Information Technology

A new 02 scam targeting customers in the United Kingdom is offering ridiculous discounts and phone plans in return for your one-time security codes. 

Having been the recipient of a cold call from a delightful scam artist today, I’ll hand it to them: the lure is strong. At a time when the cost of living is rising in the United Kingdom, many of us are worried about the looming energy price cap disaster, and finances are often stretched thin — the prospect of being the lucky customer eligible for a discount of 35% to 40% on your phone plan is an attractive one.  At least, that’s what the very nice man on the end of the phone tried to sell me.  The phone call came from Ballygawley in Northern Ireland. The scammer (let’s call him James, since that appears to be one of the personas used, according to reports based on the number), sounded delighted in informing me that I was able to take advantage of a substantial discount on my plan.  Even before he’d finished his pitch, I received a text message which is legitimate 02 communication — a one-time code that customers can use to access their accounts if they forget their password, for example.  This is how the scam works: The cold caller asks if you want to take advantage of the discount At the same time, the scammer visits the 02 sign in page, types in your phone number, and asks for a one-time code to access your accountIn order to apply the discount, they -only- need the code they have just sent to your handsetIf you hand over the code, they can then access your details

To try and make it appear legitimate, James also told me I would receive a paper document in 24 to 48 hours outlining my amazing discount. I had to move quickly though and could I please give him the code. James wasn’t particularly happy when I called him out on the scam and tried to defend himself by saying that they are “only allowed to ask customers if they want the promotion,” but if I didn’t want it, to have a good day.  I said I hoped he had the day he deserves, and after being called some interesting names laden with profanity, that was the end of the call.  He was incredibly pushy and made repeat requests for the code. For those that receive this form of scam call, especially if they are vulnerable, not tech-savvy, or elderly, the immediate ping of a text message could be taken as a legitimate aspect of a carrier service call.  The number, 028 8501 7468, has been searched numerous times since November. Reports suggest the team has also impersonated Carphone Warehouse and Three, and are offering discounts, new phone contracts, and a 100% discount on phone charges. Worth keeping an eye out for — and as always, you should never hand over these details. If in doubt, cut the call and ring your service provider directly.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Amazon Web Services has fixed two flaws affecting AWS Glue and AWS CloudFormation. The bug in AWS Glue could allow an attacker using the service to create resources and access data of other AWS Glue customers, according to Orca Security. 

Special Report

Managing the Multicloud

It’s easier than ever for enterprises to take a multicloud approach, as AWS, Azure, and Google Cloud Platform all share customers. Here’s a look at the issues, vendors and tools involved in the management of multiple clouds.

Read More

Orca researchers say it was due to an internal misconfiguration within AWS Glue, which AWS today confirmed it has since fixed.SEE: Cloud security: A business guide to essential tools and best practicesGlue, which launched in 2017, is a managed serverless data integration service for connecting large databases, allowing developers to extract, transform and load (ETL) for machine-learning jobs. Orca researchers discovered a Glue feature could be used to gain the credentials to a role within the AWS service’s own account to give an attack access to the internal service’s application programming interface (API). Using this access with the internal misconfiguration, an attacker could escalate privileges within an account and gain full administrative privileges. 

“We confirmed that we would be able to access data owned by other AWS Glue customers,” Orca researcher Yanir Tsarimi said in a write-up.AWS said in a statement that Glue customers don’t need to update systems and emphasized the bug could not have affected AWS customers who don’t use Glue. “Utilizing an AWS Glue feature, researchers obtained credentials specific to the service itself, and an AWS-internal misconfiguration permitted the researchers to use these credentials as the AWS Glue service,” AWS said. “There is no way that this could have been used to affect customers who do not use the AWS Glue service.” Additionally, AWS said it audited Glue logs going back to its launch in 2017 and confirmed that no customer data had been impacted by the flaw since then. “AWS moved immediately to correct this issue when it was reported. Analysis of logs going back to the launch of the service have been conducted and we have conclusively determined that the only activity associated with this issue was between accounts owned by the researcher,” AWS said. “No other customer’s accounts were impacted. All actions taken by AWS Glue in a customer’s account are logged in CloudTrail records controlled and viewable by customers.”Orca found a second bug in AWS that allowed an attacker to compromise a server within CloudFormation in a way that lets them run as an AWS infrastructure service. AWS customers can use CloudFormation to provision and manage cloud resources.  The company identified an XML external entity injection (XXE) vulnerability that allowed it to read files and perform web requests on behalf of the server. The flaw could be used by an attacker to gain “privileged access to any resource in AWS”, according to Orca. AWS has also remediated this flaw, according to Orca.   More

One of the largest carding platforms in the Dark Web, UniCC, has announced its “retirement” from the criminal industry. 

UniCC has been active since 2013. The platform specialized in what is known as ‘carding’: credit card fraud and the sale of stolen details which can then be used to make unauthorized transactions, to clone cards, and to potentially facilitate identity theft. The retirement notice was posted in both Russian and English on a number of dark web forums.  “Our team retires,” the post read. “Thanks to everyone who has been part of us for years. To loyal partners, clients, and colleagues who assisted us in many ways, I would separately thank each one but it is not professional. If I or some of our team members failed your expectations – we [are] truly sorry.” The operators then gave the apparent reasons for UniCC’s closure: the age and health of its team.  “Don’t build any conspiracy theories about us leaving. It is weighted decision, we are not young and our health do not allow to work like this any longer.” The UniCC team then warned users that they have 10 days to wrap up their business and clear their accounts before the platform, alongside its affiliate domain — LuxSocks — closes. “We ask you to be smart and not follow any fakes tied to our comeback and other things,” the operators added. 

According to an analysis conducted by Elliptic, since 2013, UniCC has generated approximately $358 million in stolen data purchase revenue through cryptocurrencies including Bitcoin, Ether, Litecoin, and Dash.  “Tens of thousands of new cards were listed for sale on the market each day, and it was known for having many different vendors — with the fierce competition keeping prices relatively low,” Elliptic noted. “As UniCC retires, focus will now be on who emerges as the main successor. The carding market overall recently surpassed more than $1.4 billion in sales with Bitcoin alone. Meanwhile, the operators behind UniCC will be seeking to cash out their formidable profits.” In February last year, one of the largest carding forums, Joker’s Stash, called it quits. The platform facilitated the trade and sale of stolen payment card data, but following the seizure of a number of domains used by Joker’s Stash several months prior — and the apparent hospitalization of the operator due to COVID-19 — the service closed.  It is estimated that Joker’s Stash also generated millions of dollars in illicit profits during its lifetime.  Whether or not the operators have truly ‘retired’ or are just seeking to cash out, this does not mean it is the end of the story — law enforcement could still knock on their door, one day.  Speaking to the BBC, the UK National Crime Agency (NCA)’s Alex Hudson, intelligence manager, said the closure has created “mixed” feelings. While the operators have left the criminal industry and the potential pool of tradeable stolen data has shrunk slightly, it may also feel like unfinished business. “If there is a regret, it’s that we do need to hold them accountable for it and they need to understand that they will still be held accountable,” Hudson commented.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

The renewable energy industry is becoming more important as countries attempt to move away from fossil fuels, but the continued growth of the sector must be managed with cybersecurity in mind, or there’s the danger that vulnerabilities in everything from power plants down to smart meters could leave energy providers and their customers open to risk.The energy industry is already a high-profile target for hackers, including those looking to deploy espionage campaigns, ransomware and even attacks with the intent to sabotage systems to cut off power – and the rapid transition towards renewable energy could lead to additional avenues for cyber criminals to exploit.  

ZDNet Recommends

A new report by defence and security think tank the Royal United Services Institute (RUSI) has outlined some of the top cyber risks during the transition towards renewable energy from fossil fuels.  SEE: A winning strategy for cybersecurity (ZDNet special report) “Renewables offer huge opportunities for the UK to become more self-sufficient in energy production whilst mitigating effects of climate change. This transition has to be taken with cybersecurity in mind, cognisant of future cyber threats to society due to the massive digitalisation of the sector,” said Sneha Dawda, research fellow in cybersecurity at RUSI. One of the main targets for cyber attackers is the supervisory control and data acquisition (SCADA) systems responsible for managing industrial networks.There are two key security issues in SCADA systems – the first is that many of these networks are old, sometimes to the extent they can’t receive security updates, which means that if they’re linked to internet-facing areas of the network, they can potentially be infiltrated by cyber criminals.  

SCADA systems’ security can also be threatened if there’s a remote element to access, via cloud services and VPNs. Newer systems can lean heavily on remote access, but if secure login credentials or patch management isn’t looked after properly, this can provide another avenue for cyberattacks, particularly if automated systems that might not be intently monitored are involved. Some of the most common cybersecurity advice is to patch systems with security updates to protect against attacks. But the reality is that for many energy providers, the network is based on legacy systems – and in many cases, updating or replacing those systems could potentially affect services or involve rebuilding them completely.  According to the RUSI paper, another of the key concerns facing the renewable energy sector is cybersecurity risks in the supply chain.  “If one vendor within the supply chain is compromised, this can have widespread consequences for all connected organisations,” the report warns, citing the likes of the Kaseya and SolarWinds attacks as examples of how cyber attackers can cause massive disruption through the software supply chain. In order to combat this, some of those consulted by researchers suggest that energy providers should take a more careful approach with supply chains, asking questions of suppliers and even helping them improve their security in some cases.But it isn’t just energy providers themselves that could be affected directly by cybersecurity vulnerabilities – products and devices used in homes and businesses are also potentially at risk. One threat that the report warns about is Lithium-ion batteries, which use a battery management system (BMS) to monitor safety and reliability – and can be connected to networks. However, the paper warns that weaknesses in encryption, authorisation and remote access into these connected devices could be exploited by attackers. What’s more, these aren’t the only connected devices that potentially contain cybersecurity risks that need to be examined. The paper suggests that home car chargers are “a unique point of intrusion because they serve a very specific purpose”. Home chargers are becoming more common as hybrid and electric vehicles increase in popularity – but there’s already examples of connected chargers being found to have firmware vulnerabilities that attackers can exploit, either to gain access to networks or to rope the devices into a botnet. “While these vulnerabilities have been patched, they provide good examples of how this technology is lacking in industry standards,” says the paper. The final cybersecurity risk relating to renewable energy examined by the paper is IoT devices in smart homes and buildings.  Energy companies are increasingly encouraging customers to install smart meters and other sensors. However, smart meters and IoT devices can be vulnerable to cyberattacks, providing cyber criminals with a route into networks and the ability to build botnets. It can also be difficult for users to patch IoT devices – if they can be patched at all.  The paper suggests initiatives like the UK government’s ‘Secure by Design’ legislation could help improve the cybersecurity situation – and concludes that further research into risk-mitigation strategies and policy-focused recommendations are required. MORE ON CYBERSECURITY More

A new campaign focused on emptying the cryptocurrency wallets of organizations in the financial and crypto spaces has been revealed by researchers. 

Dubbed SnatchCrypto, Kaspersky researchers said on Thursday that the campaign is the work of BlueNoroff, an advanced persistent threat (APT) group suspected of being connected to the larger Lazarus APT. Lazarus is a North Korean hacking unit tied to cyberattacks against banks and financial services. The APT specializes in SWIFT-based intrusions in countries including Vietnam, Bangladesh, Taiwan. Alongside Cobalt and FIN7, Blueliv recently branded the group as one of the top threats faced by FinTech firms today.  “The group [BlueNoroff] seems to work more like a unit within a larger formation of Lazarus attackers, with the ability to tap into its vast resources: be it malware implants, exploits, or infrastructure,” the researchers say. According to Kaspersky, BlueNoroff has conducted a series of attacks against both small and medium-sized companies tied to cryptocurrency, virtual assets, the blockchain, smart contracts, decentralized finance (DeFI), and FinTech in general.  BlueNoroff focuses on building — and abusing — trust to infiltrate company networks. Whether this is business communication and chats or wider social engineering techniques, the APT spends a lot of time and effort learning about its victims. As of November 2021, Kaspersky says the group has been “stalking and studying” cryptocurrency startups. BlueNoroff aims to create ‘maps’ of current topics of interest in the target organization and then uses this information as a springboard to launch social engineering attacks that appear to be legitimate and trustworthy. 

“BlueNoroff compromises companies through precise identification of the necessary people and the topics they are discussing at a given time,” the researchers note. “A document sent from one colleague to another on a topic, which is currently being discussed, is unlikely to trigger any suspicion.” For example, an email may be sent that pretends to be a shared document hosted on Google Drive from a ‘colleague’ to an employee of a startup. In a sample obtained by Kaspersky, a notification was sent at the time the trap document was opened.  In another example, an email was pushed as a forward that appears to have been sent by a colleague — potentially increasing trust as the message looked as though it had already been checked.

The APT also impersonates legitimate companies in phishing emails, including Coinsquad, Emurgo, Youbi Capital, and Sinovation Ventures.  CVE-2017-0199, a remote code execution (RCE) flaw, is used to trigger a remote script linked to the malicious documents. The exploit will fetch a payload from a URL embedded in these files, and a remote template is also pulled. When they combine, base64-encoded binary objects and a VBA macro become available, then used to spawn a process for privilege escalation before the main payload is executed on a target system.  “Interestingly, BlueNoroff shows improved opsec at this stage,” Kaspersky says. “The VBA macro does a cleanup by removing the binary objects and the reference to the remote template from the original document and saving it to the same file. This essentially de-weaponizes the document leaving investigators scratching their head during analysis.” Other infection chains observed include the use of zipped Windows shortcut files or malicious Word documents that are used to fetch secondary-stage payloads.  At this point, a PowerShell agent is used to deploy a backdoor. The malware is able to remotely connect to its operator’s command-and-control (C2) server, manipulate processes and the registry, execute commands, and steal data stored by the Chrome browser, Putty, and WinSCP. In addition, a secondary backdoor, keylogger, and screenshot taker may also be launched on the machine.  The final payload is a custom backdoor that has only been seen in attacks conducted by BlueNoroff. This malware will collect system data and configuration related to cryptocurrency software and will attempt to interject between transactions stemming from hardware wallets.  Of particular note is when victims use browser extensions to manage their crypto, The Metamask extension, for example, will be tampered with to monitor transactions and allow the attackers to choose the right moment to strike.  The researchers explained how these attacks take place: “When the compromised user transfers funds to another account, the transaction is signed on the hardware wallet. However, given that the action was initiated by the user at the very right moment, the user doesn’t suspect anything fishy is going on and confirms the transaction on the secure device without paying attention to the transaction details.  The user doesn’t get too worried when the size of the payment he/she inputs is low and the mistake feels insignificant. However, the attackers modify not only the recipient address, but also push the amount of currency to the limit, essentially draining the account in one move.” Victims have been traced to Russia, Poland, the US, Hong Kong, Singapore, China, and other countries.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Hackers from North Korea stole nearly $400 million worth of cryptocurrency in 2021 through at least seven attacks and most of it was Ether or ETH rather than Bitcoin, according to blockchain analysis firm, Cainalysis. 2021 was a record year for North Korea’s military hackers, the most notorious of which is Lazarus, the group behind the destructive wiper attack on Sony Pictures Entertainment in 2014, WannaCry ransomware in 2017, multiple banks via the SWIFT banking system, and numerous cryptocurrency exchanges. 

ZDNet Recommends

Also known as APT 38, the group has focused in on cryptocurrency theft as a prime vehicle for raising revenue for the country and evading US and UN economic sanctions. A UN Panel of experts in 2018 concluded that its cryptocurrency hacks contribute to North Korea’s ballistic missile programs.SEE: Scallops, vaccines and Tesla: The wild world of blockchain and cryptocurrencyThe group employs common tactics used by other nation-state hacking groups and cybercriminals, including social engineering, phishing and software exploits. “From 2020 to 2021, the number of North Korean-linked hacks jumped from four to seven, and the value extracted from these hacks grew by 40%,” Chainalysis said in its report. Attacks from North Korean hackers in 2021 mostly targeted investment firms and centralized cryptocurrency exchanges, according to Chainalysis. The groups used social engineering to move funds from targets’ wallets to addresses controlled by North Korean accounts. The funds were then laundered and cashed out.  

Last year, 68% of the funds that North Korean hackers stole were Ether, which replaced Bitcoin as the primary cryptocurrency. Bitcoin, however, still plays a key role in laundering stolen Ether via decentralized exchanges before being mixed into new wallets and then cashed out. Cryptocurrency mixer or ‘tumbler’ software breaks down a user’s funds into small sums and blends it with other transactions in micro-transactions before sending an equivalent value to a new address. The US filed its first money laundering charges against a US Bitcoin mixing service in 2020.   “DPRK is a systematic money launderer, and their use of multiple mixers … is a calculated attempt to obscure the origins of their ill-gotten cryptocurrencies while offramping into fiat,” the report notes.North Korea also has about $170 million in cryptocurrency holdings from 49 attacks that have yet to be laundered through mixers. Of that, $55 million came from attacks carried out in 2016 while $35 million came from attacks in 2020 and 2021. Chainalysis notes that $97 million stolen from cryptocurrency wallets managed by Japanese cryptocurrency exchange Liquid.com in August was moved to addresses controlled by a party working on behalf of DPRK, resulting in $91.35 million being laundered. North Korea’s hacks on cryptocurrency exchanges are well document by the US Cybersecurity and Infrastructure Security Agency (CISA). The US government’s umbrella term for the country’s hacking is HIDDEN COBRA. A February 2021 report from CISA details the work of North Korean hackers in connection with the AppleJesus malware that targeted Windows and Mac systems worldwide by posing as a legitimate cryptocurrency trading platform.  More

A ‘massive’ cyberattack has taken down several government websites in Ukraine, including the Ukrainian Foreign Ministry and the Ministry of Education and Science.A statement by Ukranian police says cyber attackers left “provocative messages” on the main pages of government websites, which have been taken offline – but no personal data has been altered or stolen.

ZDNet Recommends

The country’s cyber-police department is working with the State Special Communications Service and Ukraine’s security service to investigate the attacks. As of Friday morning, some of the websites have been restored, while others remain offline.SEE: A winning strategy for cybersecurity (ZDNet special report) “As a result of a massive cyber attack, the websites of the Ministry of Foreign Affairs and a number of other government agencies are temporarily down. Our specialists have already started restoring the work of IT systems, and the cyberpolice has opened an investigation,” Oleg Nikolenlo, spokesperson for Ukraine’s Foreign Ministry, said on Twitter.Websites affected by the attack include those of the Ukrainian cabinet, a number of ministries and the state services website, which stores electronic passports and vaccination certificates.Josep Borrell, high representative of the EU for foreign affairs and security policy, said the European Union is mobilising “all its resources” to aid Ukraine following the cyberattack.

“This deserves the strongest condemnation,” he told reporters, according to Bloomberg, adding: “Of course I cannot point at anyone as I have no evidence, but we can imagine.” Currently, nobody has explicitly claimed responsibility for the attack or made concrete accusations over where it originated. However, it came just hours after the EU renewed economic sanctions on Russia by a further six months.Russia has previously been accused of conducting a number of different cyberattacks against Ukraine, including one that disrupted energy supplies, causing power cuts in December 2015.MORE ON CYBERSECURITY More

Singapore has uncovered a distribution network hawking e-vaporisers and other related components via Telegram. The messaging app was tapped to advertise and supply the contraband items to “a large number of people” in chatgroups. The network was busted followed a 24-hour operation conducted on January 6, which uncovered the illegal activities of a distributor and peddlers, said Singapore’s Health Sciences Authority (HSA) in a statement Friday. The industry regulator said the items had an estimated street value of almost SG$200,000 ($148,596). Adding that two male and one female subjects were assisting in its investigation, HSA said: “They had used Telegram to illegally advertise and supply such prohibited items to a large number of people in these chatgroups. “E-vaporiser smugglers and peddlers are using anonymous messaging applications, such as Wechat and Telegram, in a bid to conduct their illegal activities clandestinely. HSA had been closely monitoring the e-vaporiser distribution networks on platforms such as Telegram, which are used to sell the prohibited items,” it added.Singapore’s Tobacco (Control of Advertisements and Sale) Act prohibits the import, distribution, sale, or offer for sale of imitation tobacco products, which include e-vaporisers, shisha tobacco, and smokeless tobacco. Violators face a fine of up to SG$10,000, or imprisonment of up to six months, or both for the first offence, and a fine of up to SG$20,000, or imprisonment of up to 12 months or both for the second or subsequent offence. The law also prohibits the purchase, use, and possession of such products. Violators face a fine of up to SG$2,000.HSA last October seized a record of more than SG$2 million worth of e-vaporisers and related components. RELATED COVERAGE More