More stories

  • After ransomware arrests, some dark web criminals are getting worried

    Cyber criminals are becoming anxious about being tracked down by law enforcement agencies following the high-profile arrests of suspected members of one of the most notorious ransomware groups. On January 14, Russia’s Federal Security Service (FSB) announced it had detained members of the REvil ransomware gang operating from several regions of the country and dismantled the group’s operations. Previous action by Europol resulted in the arrest of a suspected REvil affiliate near the Polish and Ukrainian border.


    According to analysis of chatter on dark web forums by cybersecurity researchers at Trustwave SpiderLabs, the recent arrests, particularly those by Russia, appear to have scared cyber criminals, some of whom appear to be worried that they might be next.

    Ransomware is one of the biggest cybersecurity issues facing organisations and the wider world today, with a string of incidents demonstrating how such attacks can impact utilities, healthcare, food production and other vital services that people need every day, while cyber criminals can walk away with huge sums of money when victims give in and pay the ransom required for a decryption key.

    There’s a consensus among cybersecurity experts that many of the major ransomware operations work out of Russia, with the authorities willing to turn a blind eye towards attacks targeting the West. But following arrests throughout the region, some cyber criminals are wondering if the risk is worth it. “This is a big change. I have no desire to go to jail,” wrote one forum member.

    “In fact, one thing is clear, those who expect that the state would protect them will be greatly disappointed,” said another.

    There’s even concern that administrators of the dark web communities, who would have details about their users, could be coerced into working for law enforcement following arrest. Such is the paranoia among some forum members and ransomware affiliates that they suggest moving operations to a different jurisdiction, although this is unlikely to be a realistic option for many.

    “Those that are seasoned in cybercrime understand that by moving outside of Russia, they’ll be taking on an even greater risk of being arrested by international law enforcement agencies. These agencies that are keeping tabs on cyber criminals will be watching for such potential moves,” Ziv Mador, VP security research at Trustwave SpiderLabs, told ZDNet.

    “Also, there is a large talent pool in Russia already, so more members and affiliates can always be recruited. Recruiting can become more difficult in other geographies. There is a level of trust that is required, and that trust diminishes the further away a prospective member is from ‘home base’,” he added.

    However, while some users are anxious following the arrests, others are less sympathetic, blaming a string of high-profile attacks against major targets in the United States for the unwelcome attention. “It was necessary to think before climbing and encrypting multi-billion-dollar companies, schools, states. With whom did they dare to compete?” one user wrote.

    “They climbed everywhere indiscriminately without understanding which country [they were attacking],” said another.

    “Some cyber criminals may feel like REvil spoiled the ability to earn a living by attracting too much law enforcement attention and political powers. This kind of activity may have triggered a lack of sympathy by forum members,” said Mador.

  • Nasty Linux kernel bug found and fixed

    Most reported Linux “security” bugs actually aren’t Linux bugs. For example, security vendor CrowdStrike’s report on the biggest Linux-based malware families was really about system administration security blunders with telnet, SSH, and Docker, not Linux at all. But that doesn’t mean Linux doesn’t have security holes. For example, a nasty new Linux kernel problem has just popped up.

    In this one, there’s a heap overflow bug in legacy_parse_param() in the Linux kernel’s fs/fs_context.c source file. This function handles filesystem parameters during superblock creation for a mount and superblock reconfiguration for a remount. The superblock records all of a filesystem’s characteristics, such as file size, block size, and empty and filled storage blocks. So, yeah, it’s important.

    The legacy_parse_param() “PAGE_SIZE - 2 - size” calculation was mistakenly made an unsigned type. This means a large value of “size” results in a high positive value instead of the negative value that was expected. Whoops. This, in turn, means data gets copied beyond the memory slab allocated for it. And, as all programmers know, writing beyond the memory your program is supposed to have access to is a terrible thing. One big reason why Rust is being incorporated into Linux is that Rust makes this kind of memory mistake much harder to make. As every C developer knows, it’s all too easy to trip over memory allocation in a C program.

    So, how bad is it? By the Common Vulnerability Scoring System (CVSS) v3.1, it’s a solid 7.7. That’s considered a high-severity vulnerability. A local attacker can use it to escalate their user privileges or crash the system. This can be done with a specially crafted program that triggers this integer overflow. That done, it’s trivial to execute arbitrary code and give the attacker root privileges.

    Exploiting it requires the CAP_SYS_ADMIN privilege to be enabled. If that’s the case, an unprivileged local user can open a filesystem that does not support the File System Context application programming interface (API). In this situation, the kernel drops back to legacy handling, and from there, the flaw can escalate an attacker’s system privileges.

    Exploiting it is not as hard to do as you might think. Its discoverer, Linux kernel developer William Liu, reports he created exploits against Ubuntu 20.04 and container escape exploits against Google’s hardened Container-Optimized OS (COS). This security hole was introduced back on Feb 28, 2019, in the Linux 5.1-rc1 kernel. It’s now present in all Linux kernels. Yes, all of them. Fortunately, the patch is in.

    You can also mitigate it by disabling user namespaces, setting user.max_user_namespaces to 0 with the following shell commands on the Red Hat Linux family:

    echo "user.max_user_namespaces=0" > /etc/sysctl.d/userns.conf
    sysctl -p /etc/sysctl.d/userns.conf

    On Ubuntu and related distros, you can protect your system with this command:

    sysctl -w kernel.unprivileged_userns_clone=0

    However, keep in mind that containerized Linux distros, such as Red Hat OpenShift Container Platform, need user namespaces enabled, so you cannot simply switch them off there. In these circumstances, you’ll need to patch your Linux distro as soon as your distributor makes the patch available. Stay safe, stay patched.
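    To make the arithmetic concrete, here is an added example (a userspace model written for this page, not the kernel's own code) that reproduces the length check described above against a one-page buffer: the pre-fix comparison wraps once the buffer already holds PAGE_SIZE - 1 bytes, while the corrected comparison, which has the same shape as the upstream fix, rejects the same append. The struct, the 4096-byte PAGE_SIZE, the return codes and the RC_WOULD_OVERFLOW guard are assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumption: model constant; the kernel uses the architecture's real page size. */
#define PAGE_SIZE 4096

#define RC_OK              0
#define RC_TOO_LARGE     -22   /* mirrors the kernel's -EINVAL: option rejected */
#define RC_WOULD_OVERFLOW -7   /* model-only signal: check passed, write would leave the page */

/* Model of the legacy option accumulator: one page of ','-joined "key=value" text. */
struct legacy_ctx {
    char   data[PAGE_SIZE];
    size_t data_size;
};

/* Pre-fix check. Everything here is size_t, so when size == PAGE_SIZE - 1 the
 * subtraction wraps to SIZE_MAX and no len can ever exceed it. */
bool fits_buggy(size_t size, size_t len)
{
    return !(len > PAGE_SIZE - 2 - size);
}

/* Corrected check: add instead of subtract, so nothing can wrap below zero. */
bool fits_fixed(size_t size, size_t len)
{
    return !(size + len + 2 > PAGE_SIZE);
}

/* Append ",key" or ",key=val" to the page, using either bounds check. */
int legacy_append(struct legacy_ctx *ctx, const char *key, const char *val,
                  bool use_fixed_check)
{
    size_t size = ctx->data_size;
    size_t klen = strlen(key);
    size_t len = klen;                     /* tally: key [+ '=' + value] */
    if (val)
        len += 1 + strlen(val);

    bool ok = use_fixed_check ? fits_fixed(size, len) : fits_buggy(size, len);
    if (!ok)
        return RC_TOO_LARGE;

    /* Bytes the copy below would touch: ',' + len + terminating NUL. The kernel
     * had no second guard here; this is the point where it wrote past the slab. */
    if (size + 1 + len + 1 > PAGE_SIZE)
        return RC_WOULD_OVERFLOW;

    ctx->data[size++] = ',';
    memcpy(ctx->data + size, key, klen);
    size += klen;
    if (val) {
        ctx->data[size++] = '=';
        memcpy(ctx->data + size, val, strlen(val));
        size += strlen(val);
    }
    ctx->data[size] = '\0';
    ctx->data_size = size;
    return RC_OK;
}

/* Fill the page to exactly PAGE_SIZE - 1 bytes (a legal state), then try one
 * more one-character flag. Returns the result of that second append. */
int demo(bool use_fixed_check)
{
    static struct legacy_ctx ctx;
    static char bigkey[PAGE_SIZE];
    memset(&ctx, 0, sizeof(ctx));
    memset(bigkey, 'a', PAGE_SIZE - 2);
    bigkey[PAGE_SIZE - 2] = '\0';          /* strlen(bigkey) == PAGE_SIZE - 2 */

    int rc = legacy_append(&ctx, bigkey, NULL, use_fixed_check);
    if (rc != RC_OK)
        return rc;
    /* ctx.data_size is now PAGE_SIZE - 1: exactly where the old check wraps. */
    return legacy_append(&ctx, "x", NULL, use_fixed_check);
}

int main(void)
{
    int buggy = demo(false), fixed = demo(true);
    printf("pre-fix check : rc=%d (%s)\n", buggy,
           buggy == RC_WOULD_OVERFLOW ? "write would leave the page" : "ok");
    printf("fixed check   : rc=%d (%s)\n", fixed,
           fixed == RC_TOO_LARGE ? "option correctly rejected" : "ok");
    return 0;
}
```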

  • FBI warning: This new ransomware makes demands of up to $500,000

    The Federal Bureau of Investigation (FBI) has detailed evidence connecting the new Diavol ransomware to the Trickbot Group, the prolific gang behind the eponymous banking trojan. Diavol hit researchers’ radars in mid-2021 when Fortinet published a technical analysis that established some links to Wizard Spider, another name for the Trickbot Group, which researchers have also been tracking in connection with the “double extortion” Ryuk ransomware.


    Ryuk is selectively deployed against high-value targets that are subjected to a double extortion racket, where their data is encrypted, stolen and then potentially leaked unless a ransom is paid.

    Trickbot’s tools include the Anchor_DNS backdoor, a tool for transmitting data between victim machines and Trickbot-controlled servers using Domain Name System (DNS) tunneling to hide malicious traffic among normal DNS traffic. The FBI has been on to Diavol since October. Its link between Diavol and Trickbot is that the unique bot identifier (Bot ID) generated by Diavol for each victim is “nearly identical” to the format used by the Trickbot and Anchor_DNS malware. Once the Bot ID is generated by Diavol, files on that machine are encrypted and appended with the “.lock64” file extension, and the machine displays the ransom message.

    “Diavol is associated with developers from the Trickbot Group, who are responsible for the Trickbot Banking Trojan,” the FBI said in a new flash note, warning that it has seen extortion demands of up to $500,000.

    Unlike with Ryuk, the FBI has not seen Diavol leak victim data, despite the group’s message containing a threat to do so. Diavol’s ransom note states: “Take into consideration that we have also downloaded data from your network That In case of not making payment will be published on our news website.”

    “Diavol encrypts files solely using an RSA encryption key, and its code is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker,” the FBI said. “While ransom demands have ranged from $10,000 to $500,000, Diavol actors have been willing to engage victims in ransom negotiations and accept lower payments.”

    Although the FBI acknowledges some victims have negotiated down ransoms with Diavol actors, it still discourages such agreements, since paying doesn’t guarantee files will be recovered, and advises against payment because it might embolden the attackers and fund future attacks. On the other hand, the FBI expresses sympathy for victims that do negotiate with attackers. “The FBI understands that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees and customers. The FBI may be able to provide threat mitigation resources to those impacted by Diavol ransomware,” it said.

    The FBI is also calling on victim organizations to share with it “boundary logs showing communication to and from foreign IP addresses, Bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file.”

    But providing mitigation resources is different from helping recover paid funds. In Colonial Pipeline’s case, the FBI and Justice Department recovered about half of the extorted funds by using the Bitcoin public ledger to trace the payments back to “a specific address, for which the FBI has the ‘private key,’ or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address.” But not every victim organization is a critical infrastructure provider that attracts the attention of the White House, which has since called on the Kremlin to take action against ransomware operations located in Russia. Russian authorities last week conducted a rare raid against members of REvil, which has links to DarkSide.

  • Chinese APT deploys MoonBounce implant in UEFI firmware

    Security researchers have unveiled MoonBounce, a custom UEFI firmware implant used in targeted attacks. 

    The implant is believed to be the work of APT41, a sophisticated Chinese-speaking hacking group also known as Winnti or Double Dragon.

    On January 20, Kaspersky researchers said that at the end of last year, the team uncovered a case of Unified Extensible Firmware Interface (UEFI) compromise caused by the modification of one component in the firmware, which is stored on SPI flash, a chip located on the motherboard. “Due to its emplacement on SPI flash, which is located on the motherboard instead of the hard disk, the implant is capable of persisting in the system across disk formatting or replacement,” the team noted.

    Not only did the tweak to the firmware result in persistence at a level that is extremely difficult to remove, but the team also says that the firmware image was “modified by attackers in a way that allowed them to intercept the original execution flow of the machine’s boot sequence and introduce a sophisticated infection chain.” The developer of the MoonBounce UEFI rootkit is said to have a deep and thorough understanding of how UEFI systems work.

    “The source of the infection starts with a set of hooks that intercept the execution of several functions in the EFI Boot Services Table, namely AllocatePool, CreateEventEx and ExitBootServices,” the researchers explained. “Those hooks are used to divert the flow of these functions to malicious shellcode that the attackers append to the CORE_DXE image, which in turn sets up additional hooks in subsequent components of the boot chain, namely the Windows loader.”

    “This multistage chain of hooks facilitates the propagation of malicious code from the CORE_DXE image to other boot components during system startup, allowing the introduction of a malicious driver to the memory address space of the Windows kernel.”

    Kaspersky says that this single patch turned the UEFI firmware “into a highly stealthy and persistent storage for malware in the system”, one made more difficult to detect because there was no need to add new drivers or make further changes. In addition, the infection chain operates in memory only, so the fileless attack leaves no traces on the hard drive.

    Kaspersky has not been able to obtain a sample of the payload yet, nor has the team discovered how the initial infection occurred, although it is presumed that the infection was achieved remotely. However, non-UEFI implants were found on the targeted network, including the ScrambleCross/SideWalk malware, which communicated with the same attacker infrastructure. Through the analysis of this activity, likely attribution has been possible.

    To the best of Kaspersky’s knowledge, APT41 is the advanced persistent threat (APT) group behind the intrusion. The Chinese-speaking APT is a state-sponsored outfit believed to be responsible for widespread attacks against the IT sector, social media companies, telecoms, non-profits, and healthcare. In terms of the victim organization, in this case, Kaspersky mentioned a target that “corresponds to an organization in control of several enterprises dealing with transport technology.” In September 2020, the US Department of Justice (DoJ) filed charges against five suspected members of APT41.

    “We can now say that UEFI threats are gradually becoming a norm,” Kaspersky says. “With this in mind, vendors are taking more precautions to mitigate attacks like MoonBounce, for example, by enabling Secure Boot by default. We assess that, in this ongoing arms race, attacks against UEFI will continue to proliferate, with attackers evolving and finding ways to exploit and bypass current security measures.”

  • Amazon fake crypto token investment scam steals Bitcoin from victims

    A new cryptocurrency-related scam is abusing the Amazon brand to dupe would-be investors into handing over Bitcoin (BTC). 

    Cryptocurrency and digital token scams have become a common threat facing investors and the general public today. Even though regulators worldwide are clamping down on fraud, through tax legislation, securities offering registration, tighter rules surrounding cryptocurrency adverts, and by keeping a close eye on initial coin offerings (ICOs), exit scams, rug pulls, and theft are still rampant. Interest in cryptocurrency, and now NFTs, continues to escalate, providing a breeding ground for new scams to appear on a daily basis. Chainalysis estimates that fraudsters received approximately $14 billion in deposits in 2021.

    On Thursday, cybersecurity researchers from Akamai Technologies outlined a new fraudulent campaign that leverages Amazon’s name to promote a fake “Amazon to create its own digital token” scheme. Generating panic and encouraging victims to make a rash decision are common tactics used in a variety of scams, and this is no exception. In the Amazon scheme, the fraudsters have imposed a ‘time-sensitive’ lure to make individuals feel like they could be losing out on a lucrative investment opportunity.

    The campaign began by publishing fake social media posts in groups interested in the cryptocurrency space. If users clicked on a post, they were directed to a fake “CNBC Decoded” news website that included an article on the soon-to-be-released ‘Amazon crypto token.’ The cyberattackers gave visitors roughly 30 seconds to read the fake release before they were automatically redirected to a domain that offered pre-sale tokens. The website in question was fully functional and required signing up, email account confirmation, and user profile creation.

    “The website included social engineering techniques that presented a fake progress bar, indicating tokens were about to sell out, adding pressure to the victim’s purchasing decision,” Akamai says. At this stage, visitors were asked to pay for the pre-sale tokens with their own cryptocurrency, including Bitcoin (BTC) and Ethereum (ETH). As the tokens are non-existent, these funds ended up in the wallets of the attackers. Another lure is also presented: a fake referral program that promises rewards if users refer friends and family. This can expand the reach of the token scam on behalf of the attackers with no further effort on their part.

    In total, most of the visitors to the fake token landing pages were using mobile devices (98%). The distribution of mobile operating systems in use is fairly even but leans toward Android handsets (56%), followed by Apple iOS (42%). The majority of victims are located in North America, South America, and Asia.

    “Based on our research, we predict that crypto scams will continue to drive many nefarious activities throughout the 2022 threat landscape,” the researchers commented. Akamai has reported its findings to Amazon.

  • Crypto.com confirms 483 users hit in attack that saw over $31m in coins withdrawn

    Fortune favours Matt Damon.
    Image: Crypto.com
    After issuing hints at final numbers during the week, Crypto.com has made an official statement on the incident that saw it pause its users’ ability to withdraw funds. The company said on Monday that 483 users were impacted by unauthorised cryptocurrency withdrawals on their accounts.

    “In the majority of cases we prevented the unauthorized withdrawal, and in all other cases customers were fully reimbursed,” the company said. “Unauthorised withdrawals totalled 4,836.26 ETH, 443.93 BTC, and approximately US$66,200 in other cryptocurrencies.”

    At the time of writing, the amount of ether was just shy of $14 million and the fiat value of the bitcoin was sitting over $17 million. All up, that put the total figure around the $31 million mark, depending on the volatile prices of cryptocurrency on any given day.

    Crypto.com explained it saw transactions occurring early Monday morning UTC where users’ two-factor authentication was not involved. “Crypto.com revoked all customer 2FA tokens, and added additional security hardening measures, which required all customers to re-login and set up their 2FA token to ensure only authorized activity would occur. Downtime of the withdrawal infrastructure was approximately 14 hours,” it said.

    “In an abundance of caution, we revamped and migrated to a completely new 2FA infrastructure.”

    The company said it has also added a new policy under which the first withdrawal to a whitelisted address must wait 24 hours, as well as a program to refund users up to $250,000 if unauthorised withdrawals are made and certain terms are met. These terms include having multi-factor authentication enabled on all transactions where possible, having set up an anti-phishing code at least 21 days prior to the unauthorised withdrawal, not using a jailbroken phone, filing a police report and sending the company a copy, and answering a “questionnaire to support a forensic investigation”.

    “Terms and conditions may vary by market according to local regulations. Crypto.com will make the final determination of eligibility requirements and approval of claims,” the company said.

  • Commercial surveillance the more immediate problem for citizens: Home Affairs chief

    Home Affairs secretary Mike Pezzullo has made clear his intended approach to the reform of Australia’s electronic surveillance laws: Bulldoze everything and start again. We also need “a broader societal discussion about privacy”, he said. Speaking at a seminar organised by the Australian Strategic Policy Institute (ASPI) on Thursday, Pezzullo described the surveillance law reforms now under way as more of a rebuild, not just a renovation. “I’d like to get to a point if we can design the legislation almost as if we are… not just renovating an existing structure, but literally clearing a site, levelling it, understanding what’s in the ground, what all the different conditions are in relation to that site, and building the new structure together,” he said. Pezzullo wants “everyday Australians” to have the confidence that it would be “highly unusual for any of their data, any of their devices, or indeed any of their engagement through their devices with data, to be the subject of surveillance or interception”. He wants to “move hopefully away from a notion, which has crept into the discussion around surveillance, of the mass ingestion of data almost for a ‘store and use it later’ basis”. Dennis Richardson’s 1,300-page review of the national intelligence community’s legislative framework, released in December 2020, recommended a whole new electronic surveillance Act. The aim would be to clean up what has, over four decades, become a tangled mess of laws.

    The government agreed, and last month the Department of Home Affairs released a discussion paper outlining this goal: “A consistent approach in terms of thresholds, purposes, safeguards, or accountability” with better privacy protections, and a consistent approach to different communications and data technologies into the future.

    “[We would like to engage] in a very genuine, deep, consultative process. We really want to hear from experts in the field about the challenges that are discussed in the discussion paper,” Pezzullo said. “How do you get these balances right, almost at a philosophical level, between security and liberty?”

    Spies will always be “much more restricted” than surveillance capitalism

    That said, according to Pezzullo, we should be more concerned about what’s being done by commercial operators in the name of so-called surveillance capitalism. “It’s more than passing strange to me … that we shed more of our own personal and sometimes quite intimate data in ways that we probably don’t fully understand or appreciate,” Pezzullo said. “I think the more immediate pressing problem for the citizenry is to actually understand what companies are doing with that personal and sometimes intimate data,” he said. “Everything that government will do will always be purposely designed by the parliament to be much more restricted than that.”

    Pezzullo’s argument is that commercial operators project their gaze as widely as possible to maximise profits, whereas law enforcement and intelligence agencies are required to limit their attention to people who are lawfully being investigated for serious crimes. “That’s very different, a very different direction from the way in which all of society’s otherwise going,” he said. “We’d very much like to land this legislation as a model exemplar back to the private sector about how to engage in moderated self-restraining surveillance.”

    Katherine Jones, secretary of the Attorney-General’s Department, says she is “on a unity ticket” with Pezzullo in wanting a wide-ranging consultation process. “Working closely with Home Affairs, we’re able to be engaged as these reforms have been considered, discussed, with stakeholders, designed, and ensure that we can put in absolutely the most effective safeguards that are built into the legislation, but also the most effective oversight mechanisms,” Jones said. “I think we have a generational opportunity to improve in this space,” she said. “We’ve got an opportunity to do that in a much more embedded-by-design way, rather than the ad hoc way it’s been developed over the last 30 years.”

    A question of thresholds: Which crimes are ‘serious’?

    One question which continues to plague Australia’s patchwork of electronic surveillance laws is about the kinds of crimes against which they can be used. As Rachael Falk, CEO of the Cyber Security Cooperative Research Centre, pointed out, the UN’s International Covenant on Civil and Political Rights does have “clear carve outs regarding when privacy can legitimately be a secondary concern”. “These are extreme circumstances — significant national security threats, threat to life, threat to public order — which must be used proportionately to the threat at hand,” Falk told ZDNet. “In such extreme circumstances, privacy, while still vitally important, comes second place to the common good.”

    But which crimes are “serious”? For example, as your correspondent has previously noted, Australia’s controversial anti-encryption laws can be used for offences “punishable by a maximum term of imprisonment of 3 years or more or for life”. Looking around the various jurisdictions, this could cover such existential national security threats as graffiti, criminal damage, menacing phone calls, or even pranks.

    The Home Affairs discussion paper does float the options of setting the thresholds at sentences of three years, or five, or seven. But other measures could also be used, such as when a crime causes serious harm. A key factor here is gaining the public’s trust that the balance is right, something the UK recognised in the report from its own consultation on these issues, A question of trust: report of the investigatory powers review. The report presented a range of case studies which, while not giving away any classified information, explained how and why the powers were used. As Falk told the ASPI seminar, “They [in the UK] go to great lengths to explain the what and the why”. “It’s important that the public have a clear-eyed view,” she said.

    Home Affairs is accepting public submissions relating to its discussion paper [PDF] until February 11. Assuming the timeline remains the same after the forthcoming federal election, an exposure draft of the legislation would be published before the end of this year, with another round of public consultation before legislation is introduced into parliament some time in 2023. Richardson estimated that the whole process would take two to three years and cost around AU$100 million, with another couple of years to rework IT systems and retrain staff.

  • OpenSea confirms outage after platforms report issues with displaying NFTs

    Popular NFT marketplace OpenSea confirmed an outage that affected its API, causing problems for multiple sites that use it to display NFTs. On Thursday, several people took to social media to report issues with their NFTs displaying. Motherboard was the first to report the outage.

    An OpenSea spokesperson said the outage occurred at 6:05am PT and was resolved by 8:30am PT. But the company’s own status page shows the outage lasted far longer, with programmatic access to the API being fully restored by about 3:30pm PT. OpenSea said the time discrepancy was because it kept its programmatic API disabled while monitoring the fix to ensure site reliability.

    OpenSea initially told ZDNet that its platform team was “immediately all hands on deck to identify and correct the issue.”

    “We know how important a reliable site with minimal downtime is to our community, and are working quickly to address this area in a number of ways, including expanding our engineering team to more than 200 people by the end of this year, re-architecting OpenSea for scale, and reducing our customer support times significantly,” the OpenSea spokesperson said. The spokesperson added that the NFT ecosystem exploded last year and interest in NFTs skyrocketed. OpenSea’s transaction volume increased over 600x in 2021, according to the spokesperson, who added that the massive increase in user activity prompted “technical growing pains” as the company tried to scale rapidly.

    Data from tradingplatforms.com shows that NFT global sales surpassed the $4 billion mark over the last 30 days. OpenSea topped the sales charts, handling nearly 500,000 transactions that earned $3 billion in returns. The platform’s transactions grew 20%.

    The OpenSea spokesperson pointed to a blog post released two weeks ago by OpenSea CEO Devin Finzer that sought to address the site stability challenges the platform has experienced over the last few months. “I recognize that the impact of OpenSea downtime is significant for many of you who depend on our platform. We take accountability for the recent instabilities – and I wanted to personally apologize, explain, and outline our plans to prevent this from affecting you in the future,” Finzer said. “Improving site reliability has been a priority for some time (in fact, it’s one of the focus areas I mentioned in our recent funding announcement). We were a team of just seven people at the start of 2021, and as NFTs took off last year, we had to scale fast. That kind of scale comes with growing pains, which many of you have experienced firsthand.”

    Finzer reiterated what the OpenSea spokesperson told ZDNet, pledging to build out the engineering team, re-architect OpenSea and reduce customer support times. In October, security firm Check Point Research said that flaws in the OpenSea NFT marketplace could have allowed “hackers to hijack user accounts and steal entire crypto wallets of users, by sending malicious NFTs.”

    The outage on Thursday occurred on the same day that Twitter announced it would allow some users to use NFTs as their profile picture.