More stories

  •

    APAC firms face growing cyberattacks, take more than a week to remediate

    More organisations across six Asia-Pacific markets have been breached this past year, with an average of 60.83% needing more than a week to remediate these cybersecurity attacks. They cite lack of budget and skills as key challenges, and express frustration over an apparent lack of understanding about how tough it is to manage cybersecurity risks.

    Some 68% of respondents in a Sophos study said they had been successfully breached this past year, up from 32% in 2019. Amongst those that were breached, 55% said they suffered “very serious” or “serious” data loss, revealed the survey, which was conducted by Tech Research Asia and polled 900 businesses (each with at least 150 employees) in Singapore, India, Japan, Malaysia, Australia, and the Philippines. In addition, 17% faced more than 50 cyber attacks each week. In Singapore, for instance, almost 15% had to deal with at least 50 attempted security attacks or mistakes per week. Some 28% in the city-state were successfully breached in the past year, with 33% describing the resulting data loss as very serious or serious.

    While Singapore had the fewest respondents that were breached, 75% said they needed at least a week to remediate the cyber attack, the highest proportion across the region. Some 68% of their Australian counterparts admitted to also taking more than a week to remediate cyber attacks, as did 65% in India, 64% in Malaysia, 55% in the Philippines, and 38% in Japan. Japanese organisations, in fact, were able to recover the fastest from a breach, with 62% needing under a week to do so.

    Across the region, respondents pointed to ransomware, malware, and phishing as the top three security threats. They also cited poorly designed or vulnerable supplier systems as a top risk they expected in 2023, fuelled in part by concerns they might be targeted as a result of third-party vulnerabilities and of security and other technology vendors being breached. Some 53% acknowledged they also were ill-prepared for the security requirements brought about by the abrupt need to support remote work amidst the COVID-19 pandemic. In spite of this, 54% had yet to update their cybersecurity strategy in the past year, up 3% from 2019.

    When asked if they had a team that could detect and manage security threats, just 52% replied positively, up from 50% in 2019. For 75% in Singapore, the pandemic was the biggest driver for their organisation to upgrade their security tools and strategy in the past year.

    The study further revealed that respondents were most frustrated over assumptions within the organisation that cybersecurity was easy to manage and threats exaggerated. They also expressed exasperation over the lack of budget to deal with threats and the inability to employ adequate security professionals. Some 59% acknowledged their company’s lack of cybersecurity skills was challenging, with 62% struggling to recruit the necessary skillsets. In addition, 59% said their cybersecurity budget was insufficient. Another 67% said they faced difficulties keeping abreast of the cybersecurity landscape.

    Sophos’ global solutions engineer Aaron Bugal said the “disturbing attitude” that cybersecurity incidents were exaggerated needed to be addressed. “It is confounding that this attitude prevails even when the end of 2020 showed us just how bad a global supply-chain attack could be,” Bugal said. “If that wasn’t enough, the more recent zero-day vulnerabilities in widely deployed email platforms demonstrate the desperate need for unification when it comes to cyber resilience. Everybody needs to play a part, and to play a part, we all need to understand the risk.”

  •

    Australian telcos have blocked over 55 million scam calls since December

    Communications Minister Paul Fletcher said on Tuesday that Australian telcos have blocked over 55 million scam calls since the industry got a new scam call code in December. Under the code, telcos need to block not only calls originating in their networks, but also those transiting the network. Carriers are required to look for characteristics of scam calls, share information with other telcos and regulators, block numbers being used for scams, including those from overseas, and take measures to combat number spoofing.

    “In 2020, Australians lost AU$48 million to scam calls,” Fletcher said. “The Morrison government is serious about tackling scams and it is pleasing to see that more than 55 million scam calls have been blocked as a result of the Reducing Scam Calls Code.”

    When the code was introduced, ACMA said telcos had blocked over 30 million scam calls in the year prior. Last month, Telstra said it was blocking approximately 6.5 million suspected scam calls a month, at times up to 500,000 a day, after automating a formerly manual process that had blocked around 1 million scam calls monthly. The system that Telstra built in-house forms the third leg of its Cleaner Pipes program. In May, the company kicked off with DNS filtering to fight botnets, trojans, and other types of malware, and extended it to blocking phishing text messages purporting to be from myGov or Centrelink before they hit customers’ phones.

    “If you think you are receiving a scam call, our simple advice is: Hang up,” Telstra CEO Andy Penn advised customers.

    Elsewhere in the scam space, the ACCC said Australian businesses had reported losing more than AU$14 million to payment redirection or business email compromise scams to Scamwatch, with losses in 2021 on track to be five times higher. In a business email compromise scam, the attacker tricks the victim into transferring funds into the attacker’s account, sometimes by impersonating a legitimate customer or supplier, pretending to be the boss demanding an urgent transfer of funds, or simply sending fake invoices.

    “Scammers tend to target new or junior employees, or even volunteers, as they are less likely to be familiar with their employer’s finance processes or the types of requests to expect from their supervisors,” ACCC deputy chair Delia Rickard said. “We recommend organisations ensure their staff are well trained in the company’s payment processes and remain aware of payment redirection scams.” Rickard added that people should not rush and should double-check that an email is legitimate. “Whenever there is a request to change payment details, always check with the organisation using stored contact details, rather than those in the requesting communication,” the deputy chair said.

  •

    Billions of records have been hacked already. Make cybersecurity a priority or risk disaster, warns analyst

    This unprecedented boom in attacks can be in part attributed to the COVID-19 pandemic.  
    More data records have been compromised in 2020 alone than in the past 15 years combined, in what is described as a mounting “data breach crisis” in the latest study from analysis firm Canalys. Over the past 12 months, 31 billion data records have been compromised, found Canalys. This is up 171% from the previous year, and constitutes well over half of the 55 billion data records that have been compromised in total since 2005. Cases of ransomware – a specific type of attack that encrypts servers and data to block access to a computer system until a sum of money is paid – have been on the rise, with the number of reported incidents up 60% compared to 2019. 

    “Prioritize cybersecurity and invest in broadening protection, detection and response measures or face disaster,” said Canalys chief analyst Matthew Ball.

    According to Canalys, this unprecedented boom in attacks can be in part attributed to the COVID-19 pandemic, which forced organizations across the world to digitize at pace, without putting enough thought into the new security requirements that come with doing business online. Retailers had to switch to online selling, while the hospitality sector turned to new platforms for home delivery, and manufacturers digitized supply chains to improve the accuracy of production lines. Meanwhile, organizations across the globe switched entire workforces to WFH almost overnight: the number of employees working remotely, in fact, has jumped from 31 million before the pandemic to just under 500 million. To keep businesses afloat, money was invested in digital technologies and the cloud, to move processes online and adapt to new ways of working. Cybersecurity concerns, however, were all too often put on hold, noted Canalys.

    “Organizations had to implement business continuity measures quickly in response to the COVID-19 pandemic or risk going out of business,” reads the report. “These measures were often at the expense of cybersecurity and bypassed longstanding corporate policies, leaving many exposed to exploitation by highly organized and sophisticated threat actors, as well as other more opportunistic hackers. For many, cybersecurity was an afterthought, as they had to focus primarily on staying in business.”

    The fast-paced digitization of business, in effect, has opened up many new attack vectors for threat actors to exploit. With employees now accessing company information from many different locations, and more data being stored and processed outside of traditional, office-based IT environments, new security measures are needed. Yet businesses do not seem to have taken this seriously enough. While investment in cybersecurity grew by up to 10% compared to the previous year, other priorities took precedence: cloud services grew 33%, for example, while cloud software services grew 20% during the same period. Investment in cybersecurity also compares poorly to the growth of collaboration tools, remote desktops, notebook PCs and even home printing. In other words, the pace of digital transformation was not matched by sufficient safeguarding of networks against cyber threats. A similar observation was recently made by the head of the UK’s National Cyber Security Centre (NCSC), Lindy Cameron, who reiterated that CEOs should treat cybersecurity with the same importance as finance, legal, or any other key department of the company.

    But although the global health crisis largely contributed to the rise of such attacks, Canalys notes that the trend is not limited to the pandemic. COVID-19 only accelerated a worrying pattern that was already emerging in previous years: in 2019, for instance, the number of compromised data records had already increased by 200% compared to the previous year. Datasets are getting larger, and organizations are collecting increasingly sensitive information about their customers, either as part of their digital transformation or to personalize products and services. At the same time, threat actors are becoming ever more successful, for example using automated bots to drive sophisticated attacks. Canalys, as a result, called for business executives to change their mindset from “if” a breach will affect their company to “when”. “Prioritize cybersecurity and invest in broadening protection, detection and response measures or face disaster,” concludes the report. “This is the stark reality for organizations in 2021. For many, it is too late.”

  •

    Official PHP Git server targeted in attempt to bury malware in code base

    The official PHP Git server has been compromised in a potential attempt to plant malware in the code base of the PHP project. 

    On Sunday, PHP programming language developer and maintainer Nikita Popov said that two malicious commits were added to the php-src repository in both his name and that of PHP creator Rasmus Lerdorf. The malicious commits, which were committed under the names of Popov and Lerdorf, were disguised as trivial fixes for typographical errors. However, rather than escaping detection by appearing benign, contributors who took a closer look at the “Fix typo” commits noticed malicious code that executed attacker-supplied code carried in the User-Agent HTTP header whenever the header value began with a string referencing Zerodium. As noted by Bleeping Computer, the code appears to be designed to implant a backdoor and create a scenario in which remote code execution (RCE) may be possible.

    Popov said the development team is not sure exactly how the attack took place, but clues indicate that the official git.php.net server itself was likely compromised, rather than individual Git accounts. A comment, “REMOVETHIS: sold to zerodium, mid 2017,” was included in the script. There is no indication, however, that the exploit broker has any involvement in the cyberattack.
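    The trigger condition described above is concrete enough to hunt for. The following is an added example, not code from the PHP project or from the article: a scanner over captured raw HTTP requests (as a reverse proxy or WAF would record them) that reports any request whose User-Agent value begins with the Zerodium string, returning the text the planted code would have handed to eval. The sample requests are constructed. The second header name it watches, the misspelled “User-Agentt”, is what later analyses of the commit reported as the real trigger; that detail is not on this page and is included here as an assumption. One practical caveat follows from it: a standard combined-format access log records only the User-Agent header, so if the trigger really was a differently named header, access logs alone would never show the attempt, and only full request-header capture would.

```python
"""Detect attempts to trigger the backdoor planted in php-src.

The article describes the planted code as executing attacker-supplied code
carried in the User-Agent HTTP header when that header began with a string
referencing Zerodium. This scanner walks captured raw HTTP request heads (as
a reverse proxy or WAF would log them) and reports requests that satisfy that
trigger. Everything below is constructed for this example.
"""

TRIGGER = "zerodium"

# Header names to inspect. "user-agentt" (double t) is the misspelled header
# that later analyses of the commit reported as the real trigger; it is an
# assumption here, not something stated in the article.
WATCHED_HEADERS = ("user-agent", "user-agentt")


def parse_request(raw: str):
    """Split a raw HTTP/1.x request head into (request_line, {name: value}).

    Header names are lower-cased so lookups are case-insensitive, as they are
    in PHP's $_SERVER['HTTP_*'] mapping.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # malformed header line: ignore rather than abort the sweep
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def trigger_payload(headers):
    """Return the text the backdoor would have evaluated, or None if no trigger.

    Applies the rule the article states: the header value begins with the
    trigger string. The comparison is case-insensitive as a conservative choice.
    """
    for name in WATCHED_HEADERS:
        value = headers.get(name)
        if value is not None and value.lower().startswith(TRIGGER):
            return value[len(TRIGGER):].strip()
    return None


def scan_requests(raw_requests):
    """Return a list of {"request": ..., "payload": ...} for triggering requests."""
    findings = []
    for raw in raw_requests:
        request_line, headers = parse_request(raw)
        payload = trigger_payload(headers)
        if payload is not None:
            findings.append({"request": request_line, "payload": payload})
    return findings


# Constructed sample traffic: one benign request, two trigger attempts (one via
# each header name), and one request that merely mentions the word.
SAMPLE_REQUESTS = [
    "GET /index.php HTTP/1.1\r\nHost: www.example.test\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: www.example.test\r\n"
    "User-Agent: zerodium system('id');\r\n\r\n",
    "POST /login.php HTTP/1.1\r\nHost: www.example.test\r\n"
    "User-Agentt: ZERODIUM file_put_contents('/tmp/x', 'y');\r\n"
    "Content-Length: 0\r\n\r\n",
    "GET /about.php HTTP/1.1\r\nHost: www.example.test\r\n"
    "User-Agent: research-scanner (zerodium-check)\r\n\r\n",
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(f"{finding['request']}  ->  payload: {finding['payload']!r}")
```

    The scanner applies the “begins with” rule exactly as the article states it. If the planted check turned out to be a looser substring match, `trigger_payload` should be loosened to match; the fourth sample request is where the two rules differ, and it is reported only under the looser one.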

    Zerodium’s chief executive Chaouki Bekrar labeled the culprit a “troll,” commenting that “likely, the researcher(s) who found this bug/exploit tried to sell it to many entities but none wanted to buy this crap, so they burned it for fun.”

    The commits were detected and reverted before they made it downstream or impacted users. An investigation into the security incident is now underway and the team is scouring the repository for any other signs of malicious activity. In the meantime, however, the development team has decided now is the right time to move permanently to GitHub.

    “We have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server,” Popov said. “Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net.” Developers with previous write access to the project’s repositories will now need to join the PHP group on GitHub.

    The security incident can be described as a supply-chain attack, in which threat actors target an open source project, library, or another component that is relied upon by a large user base. By compromising one core target, it may then be possible for malicious code to trickle down to a wide-reaching number of systems. A recent example is the SolarWinds fiasco, in which the vendor was breached and a malicious update for its Orion software was planted. Tens of thousands of organizations received the malicious update, and a number of them, including Microsoft, FireEye, and Mimecast, were compromised.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  •

    US charges close to 500 individuals for COVID-19 fraud, criminal activity

    The US Department of Justice (DoJ) has charged 474 individuals for participating in COVID-19 scams and fraudulent activity. 

    To some cybercriminals, the coronavirus pandemic is nothing more than an opportunity for profit. We’ve seen everything from fake COVID ‘treatments’ and protective equipment suppliers touting their goods online to phishing email and text vaccine appointment campaigns, and now dubious vendors are going so far as to try and sell counterfeit vaccines and proof-of-vaccination documents in the underground. Law enforcement worldwide has tried to clamp down on such activities, and organizations including the World Health Organization (WHO) are constantly releasing advice on the latest scams.

    In an update published last week, the DoJ said that 474 defendants to date have been publicly charged “with criminal offenses based on fraud schemes connected to the COVID-19 pandemic.” The US agency says that these alleged criminals are responsible for trying to fraudulently obtain at least $569 million from consumers and the US government itself across 56 federal districts.

    Investigations conducted by law enforcement have revealed a variety of scams, including operations targeting the US Paycheck Protection Program (PPP), Economic Injury Disaster Loan (EIDL) program, and Unemployment Insurance (UI) scheme, all designed to assist businesses and citizens during the pandemic. In total, 120 individuals have been charged with PPP fraud, including:

      • Business owners inflating payroll expenses to secure large loans
      • Shell company creators with no actual payroll applying for financial help
      • Organized criminal gangs submitting carbon-copy applications for loans under the names of different companies

    One of the department’s latest COVID-19-related convictions centered on Dinesh Sah, a resident of Coppell, Texas. The 55-year-old pleaded guilty last week to conducting fraud to obtain $24.8 million in PPP loans and laundering the payments. When it comes to EIDL, designed to provide SMB loans, criminals have also applied for assistance on behalf of non-existent, new, and shell companies.

    UI fraud is rife, too, with at least 140 individuals suspected of committing these activities. The DoJ says suspects range from “identity thieves to prison inmates” who have used stolen identities to apply for unemployment benefits. In one case, a defendant from Virginia pleaded guilty to obtaining close to half a million dollars on behalf of individuals ineligible for UI, including those currently incarcerated.

    “We will not allow American citizens or the critical benefits programs that have been created to assist them to be preyed upon by those seeking to take advantage of this national emergency,” said Acting Assistant Attorney General Brian Boynton of the DoJ’s Civil Division. “We are proud to work with our law enforcement partners to hold wrongdoers accountable and to safeguard taxpayer funds.”

    In other coronavirus news, Facebook has frozen a page belonging to Venezuelan President Nicolás Maduro for repeatedly breaking the social media giant’s rules on COVID-19 misinformation, including the promotion of fake herbal cures for the disease. As a result, the Venezuelan official will be unable to post for 30 days. False coronavirus claims were previously deleted and hidden by Facebook and Twitter after being published by former US President Donald Trump.

  •

    This Android malware hides as a System Update app to spy on you

    A new, “sophisticated” Android spyware app disguising itself as a software update has been discovered by researchers. 
    According to Zimperium zLabs, the malware masquerades as a System Update application while quietly exfiltrating user and handset data. It should be noted that the sample app detected by the team was found on a third-party repository and not the official Google Play Store.

    Once installed, the victim’s device is registered with a Firebase command-and-control (C2) server used to issue commands, while a separate, dedicated C2 is used to manage data theft. The team says that data exfiltration is triggered once a condition has been met, such as the addition of a new mobile contact, the installation of a new app, or receipt of an SMS message.

    The malware is a Remote Access Trojan (RAT) able to steal GPS data and SMS messages, contact lists, and call logs, harvest images and video files, covertly record audio from the microphone, hijack the device’s camera to take photos, review browser bookmarks and history, eavesdrop on phone calls, and steal operational information about the handset, including storage statistics and lists of installed applications. Instant messenger content is also at risk, as the RAT abuses Accessibility Services to read these apps, including WhatsApp.

    If the victim device has been rooted, database records can also be taken. The app can also search specifically for file types such as .pdf, .doc, .docx, .xls, and .xlsx. 

    The RAT will also attempt to steal files from external storage. However, because some content, such as videos, can be too large to steal without noticeably affecting connectivity, only thumbnails are exfiltrated for those. “When the victim is using Wi-Fi, all the stolen data from all the folders are sent to the C2, whereas when the victim is using a mobile data connection, only a specific set of data is sent to C2,” the researchers note. Limiting the use of mobile connectivity is a way to keep users from suspecting their device has been compromised. In addition, as soon as information has been packaged up and sent to the C2, the archive files are deleted in an effort to stay undetected.

    To make sure only relevant and recent data is taken, the RAT’s operators have imposed freshness limits on content: GPS data, for example, is collected again whenever the most recently stolen records are more than five minutes old, and photos are subject to a 40-minute window. Zimperium describes the malware as part of a “sophisticated spyware campaign with complex capabilities.”

    Earlier this month, Google pulled a number of Android apps from the Play Store that contained a dropper for banking Trojans. The utility applications, including a virtual private network (VPN) service, a recorder, and a barcode scanner, were used to install mRAT and AlienBot.

  •

    Brian Krebs: No, I didn’t hack your Microsoft Exchange server

    The KrebsOnSecurity name has been invoked in a string of cyberattacks linked to critical Microsoft Exchange Server vulnerabilities. 


    Security expert Brian Krebs of KrebsOnSecurity is no stranger to figures in the criminal space who appear to delight in everything from turning him into a meme, launching denial-of-service (DoS) attacks against his website, and SWATing, hoax calls made to law enforcement that not only waste police time but can also be dangerous. Now, a domain similar to the legitimate KrebsOnSecurity security resource has been connected to threat actors exploiting a set of critical bugs in Microsoft Exchange Server.

    According to a new report released by the Shadowserver Foundation, 21,248 recently compromised Microsoft Exchange servers are communicating with brian[.]krebsonsecurity[.]top. Krebs says that the compromised systems appear to have been hijacked, with Babydraco backdoors facilitating communication to the malicious domain. In each case a web shell, used for remote access and control, is deployed at a previously unseen path, /owa/auth/babydraco.aspx. In addition, a malicious file named “krebsonsecurity.exe” is fetched via PowerShell to facilitate data transfers between the victim server and the domain.

    “The motivations of the cybercriminals behind the Krebonsecurity dot top domain are unclear, but the domain itself has a recent association with other cybercrime activity — and with harassing this author,” Krebs commented.

    Microsoft released emergency patches to tackle four zero-day vulnerabilities in Exchange Server 2013, 2016, and 2019 on March 2. The security flaws can be exploited for remote code execution and server takeover. A selection of mitigation tools has also been released for IT administrators who cannot immediately patch their deployments, and at last count, the Redmond giant says that roughly 92% of internet-facing Exchange servers have been either patched or mitigated.

    However, just because a fix has been applied does not mean that a server was not already compromised before it was patched, so security checks and audits also have to be conducted. Last week, Microsoft warned of follow-on attacks after the widespread Exchange server hijacking, including reconnaissance, cryptocurrency mining operations, and ransomware deployment. “Many of the compromised systems have not yet received a secondary action, such as human-operated ransomware attacks or data exfiltration, indicating attackers could be establishing and keeping their access for potential later actions,” the company said. The US Cybersecurity and Infrastructure Security Agency (CISA) has also issued an alert warning organizations of web shell deployment on Exchange servers post-exploitation. Microsoft has published indicators of compromise (IoCs) for the campaign.
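    One concrete form of the post-patch audit the article calls for, written here as an added example rather than anything Microsoft, CISA or Krebs published: walk an Exchange installation tree and flag files that match the two indicators named above (babydraco.aspx and krebsonsecurity.exe), plus any .aspx file under the OWA or ECP front-end directories that is not in a baseline of known-good file names. The directory layout, the baseline and the files are constructed in a temporary directory for this example; on a real server the baseline should come from a clean install of the same Exchange build, and the front-end paths assumed here should be checked against the actual install location.

```python
"""Hunt for web shells dropped on an Exchange server after exploitation.

Patching closes the door; it does not evict anyone who already walked in.
This example walks a filesystem tree and reports (a) files whose names match
the indicators quoted in the article and (b) .aspx files under the OWA/ECP
front-end directories that are absent from a baseline of expected names.
The tree, the baseline and the paths are all constructed for this example.
"""
import os
import tempfile

# File names quoted in the article as indicators of the Babydraco activity.
IOC_FILENAMES = {"babydraco.aspx", "krebsonsecurity.exe"}

# Front-end web directories where post-exploitation web shells were dropped.
# Paths are relative to the Exchange install root and are an assumption.
WEB_ROOTS = (
    os.path.join("FrontEnd", "HttpProxy", "owa", "auth"),
    os.path.join("FrontEnd", "HttpProxy", "ecp"),
)


def hunt(root, baseline):
    """Return a sorted list of (relative_path, reason) for suspicious files.

    Paths are normalised to forward slashes so results are stable across OSes.
    """
    findings = []
    baseline_lower = {name.lower() for name in baseline}
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        in_web_root = any(rel_dir.lower().startswith(w.lower()) for w in WEB_ROOTS)
        for name in files:
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            lname = name.lower()
            if lname in IOC_FILENAMES:
                findings.append((rel, "matches published indicator"))
            elif in_web_root and lname.endswith(".aspx") and lname not in baseline_lower:
                findings.append((rel, "unexpected .aspx outside baseline"))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed Exchange-like layout in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="exch-hunt-")
    sample_files = {
        os.path.join(WEB_ROOTS[0], "logon.aspx"): "expected page",
        os.path.join(WEB_ROOTS[0], "errorFE.aspx"): "expected page",
        os.path.join(WEB_ROOTS[0], "babydraco.aspx"): "dropped web shell placeholder",
        os.path.join(WEB_ROOTS[1], "help.aspx"): "page not in baseline",
        os.path.join("ClientAccess", "owa", "readme.txt"): "not a web handler",
        os.path.join("Bin", "krebsonsecurity.exe"): "dropped binary placeholder",
    }
    for rel, content in sample_files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


# Constructed baseline: the .aspx names a clean install is assumed to ship.
SAMPLE_BASELINE = {"logon.aspx", "errorFE.aspx"}

if __name__ == "__main__":
    sample_root = build_sample_tree()
    for path, reason in hunt(sample_root, SAMPLE_BASELINE):
        print(f"{path}: {reason}")
```

    The name matches are the cheap part and are trivially evaded by renaming; the baseline comparison is what survives a renamed shell, and on a real server it should be paired with a hash comparison against a clean build and a review of the IIS logs for requests to any flagged path.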

  •

    Optus puts McAfee monitoring on its home router for WiFi Secure

    Optus has announced its WiFi Secure product, which uses active monitoring by McAfee software running on home routers in an attempt to block malware and other malicious threats. The telco said that as the number of internet-connected devices in the home continues to rise, there has been a growing need to “automatically protect” those potential threat vectors. “It’s built into the Optus compatible modems and helps to make sure all internet traffic passing through the modem, to any device on that network, is safe — even those without a display screen,” Optus said. Optus customers on a family plan will get the blocking at no additional cost; otherwise WiFi Secure will cost AU$5 a month.

    The software on the router is connected to the McAfee Global Threat Intelligence Cloud Network and is claimed not to receive any personally identifiable information. ZDNet has asked whether the router fails gracefully if the McAfee cloud is not reachable. “Based on activity from millions of sensors worldwide and a dedicated research team, this always-on, cloud-based threat intelligence service collects and publishes online threats that are uploaded to your network every minute to provide you and your family the latest protection,” the telco said.

    Taking another route, Australian incumbent telco Telstra has been using upstream DNS filtering, phishing text, and scam call blocks to fight malicious threats.

    Dubbed Cleaner Pipes, the DNS side of the initiative focuses on blocking command-and-control communications of botnets, the downloading of remote access trojans, and other forms of malware.