that, in order to provide an emergency authorisation for disruption of data held in a computer, an authorising officer must be satisfied that there are no alternative means available to prevent or minimise the imminent risk of serious violence to a person or substantial damage to property, and that they consider the likely impacts of the proposed data disruption activity on third parties. In addition, the committee said the Bill should be amended so that, where an issuing authority declines to retrospectively approve an emergency data disruption authorisation, the issuing authority may require the AFP or ACIC to take remedial action, including financial compensation.

    The OAIC previously testified that the definition of a “criminal network of individuals” has the potential to include a significant number of individuals, including third parties not the subject or subjects of the warrant who are only incidentally connected to the subject or subjects of the warrant. To remedy that, the PJCIS has asked that the definition under the network activity warrant require there to be a reasonable suspicion of a connection between the suspected conduct of the individual group member in committing an offence or facilitating the commission of an offence and the actions or intentions of the group as a whole.

    Where applying for authorisation is concerned, the committee wants changes made to reflect that only an AFP or ACIC law enforcement officer can apply for a data disruption warrant or an account takeover warrant. The person must also be approved, in writing, by either the AFP Commissioner or ACIC CEO to apply for data disruption warrants, and the relevant agency head must also be satisfied that the person possesses the requisite skills, knowledge, and experience to make warrant applications. Further amendments requested include that the individual must make a sworn affidavit setting out the grounds of an application for an account takeover warrant.

    The PJCIS has asked that the issuing criteria for each of the warrants require satisfaction that the order for assistance, and not just the disruption of data, is “reasonably necessary to frustrate the commission of the offences that are covered by the disruption warrant; and justifiable and proportionate, having regard to the seriousness of the offences that are covered by the disruption warrant and the likely impacts of the data disruption activity on the person who is subject to the assistance order and any related parties”. It wants it made clear that decisions under the Bill are not excluded from judicial review.

    The PJCIS wants the Bill to impose a maximum period for a non-emergency mandatory assistance order to be served and executed, and asked that if the order is not served and executed within that period, the order will lapse and a new order must be sought. It also wants all applications for a non-emergency mandatory assistance order to be made in writing and for the AFP and the ACIC, unless absolutely necessary, to be prohibited from seeking a non-emergency mandatory assistance order in respect of an individual employee of a company.

    Further amendments include the Bill making it clear that no mandatory assistance order can ever be executed in a manner that amounts to the detention of a person, and that the Bill introduce immunity provisions for both assisting entities and those employees or officers of assisting entities who are acting in good faith with an assistance order.

    The AFP and ACIC, the committee said, should also be required to notify the Commonwealth Ombudsman or the Inspector-General of Intelligence and Security (IGIS) as soon as reasonably practicable if they cause any loss or damage to other persons lawfully using a computer. Similarly, the PJCIS wants any computers that have been removed from premises under a data disruption warrant or a network activity warrant to be returned as soon as reasonably practicable.

    Elsewhere, PJCIS has requested an amendment to allow it to conduct a review of the three warrants no less than four years from when the Bill receives Royal Assent. It also wants each of the new powers to sunset five years from the date on which the Bill receives Royal Assent.

    The final recommendation, recommendation 34, simply states: The committee recommends the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 be passed, subject to the amendments outlined above.