More stories

  • Biden signs cybersecurity memorandum for Defense Department, intelligence agencies

    US President Joe Biden signed a memorandum on Tuesday concerning the cybersecurity of the Defense Department and the country’s intelligence agencies, sketching out exactly how an executive order he signed in May 2021 will be implemented. 


    “This NSM requires that, at minimum, National Security Systems employ the same network cybersecurity measures as those required of federal civilian networks in Executive Order 14028. The NSM builds on the Biden Administration’s work to protect our Nation from sophisticated malicious cyber activity, from both nation-state actors and cybercriminals,” the White House said. The memorandum goes into detail about how the executive order applies to national security systems and provides timelines for implementing things like multifactor authentication, encryption, cloud technologies, and endpoint detection services. Within two months of the memorandum, the head of each executive department or agency that owns or operates an NSS is required to update agency plans concerning cloud technology, and within 180 days, agencies need to implement multifactor authentication and encryption for NSS data-at-rest and data-in-transit. It also forces agencies to “identify their national security systems and report cyber-incidents that occur on them to the National Security Agency.”

    The memorandum gives the National Security Agency broad powers to issue binding directives that force agencies to “take specific actions against known or suspected cybersecurity threats and vulnerabilities.” The White House noted that this directive was modeled after the Department of Homeland Security’s Binding Operational Directive authority for civilian government networks. The NSA and DHS will work together on certain directives and share information about requirements and threats.

    Additionally, the memorandum forces agencies to be aware of and secure cross-domain tools that allow agencies to transfer data between classified and unclassified systems. “Adversaries can seek to leverage these tools to get access to our classified networks, and the NSM directs decisive action to mitigate this threat. The NSM requires agencies to inventory their cross-domain solutions and directs NSA to establish security standards and testing requirements to better protect these critical systems,” the White House said.

    The memorandum includes a range of other deadlines and orders for agencies working with sensitive information. It comes on the heels of multiple warnings released by the Cybersecurity and Infrastructure Security Agency (CISA) about potential threats coming from Russia. CISA sent out a warning about potential Russian attacks on critical infrastructure and, this week, warned businesses working with Ukrainian organizations about potential cybersecurity issues. The country is still recovering from the SolarWinds scandal, in which Russian hackers broke into multiple US agencies and spent months inside the country’s most sensitive information systems. Nine government agencies were hacked, including the Department of State, the Department of Homeland Security, the National Institutes of Health, the Pentagon, the Department of the Treasury, the Department of Commerce, and the Department of Energy.

  • Deloitte launches new SaaS cyber threat detection and response platform

    Deloitte has launched a new threat detection and response platform for enterprise clients. 

    On Wednesday, the professional services giant said that the latest solution added to the Deloitte cybersecurity portfolio is called Managed Extended Detection and Response (MXDR), a Software-as-a-Service (SaaS) platform for “flexible, technology-enabled, human-powered security operations.”

    The MXDR SaaS solution aims to provide an “integrated, unified, composable and modular managed detection and response” suite to clients, including threat detection, response, and remediation capabilities. Cloud security workloads, zero trust identity management systems, insider threats, attack surface and vulnerability management, as well as log and analytics management, are included in the suite. Security operation centers in the US and FedRAMP-authorized centers worldwide manage the service 24/7, 365 days a year. According to Deloitte, MXDR was initially operationalized by AWS, CrowdStrike, Exabeam, Google Cloud Chronicle, ServiceNow, Splunk, and Zscaler. More vendors will contribute to MXDR as the product line evolves. “As threats become more frequent, sophisticated and impactful, leading organizations are considering creative, divergent approaches that meet attackers where they are, while simultaneously fortifying the defenses around their most important assets. But, the cost and complexity of consolidating, building and maintaining such cybersecurity infrastructure in-house can be high,” commented Curt Aubley, MXDR by Deloitte leader. “We designed Managed Extended Detection and Response by Deloitte to offer our clients access to a broad suite of industry-leading capabilities that align with their current and future cyber needs.”


  • Interpol and Nigerian police bust cybercrime BEC ring

    Interpol and the Nigerian Police Force (NPF) arrested 11 people allegedly involved in a “prolific” cybercrime ring known for running Business Email Compromise (BEC) scams that targeted thousands of companies around the world. 


    In a statement, the law enforcement agencies said the NPF and Interpol’s National Central Bureau in Nigeria coordinated to conduct the raids in Lagos and Asaba between December 13 and December 22. Some of those arrested are allegedly members of a cybercrime network called ‘SilverTerrier.’

    After the raids, police found one suspect with a laptop containing more than 800,000 potential victim domain credentials, and in total, the group was connected to BEC criminal schemes targeting more than 50,000 organizations. According to Interpol, one suspect was spying on conversations between 16 different companies and their clients, planning to eventually divert funds when transactions were about to be made. Interpol found other evidence implicating another person in a range of BEC crimes across Gambia, Ghana and Nigeria. More than six countries were involved in the effort, according to Interpol. Assistant Inspector General of Police Garba Baba Umar, head of NCB Abuja and Interpol Vice President for Africa, said Interpol’s alerts and technology helped them break up the cybercrime ring. “The outstanding results of Operation Falcon II have served to disrupt this dangerous cyber gang and protect Nigerian citizens from further attack. I encourage fellow African countries to also work with Interpol in ridding our continent of cybercrime to make the cyber world a safer place,” Umar said. Craig Jones, Interpol director of cybercrime, said the investigation into SilverTerrier has helped them build a “very clear picture of how such groups function and corrupt for financial gain.”

    “Thanks to Operation Falcon II, we know where and whom to target next,” Jones said. Palo Alto Networks’ Unit 42 and Group-IB’s APAC Cyber Investigations Team assisted Interpol and the NPF in the investigation, providing detailed examinations of the group’s activities. Palo Alto Networks released a blog post about the investigation with information about some members of SilverTerrier, noting that global losses from BEC scams grew to $1.8 billion in 2020, according to FBI statistics. “This recent operation was novel in its approach in that it didn’t target the easily identifiable money mules or flashy Instagram influencers who are typically seen benefiting from these schemes. Instead, it focused predominantly on the technical backbone of BEC operations by targeting the actors who possess the skills and knowledge to build and deploy the malware and domain infrastructure used in these schemes,” Palo Alto Networks explained. The company named six of those involved in SilverTerrier, tying each to a range of different BEC scams and to malware used during attacks, such as LokiBot, PredatorPain, ISRStealer, Pony, NanoCore, AzoRult, ISpySoftware, Agent Tesla and Keybase. Many of those identified had thousands of domains registered to their names or aliases, supporting other BEC actors. A number of those involved had been working on BEC scams since 2014 or 2015.

  • Singapore pushed to introduce security measures amidst online banking scams

    Banks and financial institutions in Singapore will have to implement new security measures mandated following a series of phishing SMS scams that wiped out the life savings of several victims. These measures include the removal of hyperlinks from email or SMS messages sent to consumers and a 12-hour delay in activating mobile software tokens. The Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) said in a statement Wednesday that the additional measures aimed to strengthen the security of digital banking, in light of the recent scams targeting bank customers.

    The SMS-phishing scams involved at least 469 customers of OCBC Bank and resulted in losses of more than S$8.5 million, with S$2.7 million lost over the recent three-day Christmas weekend alone. Several of the victims reportedly lost their life savings, including a 43-year-old man whose account was wiped of S$500,000, a 38-year-old software engineer who lost S$250,000, and a 33-year-old finance executive who had her account emptied of S$68,000.

    In these cases, scammers manipulated SMS Sender ID details to send messages that appeared to be from OCBC. These SMS messages prompted the victims to resolve issues with their accounts, redirecting them to phishing websites and instructing them to key in their bank login details, including username, PIN, and One-Time Password (OTP). Because OCBC’s legitimate Sender ID was successfully cloned and spoofed, these messages appeared in the same thread as previous alerts or notifications from the bank, leading victims to believe they were legitimate. Affected OCBC customers also expressed frustration over being put on hold when they tried to contact the bank’s hotline and have their accounts locked, after receiving notifications of payment transfers and requests to increase their transaction limits that they never made. “MAS expects all financial institutions to have in place robust measures to prevent and detect scams as well as effective incident handling and customer service in the event of a scam,” the regulator said in its statement. “The growing threat of online phishing scams calls for immediate steps to strengthen controls, while longer-term preventive measures are being evaluated for implementation in the coming months.”

    Local banks, in consultation with MAS, would work to implement more stringent measures within the next two weeks. These would include setting the default threshold for funds transfer transaction notifications at S$100 or lower, and triggering a notification to the existing mobile number or email address registered with the bank whenever a request is made to change a customer’s mobile number or email address.

    Banks also would have to set up dedicated and “well-resourced” customer assistance teams to deal with customer feedback on potential fraud cases, MAS said. The regulator added that further safeguards, such as enforcing a cooling-off period before requests for key account changes, including a customer’s contact details, should be implemented. In addition, banks would work closely with MAS, local law enforcement, and the Infocomm Media Development Authority (IMDA) to deal with the current “scourge of scams”. This would include working on more permanent measures to combat SMS spoofing, including the adoption of an SMS Sender ID registry by all relevant stakeholders, MAS said. “MAS is also intensifying its scrutiny of major financial institutions’ fraud surveillance mechanisms to ensure they are adequately equipped to deal with the growing threat of online scams,” it added. MAS’ managing director Ravi Menon said: “The threat of scams will not go away, but we can reduce our vulnerabilities. This requires a multi-pronged response across the ecosystem. MAS, together with the Police, IMDA, and other relevant government agencies, is working closely with the financial industry, the telco industry, consumer groups, and other stakeholders to strengthen our collective resilience against scam attacks. We will ensure that digital banking remains secure, efficient, and trusted.”

    OCBC on Wednesday said all customers affected by the SMS phishing scam would receive “full goodwill payouts” comprising the amount they lost. This came after its previous statement on Monday that it had begun to make “goodwill payouts” since January 8, but did not specify whether these covered the entire amount customers lost. The bank acknowledged its customer service and response “fell short” of customers’ expectations.

  • This new ransomware comes with a small but dangerous payload

    A new form of ransomware that uses discreet techniques to avoid detection before encrypting files and demanding payment in exchange for the decryption key could be linked to a notorious financial crime group. White Rabbit ransomware emerged in December 2021 with an attack against a US bank and has since been examined by cybersecurity researchers, who say that the ransomware appears to be connected to FIN8, a financially motivated cyber-criminal gang. 


    FIN8 was first identified in 2016 and typically targets point-of-sale (POS) systems with malware attacks designed to steal credit card information. Now it appears that FIN8 could be following the money and shifting towards ransomware campaigns. According to cybersecurity researchers at Trend Micro, White Rabbit uses tactics that have been seen before, most notably by Egregor: its payload binary requires a specific command-line password before it goes ahead with the ransomware encryption routine, a technique that allows the payload to remain undetected until it is executed. The payload is also hard to detect because the file is small, only 100KB, and appears to show no signs of activity. It contains strings for logging, something that could give away its malicious intent, but these can only be accessed with the correct password. In the sample analysed by Trend Micro, the password was ‘KissMe’, although the password could be different for each campaign. Like many other ransomware groups, White Rabbit uses double extortion, threatening to publish or sell data stolen from the compromised network if a ransom payment isn’t received. They also threaten to leak the data if the victim contacts the FBI about the attack.

    It’s not detailed how the cyber criminals behind White Rabbit initially compromise networks, but researchers note the use of Cobalt Strike, a penetration-testing tool, to gather information and move around affected systems. What has been detailed, by researchers at cybersecurity company Lodestone, is what appears to be a connection between White Rabbit and FIN8: they note that a malicious URL connected to the attack has previously been associated with FIN8 activity. In addition, Lodestone has identified White Rabbit being used alongside a never-before-seen version of Badhatch, a form of malware designed to create backdoors into compromised networks that is associated with previous FIN8 campaigns targeting point-of-sale systems. “Currently, we are still determining if FIN8 and White Rabbit are indeed related or if they share the same creator. Given that FIN8 is known mostly for its infiltration and reconnaissance tools, the connection could be an indication of how the group is expanding its arsenal to include ransomware,” Trend Micro wrote in a blog post. For financially motivated cyber criminals, a shift towards ransomware could be seen as desirable because of the amount of money that can be made from encrypting networks, which can reach millions of dollars. It isn’t without precedent: cybersecurity researchers have previously detailed how FIN11, an established financial crime group that previously focused on phishing and malware campaigns, changed tactics and switched to ransomware attacks.

  • Microsoft releases fix for patch that broke VPNs, Hyper-V virtual machines and more

    Microsoft has released several out-of-band updates to address features of Windows 11, Windows 10 and Windows Server broken by the January 2022 Patch Tuesday update. Microsoft released the separate fixes on Tuesday via the Microsoft Update Catalog for direct download, and via Windows Update as an optional update. 


    The Windows Update on January 11 was intended to address 96 security flaws but also brought a load of pain for users and admins. In release notes for the out-of-band fixes, Microsoft admits the January 2022 security updates broke some VPN connections, caused some Windows Server domain controllers to restart unexpectedly, and prevented virtual machines in Microsoft’s Hyper-V from starting. On top of this, users discovered a Windows Resilient File System (ReFS) issue that blocked access to volumes stored on removable media, including external USB drives.

    The issues affected the Windows 10 21H2 update (KB5009566), Windows 11 update (KB5009566), and Windows Server 2022 update (KB5009555), as well as the security updates for older versions of Windows and Windows Server. Microsoft has released fixes in the out-of-band updates KB5010795 for Windows 11, KB5010796 for Windows Server 2022, and KB5010793 for Windows 10 21H2, 21H1, 20H2 and 20H1, as detailed in its Windows release health dashboard.

    Updates are also available for all versions through to Windows 7 Service Pack 1 and Windows Server 2008 Service Pack 2. These are cumulative updates, meaning previous updates don’t need to be installed first. The VPN issue affected Windows 11 through to Windows 10 Enterprise 2015 LTSB and stemmed from IP Security (IPsec) connections that contain a Vendor ID failing. VPN connections using Layer 2 Tunneling Protocol (L2TP) or IPsec Internet Key Exchange (IKE) might also be affected, according to Microsoft. The issue causing Windows Server domain controllers (DCs) to restart affected Windows Server 2022 through to Windows Server 2012. Windows Server 2016 and later were more likely to be affected when DCs use Shadow Principals in an Enhanced Security Admin Environment (ESAE) or in environments with Privileged Identity Management (PIM), according to Microsoft. Hyper-V VMs were failing to start on devices with Unified Extensible Firmware Interface (UEFI) enabled on Windows 8.1, Windows Server 2012 R2 and Windows Server 2012. The ReFS issue caused removable volumes formatted with ReFS to fail to mount, or to mount as RAW. Its likely cause is that the ReFS file system isn’t supported on removable media, including external USB drives, according to Microsoft. The fix is also more involved than just installing the out-of-band patch: Microsoft recommends uninstalling the January 11 update and following several steps to recover data from the ReFS partition before installing the out-of-band update. The recovery steps include moving the data on the affected removable media to a ReFS volume on a different fixed device or to an NTFS volume. “After data is recovered from the ReFS partition on the removable media, install the January 17, 2022 Windows out-of-band update that is applicable for your Windows operating system,” Microsoft says.

    The issues that surfaced after Microsoft’s first Patch Tuesday for 2022 aren’t likely to inspire confidence amongst Windows admins, who have long been skeptical about the quality of Microsoft’s updates and whether it does sufficient testing before their release. As Ask Woody’s influential IT admin blogger Susan Bradley argued in 2020, Microsoft’s decision to roll up patches into one big bundle on the second Tuesday of every month requires admins to place a great deal of trust in the company. That trust is eroded if applying the updates results in lost productivity from buggy patches.


  • Zoom vulnerabilities impact clients, MMR servers

    Two vulnerabilities recently disclosed to Zoom could have led to remote exploitation in clients and MMR servers, researchers say. 

    On Tuesday, Project Zero researcher Natalie Silvanovich published an analysis of the security flaws, the results of an investigation inspired by a zero-click attack against the videoconferencing tool demonstrated at Pwn2Own. “In the past, I hadn’t prioritized reviewing Zoom because I believed that any attack against a Zoom client would require multiple clicks from a user,” the researcher explained. “That said, it’s likely not that difficult for a dedicated attacker to convince a target to join a Zoom call even if it takes multiple clicks, and the way some organizations use Zoom presents interesting attack scenarios.” Silvanovich found two different bugs: a buffer overflow that impacted both Zoom clients and Zoom Multimedia Routers (MMRs), and an information leak centred on MMR servers. A lack of Address Space Layout Randomization (ASLR), a security mechanism that protects against memory corruption attacks, was also noted. “ASLR is arguably the most important mitigation in preventing exploitation of memory corruption, and most other mitigations rely on it on some level to be effective,” Silvanovich noted. “There is no good reason for it to be disabled in the vast majority of software.”

    As MMR servers process call content including audio and video, the researcher says the bugs are “especially concerning”: with a compromised server, any virtual meeting without end-to-end encryption enabled would have been exposed to eavesdropping.

    The researcher did not complete the full attack chain, but suspects that a determined attacker could do so given time and “sufficient investment.” The vulnerabilities were reported to the vendor and patched on November 24, 2021. Zoom has since enabled ASLR.

    It was possible to find these bugs because Zoom allows clients to set up their own servers; however, the “closed” nature of Zoom, which does not include the open source components (such as WebRTC or PJSIP) that many comparable tools do, made security vetting more difficult. For the Project Zero team, this meant paying close to $1500 in licensing fees, an expense that others, including independent researchers, may not be able to afford. “These barriers to security research likely mean that Zoom is not investigated as often as it could be, potentially leading to simple bugs going undiscovered,” Silvanovich said. “Closed-source software presents unique security challenges, and Zoom could do more to make their platform accessible to security researchers and others who wish to evaluate it.” In November, Zoom implemented automatic updates for the software’s desktop clients on Windows and macOS, as well as on mobile. This feature was previously only available to enterprise users.
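The ASLR finding above comes down to flags the linker writes into a Windows executable’s header, so a defender can audit a deployed client or server image for it without running anything. The script below is an added example, not code from Project Zero, Zoom or ZDNet: it parses the DOS, COFF and optional headers of a PE image, reads the DllCharacteristics word, and reports whether the image opts into ASLR (DYNAMIC_BASE), 64-bit high-entropy ASLR (HIGH_ENTROPY_VA) and DEP (NX_COMPAT). It also treats an image whose relocations were stripped (IMAGE_FILE_RELOCS_STRIPPED) as not relocatable, because the loader cannot move such an image even if DYNAMIC_BASE is set. The `build_header` helper constructs minimal sample headers inline so the script runs offline; `check_file` is the same check over a real file on disk.

```python
import struct

# Flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001                 # COFF header Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020   # optional header DllCharacteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
PE32_PLUS_MAGIC = 0x020B


def aslr_status(data: bytes) -> dict:
    """Parse the PE headers of an image and report its ASLR-related flags."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = pe_offset + 4
    (_machine, _nsections, _stamp, _symptr, _nsyms,
     opt_size, file_chars) = struct.unpack_from("<HHIIIHH", data, coff)
    if opt_size < 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    # DllCharacteristics is at offset 70 of the optional header for both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)

    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32_plus": magic == PE32_PLUS_MAGIC,
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        # The loader can only randomize the base if the image asked for it AND kept its relocations.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def build_header(dll_chars: int, file_chars: int = 0) -> bytes:
    """Constructed sample: a minimal PE32+ header (no sections) carrying the given flags."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew -> 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, file_chars)
    opt = struct.pack("<H", PE32_PLUS_MAGIC) + b"\0" * 68 + struct.pack("<H", dll_chars)
    opt += b"\0" * (240 - len(opt))
    return dos + b"PE\0\0" + coff + opt


def check_file(path: str) -> dict:
    """Run the same check over a real image on disk (hypothetical path supplied by the caller)."""
    with open(path, "rb") as fh:
        return aslr_status(fh.read())


if __name__ == "__main__":
    hardened = build_header(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                            | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
                            | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    print("hardened sample :", aslr_status(hardened))
    print("no-ASLR sample  :", aslr_status(build_header(0)))
    print("relocs stripped :", aslr_status(build_header(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE,
                                                        IMAGE_FILE_RELOCS_STRIPPED)))
```

The result describes what the image asks for, not what the OS will do: Windows can force ASLR through process mitigation policy, and macOS (PIE) and Linux (ET_DYN) builds of the same product need their own checks, so a missing flag is a finding to confirm in the deployed environment rather than a final verdict.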

  • FBI warning: Crooks are using fake QR codes to steal your passwords and money

    QR codes are useful shortcuts to online resources via a phone’s camera, but scammers are now tampering with them to direct victims to phishing pages and cryptocurrency scams. QR or ‘Quick Response’ codes have been connecting scanners to real-world objects since the 1990s, but got widely adopted during the pandemic as businesses moved to contactless communication and payments via QR codes on restaurant menus, parking meters and other public spaces. 


    But scammers are now exploiting the QR code’s increased familiarity by tampering with the pixelated barcodes and redirecting victims to sites that steal logins and financial information, according to an FBI alert. “Businesses use QR codes legitimately to provide convenient contactless access and have used them more frequently during the COVID-19 pandemic. However, cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim’s device, and redirecting payment for cybercriminal use,” the FBI notes in its alert. The alert doesn’t cite any recent examples of QR scams, but it follows the use of QR codes in phishing emails to steal Microsoft 365 credentials in October. The QR codes were useful to attackers because the barcode images bypassed email filters that use URL scanners to block malicious links. The FBI in October said it had recently started to receive reports about malicious QR codes being used, particularly in cryptocurrency scams. “Crypto transactions are often made through QR codes associated with crypto accounts… making these transactions easy marks,” the FBI noted.

    “Do not scan a randomly found QR code,” the FBI warned. Ars Technica reported on scammers placing fraudulent QR code stickers on parking meters in major Texas cities, aiming to trick people into paying for parking through a fraudulent website. The social engineering element was that parking meter terminals today frequently carry signs with QR codes directing users to a non-city, third-party parking payment app. The FBI’s alert addresses this type of scam, too: “A business provides customers with a QR code directing them to a site where they can complete a payment transaction. However, a cybercriminal can replace the intended code with a tampered QR code and redirect the sender’s payment for cybercriminal use.” QR codes can also load malware to steal financial information and then withdraw funds from victim accounts, the FBI warns.

    There are parallels between email phishing and malicious QR codes stuck up in public spaces: how do people know which ones to trust? Employee cyber-awareness training usually tells users not to click on links in unsolicited email, but they still do. Some of the FBI’s self-defense advice warns against common practices when using a QR code, but the overall message is to exercise caution when entering information on a website reached via a QR code. “Law enforcement cannot guarantee the recovery of lost funds after transfer,” it warns.

    The FBI’s tips for smartphone users include: check the URL after scanning a QR code, because it may only look like the legitimate site; be careful when entering credentials or financial information on a site visited via a QR code; avoid downloading an app from a QR code and instead use an official app store; and if an organization sends a bill by email that allows payment through a QR code, call the organization to verify its authenticity. Also, don’t download a QR code scanner, because most phones have one built into the camera. (The iPhone got one in 2011 in iOS 11, with Android makers quickly following suit.) Finally, avoid making payments through a site reached from a QR code, the FBI warns. Instead, manually enter a known and trusted URL to complete the payment.
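The first of those tips, checking the URL after the scan, is where most of the FBI’s guidance converges, and it can be turned into a small check that a scanning app, a kiosk operator or a help desk could run on a decoded payload. The function below is an added example, not the FBI’s or ZDNet’s code; the `bank.example` and `city-parking.example` allowlist hosts are reserved placeholder names and every sample URL is constructed. It flags the patterns the article describes: a trusted brand name embedded in an unrelated host (the sticker-swap lure), http instead of https, a raw IP address as the host, credentials (`user@`) placed before the host to disguise it, and punycode labels that can hide look-alike characters.

```python
import ipaddress
from typing import Iterable, List
from urllib.parse import urlsplit


def assess_qr_url(url: str, trusted_hosts: Iterable[str]) -> List[str]:
    """Return reasons to distrust a URL decoded from a QR code (empty list = nothing suspicious)."""
    findings: List[str] = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # QR payloads can also be tel:, mailto: or wallet URIs; only web URLs are assessed here.
        return [f"non-web scheme '{scheme or '(none)'}'"]
    if scheme != "https":
        findings.append("plain http, not https")
    if parts.username is not None:
        findings.append("userinfo ('user@') before the host can disguise the real site")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        findings.append("no host in URL")
        return findings
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a host name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible look-alike characters)")

    trusted = {t.lower() for t in trusted_hosts}
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return findings  # exactly a known site, or a subdomain of one
    # A known name appearing inside an unknown host (bank.example.pay-now.test) is the
    # sticker-swap lure: it reads like the real site but resolves somewhere else.
    impostor = next((t for t in trusted if t in host or t.split(".")[0] in host), None)
    if impostor:
        findings.append(f"looks like {impostor} but actually leads to {host}")
    else:
        findings.append(f"{host} is not a known site; type the address you trust instead")
    return findings


if __name__ == "__main__":
    KNOWN = ["bank.example", "city-parking.example"]       # constructed allowlist
    SAMPLES = [                                             # constructed decoded QR payloads
        "https://pay.bank.example/invoice/42",
        "http://bank.example.secure-login.test/verify",
        "https://203.0.113.10/pay",
        "https://bank.example@evil.test/",
        "tel:+15551234567",
    ]
    for sample in SAMPLES:
        verdict = assess_qr_url(sample, KNOWN) or ["nothing suspicious"]
        print(sample, "->", "; ".join(verdict))
```

An empty result only means the address matches a site you already trust; it says nothing about the page behind it, which is why the FBI’s last tip (type the known URL yourself rather than paying through the scanned one) still applies.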