More stories

  • SEC charges co-founders of bankrupt uBiome medical testing startup with operating $60m fraud

    The US Securities and Exchange Commission (SEC) has charged the co-founders of uBiome with fraud reaching an estimated $60 million.

    On Thursday, the agency said that the co-founders of the medical testing startup, Jessica Richman and Zachary Apte, are being charged for “falsely portraying uBiome as a successful startup with a proven business model and strong prospects for future growth.”

    Founded in 2012 and based in San Francisco, uBiome claimed to have developed technology able to analyze fecal samples and microbiomes to understand how the bacterial makeup of a participant works — including how they metabolize nutrients — and, on a wider scale, the state of human microbiomes. Both gut and vaginal tests were on offer. However, the company went bankrupt in 2019 following an FBI raid of the startup’s offices over suspect billing practices.

    According to the SEC’s complaint, filed in federal court in San Francisco, Richman and Apte marketed their startup as having a “strong track record” in the private medical testing space — but the agency says these claims were “false” as revenue figures were based on “duping doctors into ordering unnecessary tests and other improper practices.” In some cases, insurers received bills for close to $3,000 for a test. Had these “improper” practices been known, insurers would have refused to pay, and to inflate numbers further, the SEC alleges that prior and backdated claims were also issued to insurers together with “misleading” medical records.

    The SEC alleges that the co-founders directed employees to hide the shady business practices from both investors and insurers. Two fundraising rounds, Series B and C, were launched by uBiome and also raised suspicion, as the co-founders reportedly sold shares during the same periods to rake in $12 million in profit.

    “Ultimately, Richman and Apte’s efforts to conceal the practices unraveled, which led to uBiome suspending its medical test business and entering bankruptcy,” the complaint reads. “Richman and Apte were each enriched by millions through selling their own uBiome shares during the fraudulent fundraising round.”

    The US agency has charged Richman and Apte with violating the antifraud provisions of federal securities laws and is seeking officer and director bans, disgorgement, and civil penalties.

    The US Attorney’s Office for the Northern District of California has also separately filed criminal charges against the pair. A 33-page indictment alleges that between 2015 and 2019, Richman and Apte’s business submitted over $300 million in reimbursement claims, of which uBiome received over $35 million.

    The Department of Justice (DoJ) is charging the pair with conspiracy to commit healthcare fraud and healthcare fraud, conspiracy to commit wire and securities fraud, wire fraud, aiding and abetting, fraud in connection with the purchase and sale of securities, and engaging in financial transactions linked to illegal activity.

    In addition, US prosecutors have charged Richman and Apte with aggravated identity theft, a charge based on the suspected fraudulent use of healthcare provider names and personal data to create documents designed to be submitted to insurers.

    The maximum statutory penalties for the charges range from five to 20 years in prison per count.

  • Fraudsters jump on Clubhouse hype to push malicious Android app

    A new malicious app is making the rounds that pretends to be the sought-after Android version of Clubhouse. 

    Clubhouse is an invitation-only audio chat app that allows users to listen in on conversations in real time. Attention around the app exploded after Elon Musk tweeted about it, but as a free service currently available only on iOS, Android users may be feeling somewhat left out. The startup is yet to launch an Android version of Clubhouse, and until it does, fraudsters are hoping to fool users into downloading malicious software.

    On Friday, ESET disclosed the discovery of an Android app being served from a clone of the Clubhouse website. While it was thankfully not found to have slipped through the security net on Google Play — the official repository for Android applications — researcher Lukas Stefanko said the website uses a “Get it on Google Play” button to try to fool visitors into believing the app is legitimate.

    If downloaded and executed, the malicious .APK deploys BlackRock, a banking Trojan capable of extensive data theft. Discovered in May 2020, the BlackRock Trojan was traced back to Xerxes and LokiBot, the former of which had its source code leaked online a year earlier. “Xerxes’ source code was leaked, no new malware based on, or using portions of, such code was observed,” ThreatFabric said in an advisory last year. “BlackRock seems to be the only Android banking Trojan based on the source code of the Trojan at the moment.”

    The Trojan is capable of intercepting and tampering with SMS messages, hiding notifications, redirecting users to their device’s home screen if they attempt to run antivirus software, and remotely locking screens.

    When it comes to information theft, BlackRock can steal more than device/OS information and text messages: ESET says the malware is equipped to steal content from no fewer than 458 online services. When an unwitting victim opens the app of a service they want to access, an overlay attack is performed. The overlay requests the victim’s credentials which, once submitted, are whisked away to the malware’s operator. Target services include Facebook, Amazon, Netflix, Twitter, Cash App, Lloyds Bank, and a variety of other financial, retail, and cryptocurrency exchange platforms.

    “Using SMS-based two-factor authentication (2FA) to help prevent anyone from infiltrating your accounts wouldn’t necessarily help in this case, since the malware can also intercept text messages,” ESET says. “The malicious app also asks the victim to enable accessibility services, effectively allowing the criminals to take control of the device.”

    While the use of a fake Google button may be a clever way to stop victims from realizing they are downloading a malicious .APK, navigating directly to the Google Play Store can mitigate the risk of being caught in this way. In addition, keeping device firmware up to date, monitoring the permissions you grant to new apps, and using mobile antivirus software can help you stay protected.

  • Burnt by SolarWinds attack? US releases tool for post-compromise detection

    CISA, the US Cybersecurity and Infrastructure Security Agency, has released a new command-line tool to scan on-premises systems for traces of activity by the attackers behind the SolarWinds supply chain hack. 


    CISA calls the forensics tool CHIRP, which stands for the CISA Hunt and Incident Response Program. “CHIRP scans for signs of APT compromise within an on-premises environment,” CISA says in the alert.

    CHIRP was built to look for signs of compromise related to SolarWinds Orion software, the widely used network monitoring software the hackers used to distribute the Sunburst/Solorigate backdoor to around 18,000 SolarWinds customers. Microsoft calls the threat actor Nobelium, while FireEye tracks the same group as UNC2452.

    The new investigation tool is related to CISA’s previously released Sparrow, which detects attacker activity on compromised accounts and applications within Azure and Microsoft 365 cloud environments. CISA recommends that defenders use CHIRP to examine Windows event logs and the Windows Registry, to query Windows network artifacts, and to apply YARA rules to detect malware, backdoors or implants.

    The tool has several plugins to search through event logs and registry keys. It also has a file with a list of indicators of compromise (IOCs) that the agency associates with activity in its previous AA20-352A (for Orion) and AA21-008A (Microsoft 365/Azure environments) alerts.

    Only some of the 18,000 SolarWinds customers affected by the trojanized version of Orion were selected by the hackers for deploying a second strain of malware, called Teardrop. The attackers then escalated access within a target’s cloud environment to breach Microsoft 365 infrastructure. CISA says CHIRP currently looks for:

      • the presence of malware identified by security researchers as TEARDROP and RAINDROP;
      • credential dumping certificate pulls;
      • certain persistence mechanisms identified as associated with this campaign;
      • system, network, and M365 enumeration; and
      • known observable indicators of lateral movement.

    Microsoft recently detailed three additional pieces of malware related to the Sunburst intrusion, including Sibot, a tool designed for persistence on an infected machine to support the download and execution of a payload from a remote C2 server.

    CHIRP is available on GitHub as a compiled executable or as a Python script. FireEye in January also released a free tool on GitHub called Azure AD Investigator.

  • Microsoft Defender Antivirus now automatically mitigates Exchange Server vulnerabilities

    Microsoft has implemented an automatic mitigation tool within Defender Antivirus to tackle critical vulnerabilities in Exchange Server.

    On March 18, the Redmond giant said the software will automatically mitigate CVE-2021-26855, a severe vulnerability that is being actively exploited in the wild.

    This vulnerability is one of four that can be chained in a wider attack to compromise on-premises Exchange servers. Microsoft released emergency fixes for the security flaws on March 2 and warned that a state-sponsored threat group called Hafnium was actively exploiting the bugs; since then, tens of thousands of organizations are suspected to have been attacked. At least 10 other advanced persistent threat (APT) groups have jumped on the opportunity that slow or fragmented patching has provided.

    The implementation of a recent security intelligence update for Microsoft Defender Antivirus and System Center Endpoint Protection means that mitigations will be applied to vulnerable Exchange servers when the software is deployed, without any further input from users. According to the firm, Microsoft Defender Antivirus will automatically identify whether a server is vulnerable and apply the mitigation fix once per machine.

    If automatic updates aren’t turned on, it is recommended that users manually install the new update and make sure their software is upgraded to at least build 1.333.747.0 or newer. Cloud protection is not required to receive the mitigation fix, but the company recommends that this feature be enabled as a matter of best practice.

    Earlier this week, Microsoft released a one-click mitigation tool designed to reduce the risk of exploitation on vulnerable servers before full patches can be applied, and this update to the firm’s antivirus software has been released under the same principle. The mitigation tool remains readily available as an alternative way to reduce the risk to vulnerable servers if IT admins do not have Defender Antivirus.

    “The Exchange security update is still the most comprehensive way to protect your servers from these attacks and others fixed in earlier releases,” Microsoft says. “This interim mitigation is designed to help protect customers while they take the time to implement the latest Exchange Cumulative Update for their version of Exchange.”

    On March 17, Microsoft released its quarterly cumulative updates for Exchange Server 2016 and Exchange Server 2019, which also contain the security patches required to tackle the critical vulnerabilities.

  • ANAO finds two government departments inaccurately self-reported cyber compliance

    The Australian National Audit Office (ANAO) has published the findings of an investigation into the effectiveness of cybersecurity risk mitigation strategies implemented by seven government entities, declaring that none has fully implemented all the mandatory benchmarks.

    The Attorney-General’s Department (AGD); Australian Trade and Investment Commission (Austrade); Department of Education, Skills, and Employment; Future Fund Management Agency; Department of Health; IP Australia; and Department of the Prime Minister and Cabinet (PM&C) were all under the microscope.

    The Australian Signals Directorate (ASD) and Department of Home Affairs (DHA) were also probed by ANAO, but they were not included in this assessment. Instead, they were examined only in their roles as cyber policy and operational entities.

    Since 2013, non-corporate Commonwealth entities have been required to undertake an annual self-assessment against the Top Four strategies, which are mandated by the AGD’s Protective Security Policy Framework (PSPF). Entities report their overall compliance with mandatory requirements to AGD. The Top Four are: properly implementing application whitelisting, patching applications, patching operating systems, and restricting administrative privileges.

    In addition to none of the seven entities implementing all of the mandatory Top Four mitigation strategies, ANAO found that of the three entities that had self-assessed full implementation for one or more of the mitigation strategies in their 2018-19 PSPF assessment, PM&C and AGD had not done so accurately. PM&C assessed itself as having fully implemented all the mandatory Top Four mitigation strategies in its 2018-19 PSPF self-assessment.

    PM&C was assessed by ANAO as fully implementing the requirements for application control, for patching applications, and for patching operating systems. However, ANAO assessed that PM&C had only partially implemented the requirements for restricting administrative privileges.

    “While PM&C has a process for validating privileged access on an annual basis, it does not sufficiently ensure that privileged access is restricted to personnel that require it to undertake their duties,” the report declared. “Weaknesses in PM&C’s validation processes increases the risk that a cyber intrusion could result in an adversary acquiring privileged access to its systems and subsequently change and bypass other security measures to compromise the system.”

    In its 2018-19 PSPF self-assessment, AGD reported that it had fully implemented two of the Top Four: patching operating systems and restricting administrative privileges. ANAO assessed that AGD has “substantially” implemented the requirements for patching operating systems but that further improvements need to be made to reach full implementation. ANAO agreed with AGD’s assessment that it has fully implemented the requirements for restricting administrative privileges, however.

    The Future Fund Management Agency escaped ANAO’s wrath by accurately self-assessing the two Top Four mitigation strategies for which it reported full implementation. “Future Fund has not fully implemented all of the Top Four mitigation strategies, but is internally resilient as it has effective controls in place to support its ability to detect and recover from a cybersecurity incident,” ANAO said.

    The report also showed that five of the six selected entities that had self-assessed as not fully implementing any of the Top Four mitigation strategies have established strategies and implemented activities to manage their cyber risks and to progress toward a “Managing” maturity level for PSPF Policy. The five entities have also included the implementation of the remaining four strategies that comprise the Essential Eight in their cybersecurity improvement programs.

    Austrade and the Department of Education were additionally asked by ANAO to set a timeframe to improve their respective cybersecurity maturity.

    AGD and DHA are the key regulatory entities where cybersecurity is concerned. The AGD is responsible for setting government protective security policy guidance, including for information security, through the PSPF. ASD, meanwhile, developed the Top Four mitigation strategies. ANAO said all three “could do more to improve support for the implementation of cybersecurity requirements”.

    Making five recommendations, ANAO has asked AGD to ensure the maturity levels under the PSPF maturity assessment model are fit for purpose and effectively align with the maturity levels under ASD’s Essential Eight Maturity Model. In addition, it has asked AGD to provide additional clarity on the PSPF supporting guidance and to implement measures to obtain assurance on the accuracy of entities’ PSPF self-assessments, and has asked ASD to assist AGD in supporting its assurance processes. ANAO’s final recommendation was that the Australian government strengthen arrangements to hold entities to account for the implementation of mandatory cybersecurity requirements.

    Such lack of accountability has been the subject of many parliamentary inquiries, with the Joint Committee of Public Accounts and Audit, as one example, highlighting that there is no mechanism that allows the individual performance of Commonwealth entities to be probed.

    ANAO also said that in the period July 2019 to June 2020, there were 436 cybersecurity incidents reported to the Australian Cyber Security Centre by Australian government entities.

  • Australian law enforcement used encryption laws 11 times last year

    Australia’s contentious encryption laws were used 11 times between 1 July 2019 and 30 June 2020 by three of the nation’s law enforcement bodies. According to the Department of Home Affairs’ latest Telecommunications (Interception And Access) Act 1979 — Annual Report 2019-20, New South Wales Police used the powers seven times, the Australian Federal Police (AFP) three times, and the Australian Criminal Intelligence Commission (ACIC) once.

    All 11 instances were Technical Assistance Requests (TARs), which are voluntary requests for designated communications providers to use their existing capabilities to access user communications. The laws, passed in 2018, also create Technical Assistance Notices and Technical Capability Notices, which are compulsory notices that compel communications providers to use an existing interception capability or to build a new one, respectively.

    NSW Police used its TARs in six cases of illicit drug offences and one of robbery. Two of the AFP’s three TARs given in the period were not given for specific offences but rather to be used against all serious offences as the need arose. These two TARs were then revoked prior to assistance being utilised, the report said. The Federal Police’s remaining TAR was used for cybercrime offences. The ACIC, meanwhile, used its one TAR for illicit drug offences.

    During the reported period, there were just over 310,000 authorisations for retained data, up from the 296,000 issued the previous year. NSW Police had the most, with just shy of 120,000 authorisations, followed by Victoria Police with around 89,000, and WA Police with almost 27,000. More than 227,000 of these authorisations involved subscriber data rather than traffic data.

    Australia’s 20 enforcement agencies made 306,995 authorisations for the disclosure of historical telecommunications data, an increase of 17,358 from the 289,637 authorisations made in the previous year. NSW Police again accounted for the most authorisations with 116,968, followed by Victoria Police with 88,526, WA Police with 26,512, and Queensland Police with 25,221. The report said that of these, 306,995 were made to enforce the criminal law.

    The majority of criminal law offences for which historical telecommunications data was requested were illicit drug offences, with 78,142 requests, followed by 32,827 requests for fraud and related offences, and 24,834 requests for robbery offences. 3,028 authorisations were made by agencies for the purpose of locating a missing person, and 1,209 for the enforcement of a law imposing a pecuniary penalty or for the protection of the public revenue.

    3,677 interception warrants were issued to interception agencies, an increase of 116 from 2018-19. 737 were renewals of interception warrants, and only 12 of the total requests were refused. “The majority of serious offences that were specified in interception warrants issued were serious drug and trafficking offences (2,096 times specified), followed by loss of life or personal injury offences (616 times specified) and murder (303 times specified),” the report states. NSW Police had all of its 1,613 requests issued, while WA Police had seven of its 364 requests refused. Information obtained under interception warrants was used in 2,685 arrests, 5,219 prosecutions, and 2,652 convictions.

    1,385 stored communications warrants were issued to criminal law-enforcement agencies, an increase of 132 on the 1,253 issued the year prior. Law enforcement agencies made 542 arrests, conducted 568 proceedings, and obtained 298 convictions involving evidence obtained under stored communications warrants, the report said.

    32,856 authorisations were made by criminal law-enforcement agencies for the disclosure of prospective telecommunications data, an increase of 5,085 on the 27,771 authorisations made in 2018-19. One journalist information warrant was issued to the QLD Crime and Corruption Commission, under which one historical data authorisation was made for the enforcement of the criminal law.

    The report also revealed that the cost of compliance with Australia’s data retention scheme since 2015-16 topped AU$238 million, with 2019-20 costs coming in at a little over AU$21.2 million. Total costs recovered came in at AU$50.3 million.

    The AFP and ACIC are gearing up to be issued three new computer warrants for dealing with online crime through the pending passage of the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020. The first of the warrants is a data disruption warrant; the second is a network activity warrant; and the third is an account takeover warrant.

    Senators have raised concerns about the “scope creep” the warrants could result in, the country’s privacy commissioner has called the powers “too wide-ranging”, and the Human Rights Law Centre and the Law Council of Australia have asked that the federal government redraft the Bill, calling its contents “particularly egregious” and “so broad”.

  • VMware acquires Mesh7 for cloud-native application security

    VMware on Thursday announced that it plans to acquire Mesh7, a company that secures cloud-native applications and microservices by monitoring application behavior at the API layer. The terms of the deal were not disclosed.

    Once the acquisition is finalized, VMware plans to integrate Mesh7’s contextual API behavior security product with the VMware Tanzu Service Mesh. The integration “will enable VMware to deliver high fidelity understanding of which applications components are talking to which using APIs,” Tom Gillis, VMware SVP and GM of the Networking and Security Business Unit, wrote in a blog post. “Developers and Security teams will each gain a better understanding of when, where and how applications and microservices are communicating via APIs, even across multi-cloud environments, enabling better DevSecOps.”

    The Mesh7 solution is based on Envoy, an open-source Layer 7 proxy designed for large, modern service-oriented architectures. Envoy is also a foundational component of Tanzu Service Mesh. “Early on, VMware realized Envoy would become the platform for next-generation security services,” Gillis wrote.

  • SolarWinds-linked hacking group SilverFish abuses enterprise victims for sandbox tests

    Cyberattackers involved in worldwide hacking campaigns are using the compromised systems of high-profile victims as playgrounds to test out malicious tool detection rates. 

    On Thursday, Swiss cybersecurity firm Prodaft said in a report (PDF) that SilverFish, an “extremely skilled” threat group, has been responsible for intrusions at over 4,720 private and government organizations, including “Fortune 500 companies, ministries, airlines, defense contractors, audit and consultancy companies, and automotive manufacturers.” Attacks are geared toward US and European entities, with a specific focus on critical infrastructure and targets with a market value of over $100 million.

    SilverFish has been connected to the recent SolarWinds breach as “one of many” threat groups taking advantage of the situation, in which malicious SolarWinds Orion updates were pushed to customers, leading to the compromise of thousands of corporate networks.

    In December, following the disclosure of the SolarWinds breach, Prodaft received an analysis request from a client and created a fingerprint based on public Indicators of Compromise (IoCs) released by FireEye. After running IPv4 scans, the team found new detections within 12 hours and then began combing the web for command-and-control servers (C2s) used in the operation while refining fingerprint records. Prodaft says that after obtaining entry to the management C2 control panel, the company was able to verify links to existing SolarWinds security incidents and known victims by way of IP, username, command execution, country, and timestamp records.

    Victims verified by the company include a US military contractor, a top COVID-19 testing kit manufacturer, aerospace and automotive giants, multiple police networks, European airport systems, and “dozens” of banking institutions in the US and Europe.

    SilverFish is focused on network reconnaissance and data exfiltration and uses a variety of software and scripts for both initial and post-exploitation activities. These include readily available tools such as Empire, Cobalt Strike, and Mimikatz, as well as tailored rootkits, PowerShell, BAT, and HTA files. Prodaft says that SilverFish attackers tend to follow particular behavioral patterns while enumerating domains, including running commands to list domain controllers and trusted domains, as well as displaying stored credentials and admin user accounts. Scripts are then launched for post-exploit reconnaissance and data theft activities. Hacked, legitimate domains are sometimes used to reroute traffic to the C2.

    However, perhaps the most interesting tactic observed is the use of existing enterprise victims as a sandbox. “The SilverFish group has designed an unprecedented malware detection sandbox formed by actual enterprise victims which enables the adversaries to test their malicious payloads on victim servers with different enterprise AV and EDR solutions, further expanding the high success rate of the SilverFish group attacks,” the company says.

    The C2 panel also revealed some interesting hints about how SilverFish operates. Panels are set up for “Active teams” and appear to account for multiple groups such as Team 301, 302, 303, and 304, with both English and Russian used to write comments on victim records. Work hours appear to stay within 8 am – 8 pm UTC, with far less activity taking place on weekends. Attacker teams seem to cycle between victims every day or so, and whenever a new target is snared, the server is assigned to a particular working group for examination.

    A ‘test run’ of the SolarWinds Orion compromise was conducted in 2019, whereas Sunburst malware was deployed to clients between March and June 2020. SilverFish-SolarWinds attacks began at the end of August 2020 and were conducted in three waves that only ended with the seizure and sinkholing of a key domain. However, the team expects other spying and data theft-related attacks to continue throughout 2021.

    SilverFish infrastructure has also revealed links to multiple IoCs previously attributed to TrickBot, EvilCorp, WastedLocker, and DarkHydrus. Prodaft cautions that “security analysts should not fully-automize their threat intelligence protocols [..] as acting strictly upon IoC intelligence from third-party resources may be one of the main reasons that prevent researchers from realizing the actual scope of large-scale APT attacks.”

    “SilverFish are still using relevant machines for lateral movement stages of their campaigns,” the company added. “Unfortunately, despite being large critical infrastructure, most of their targets are unaware of the SilverFish group’s presence on their networks.”

    As a “very sensitive matter,” Prodaft told ZDNet that victims were not contacted directly. However, the firm’s findings have been shared “with all responsible CERTs, and different law enforcement agencies; so that they can get in touch with the victims as the authorized body and share their findings.”