More stories

    US taxpayers targeted in NetWire, Remcos Trojan attack wave

    Researchers have analyzed an active campaign targeting US taxpayers in order to spread both NetWire and Remcos Trojans. 

    The tax season is now upon us and as US residents file their returns ahead of a deadline in April, this is also a prime time for cybercriminals to launch campaigns tailored to take advantage of the annual requirement. Phishing campaigns, unless they are nothing more than mass spray-and-pray attempts, will usually hook on a particular theme or situation to try and elicit enough of a reaction to fool a victim into clicking a malicious link or downloading a malware-laden attachment.  Examples include a ‘fraud’ alert from a bank, demands for student loan repayments, fake criminal investigations by the IRS, or notices from legitimate companies such as PayPal warning of unauthorized transactions.  When it comes to tax season, personal finance-themed phishing emails often include tax return-related content, and this is the hook that the active campaign’s operators have chosen to use.  According to research published by Cybereason on Thursday, the phishing messages come with documents attached that utilize malicious macros to deploy both NetWire and Remcos Remote Access Trojans (RATs).  Phishing document samples revealed that once opened, the content will blur and victims are asked to enable macros and editing in order to view the text. If they accept, a “heavily obfuscated” macro drops a malicious .DLL payload — a dropper for one of the two Trojans — in the /temp directory. 

    The .DLL is then injected into Notepad software and the infection chain continues with the decryption of payload data via an XOR key in order to free up executable code. A connection to a command-and-control (C2) server is established and the OpenVPN client is downloaded, together with a side-loaded trojanized .DLL to maintain remote persistence. This side-loaded .DLL is responsible for unpacking another .DLL, loaded into memory, and injecting it into Notepad. Another package is then pulled from the legitimate image hosting service imgur, and this package — hidden within an image file in a technique known as steganography — is one of either of the Trojans. Remcos and NetWire RAT functionality includes taking screenshots, keylogging, stealing browser logs and clipboard data, file harvesting, the theft of OS information, and the ability to download and execute additional malware. The RATs are both commercially available in underground forums and are offered on a cheap Malware-as-a-Service (MaaS) subscription basis, available for as little as $10 per subscription — which keeps the potential criminal customer base of the Trojan variants large. “The use of various techniques such as steganography, storing payloads on legitimate cloud-based services, and exploiting DLL sideloading against a legitimate software makes these campaigns very difficult to detect,” commented Assaf Dahan, Cybereason head of threat research. “The sensitive information collected from the victims can be sold in the underground communities and used to carry out all manner of identity theft and financial fraud.”

    FBI: One type of scam is costing business the most

    Americans lost over $4.2 billion to cybercriminals and scammers in 2020, according to FBI figures based on complaints it received.  Over the year, the FBI’s Internet Crime Center (IC3) received 791,790 complaints of suspected internet crime, or about 300,000 more than it did in 2019 when the agency recorded estimated losses at more than $3.5 billion. 

    “In 2020, while the American public was focused on protecting our families from a global pandemic and helping others in need, cyber criminals took advantage of an opportunity to profit from our dependence on technology to go on an Internet crime spree,” the FBI says in its Internet Crime Report 2020.

    Once again, business email compromise (BEC) or email account compromise (EAC) were by far the biggest sources of reported losses, totaling $1.8 billion across 19,369 complaints. That’s up slightly from $1.77 billion in reported losses from 23,775 BEC complaints in 2019. Last year saw a steep rise in BEC complaints stemming from identity theft and funds being converted into cryptocurrency. The identity theft frequently occurred after a victim provided a form of ID to a tech support scammer or romance scammers. The stolen ID would be used to set up a bank account to receive stolen BEC funds and convert those to a less traceable cryptocurrency, according to IC3.

    The technique and switch to cryptocurrency differ from previous years when a senior executive’s email address may have been spoofed and used to instruct a subordinate to wire funds to the fraudster’s bank account.

    The FBI report notes that tech support fraud continues to be a growing problem, but recently victims have complained about criminals posing as customer support for banks, utility companies or virtual currency exchanges. While the pandemic caused a brief lull in this type of fraud, losses in this category grew to $146 million, or 171% more than losses from 2019. IC3 received 15,421 complaints from victims in 60 countries.

    Ransomware is the other threat that won’t go away. The IC3 received 2,474 complaints and reported losses of $29.1 million. The report, however, notes that this is an underestimate as it doesn’t account for victim reports made directly to FBI field offices and agents.

    “The FBI does not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered,” the FBI stresses in the report.

    The most common type of internet crime reported to IC3 was phishing (including vishing, smishing, and pharming), with 241,342 complaints. This was more than twice the number of phishing complaints IC3 received in 2019.

    Notable rises in reported losses from specific crime types when comparing years (2019 versus 2020) included: confidence fraud/romance ($475 million versus $600 million); corporate data breach ($53 million versus $129 million); investment fraud ($222 million versus $336 million); personal data breach ($120 million versus $194 million); ransomware ($8.8 million versus $29 million); and tech support ($54 million versus $146 million).

    Your insecure Internet of Things devices are putting everyone at risk of attack

    Insecure Internet of Things (IoT) devices are potentially putting society as a whole at risk from cyberattacks because cyber criminals are able to exploit these common products that haven’t been designed with any form of security in mind. IoT products have become a staple in many homes and places of work because they’re perceived as helpful to everyday life.

    However, many IoT devices get installed onto networks without proper security procedures in place, either because the user isn’t aware of how to boost the security of the device – for example, by changing the password – or the device doesn’t come with a password or options for securing it at all.

    In some cases, IoT devices are leaking data onto the internet because the vendor hasn’t properly configured security – whether by mistake, or because of a requirement to rush it out to the market without adding security by design. Either way, poor security in IoT devices can have major consequences.

    “It’s not even just the damage that it can cause to you from the exposure of your personal data; it’s the damage it can cause to really our whole society,” Craig Young, principal security researcher at Tripwire, told the ZDNet Security Update video series.

    “When you look back at IoT botnets – Mirai, for example – they’ve demonstrated that if you pull together all of these devices, you have some substantial resources”.

    Mirai caused major issues in 2016 when IoT devices infected with malware were roped into a botnet targeting online infrastructure provider Dyn with a massive DDoS attack, knocking a number of major services offline.

    Each individual IoT device only has a small amount of computing power, but an army of millions of devices all directing traffic towards a single target is a powerful tool for online disruption. And with so many IoT devices available and easy to find on the internet, it’s something that cyber criminals are looking to exploit.

    “What I do worry about is when you’ve got products that are little computers that are pulling down firmware updates from some company that can get hacked and have that firmware replaced with malware. That’s the doomsday scenario,” said Young.

    “There’s a lot of reason to believe that vendors really don’t take that infrastructure seriously; they’re rushing out the door with features and not taking the time to lay the groundwork for security,” he added.

    And while there are initiatives aimed at improving Internet of Things security, and information security researchers are attempting to find and disclose problems so they can be repaired, for now it remains an issue as insecure IoT devices are so readily available.

    “There are so many different companies in the IoT space and there are not enough security researchers going out of their way to work with them and fix these things,” said Young.

    Users can try to help ensure the IoT devices they install on their network are secure by, when possible, buying products by vendors that are known and trustworthy, rather than a cheap product from a vendor you’ve never heard of before. Users should also ensure that, when possible, the device isn’t secured with a default password.

    Intel, DARPA ink 3-year deal for custom, secure ASICs

    Intel and DARPA outlined a three-year partnership to develop and manufacture Application Specific Integrated Circuit (ASIC) processors as nations scramble to make secure semiconductors domestically. DARPA (U.S. Defense Advanced Research Projects Agency) and Intel said they will design custom chips that have security countermeasure technologies. The partnership is called Structured Array Hardware for Automatically Realized Applications (SAHARA).

    With cybersecurity and nation-state threats becoming common issues, countries are looking to put more manufacturing within their borders and secure the supply chain. Intel is the only advanced semiconductor manufacturer in the US. Under the partnership, Intel will supply its Intel eASIC structured ASIC technology with enhanced security. Defense and commercial electronics developers can then develop and deploy the processors. The chips are based on Intel’s 10nm semiconductor process.

    As for security, Intel will partner with the University of Florida, Texas A&M and University of Maryland to develop security countermeasure technologies. The aim is to bolster the protection of data and intellectual property against reverse engineering and counterfeiting. The universities will test the security of the processors. Last week, Intel and Microsoft said they have signed a deal to better secure data in cloud and virtual environments.

    Mimecast reveals source code theft in SolarWinds hack

    Mimecast has revealed the theft of its source code in a cyberattack linked to the SolarWinds breach. 

    According to Mimecast’s security incident disclosure, published on March 16, a malicious SolarWinds Orion update was used to access the company’s production grid environment. The cloud and email security firm said “a limited number of source code repositories” were downloaded during a cyberattack in January, but added that the company currently has “no evidence” that this code was maliciously modified or that the loss will impact any existing products.

    “We have no evidence that the threat actor accessed email or archive content held by us on behalf of our customers,” Mimecast says. “We believe that the source code downloaded by the threat actor was incomplete and would be insufficient to build and run any aspect of the Mimecast service.”

    Alongside the source code theft, some Mimecast-issued certificates and limited customer server connection datasets were compromised by attackers. Mimecast was made aware of a certificate security issue by Microsoft in January, which told the company a certificate used to authenticate Mimecast Sync and Recover, Continuity Monitor, and IEP was being exploited to target a small number of M365 tenants from non-Mimecast IP addresses. A new certificate connection was issued before Microsoft disabled the hijacked certificate on Mimecast’s request.

    In addition, the unidentified threat actors were able to access email addresses, contact information, and credentials, but the latter was encrypted or hashed/salted. The SolarWinds supply chain attack, first disclosed in December, has impacted thousands of enterprise and government organizations. Software vendor SolarWinds was breached and an update for its Orion software was infected with malware before being pushed to countless users — immediately creating a widespread supply chain-based chain of compromise. Mimecast and FireEye’s Mandiant team have been working together on an investigation of the security breach. According to the companies, the initial intrusion was made through Sunburst malware loaded alongside the malicious Orion update. Mimecast recommends that customers in the US and UK reset any server connection credentials used on the Mimecast platform as a “precautionary measure.” The cloud security firm says that hashed credentials are also being reset, and customers involved in the breach have been notified. Mimecast has also upgraded its encryption algorithm for stored credentials and has pulled SolarWinds Orion from its infrastructure. All impacted servers have been replaced. Microsoft estimates that the attack, suspected of being the handiwork of Russian state-sponsored group Nobelium, may have required the efforts of up to 1,000 engineers to create.

    Quantum computing breaking into real-world biz, but not yet into cryptography

    Quantum computing is ready for mainstream deployment, where it already is being tapped to resolve real-world business challenges. Use of the technology to crack cryptography and encryption codes, however, still has some ways to go.

    In particular, D-Wave Systems CEO Alan Baratz believes it can take at least another decade before factoring will be viable on quantum computing systems and used to undermine current cryptographic tools. And this was likely the case whether the gate-based system, along with its volatile error correction, or D-Wave’s annealing technology was tapped to factor the large code volumes used in cryptography tools, Baratz said in a video call with ZDNet. That said, D-Wave had an internal security team that monitored activities on its systems, he revealed, whilst acknowledging that it was still too soon to determine the types of hacking tools that could or had been created on quantum computers.

    The Canadian quantum computing vendor does not specifically focus on cryptography, but its technology has been used to power intrusion and threat detection applications. It also has presence in the US, UK, and Japan, where it has 20 paying customers in the Asian market. Its cloud-based Leap quantum computing application is available in Singapore via Amazon Web Services (AWS). A Deloitte Consulting report echoed Baratz’s views, stating that quantum computers would not be breaking cryptography or run at computational speeds sufficient to do so anytime soon. However, it said quantum systems could pose a real threat in the long term and it was critical that preparations were carried out now to plan for such a future. On its impact on Bitcoin and blockchain, for instance, the consulting firm estimated that 25% of Bitcoins in circulation were vulnerable to a quantum attack, pointing in particular to the cryptocurrency that currently were stored in P2PK (Pay to Public Key) and reused P2PKH (Pay to Public Key Hash) addresses. These potentially were at risk of attacks as their public keys could be directly obtained from the address or were made public when the Bitcoins were used. 

    Deloitte suggested a way to plug such gaps was post-quantum cryptography, though these algorithms could pose other challenges to the usability of blockchains. Adding that this new form of cryptography currently was assessed by experts, it said: “We anticipate that future research into post-quantum cryptography will eventually bring the necessary change to build robust and future-proof blockchain applications.”

    Mathematician Peter Shor in 1994 published a quantum formula that he said could break most common algorithms of asymmetric cryptography. It suggested that, given a large enough quantum computing system, the algorithm could be used to identify a private key that matched its corresponding public key to impersonate digital signatures.

    A team of engineers and researchers in Singapore last year also announced plans to tap quantum cryptography technology to enhance network encryption tools, so these could be ready to mitigate security risks when quantum computing became mainstream. Specifically, they were looking to use “measurement-device-independent” quantum key distribution (MDI QKD) technology and hoped their research could pave the way to a new class of “quantum-resilient encryptors”.

    Quantum ready for mainstream enterprise application

    While the technology has yet to break cryptography, quantum computing is ready for mainstream adoption and already is tapped to address real-world enterprise challenges. Pointing specifically to D-Wave’s proprietary annealing technology, Baratz said this allowed quantum computing to scale more easily and be less sensitive to noise and computational errors, to which gate-based systems were prone. Currently in its fifth generation, D-Wave’s quantum computers clock more than 5,000 qubits and are capable of supporting commercial rollout “at commercial scale”, he said. This, he added, was a stage that no other market players had been able to achieve thus far with the gate-based model.
    Commonly adopted in the industry today, the gate system made quantum computers tough to build and sensitive to error. Its most stable state currently generated about 30 qubits, which was sufficient to power mostly research work and unlikely to be used to solve business problems at scale for another seven to 10 years, he said. “Error rates on [gate-based systems] are so high you can’t really do anything with them, even with small problems,” he added, noting that a competitor last year said it was able to solve a specific optimisation problem on its quantum computer. However, this was possible once out of every 100,000 attempts, he said.

    Quantum computing runs on principles of quantum mechanics that include probabilistic computation. Baratz said annealing technology, designed specifically for optimisation purposes, had a higher influence on the probability of outcomes and, hence, was less sensitive to errors. It also learnt from where it ended with the previous computation to finetune future ones.

    “When you lose coherence, you end up with garbage. With annealing, when you lose coherence, you settle into a [potential] solution and restart the computation to try and improve the solution,” he said. The gate-based model, in comparison, could not do that since it would lose coherence after every computation rather than pick off from the previous run.

    A grocery using D-Wave to enhance a portion of the customer’s logistics system was able to solve an optimisation problem in two minutes per week per location, where previously it took 25 hours per week per location, he noted. There currently are more than 20,000 developers worldwide that have signed up to access Leap, with some 1,000 regularly using the service each month. Paying customers fork out an estimated $2,000 an hour to run computations on D-Wave computers.
    Baratz noted, though, that its systems could not solve all quantum computing issues because annealing was designed specifically to solve optimisation problems, which were common challenges for businesses. Gate-based systems, on the other hand, would be able to solve any computation problems once the error rates were reduced — something he said likely would not actualise for at least another seven years.

    So while D-Wave’s annealing-powered quantum computers were limited to solving optimisation problems, they were capable of solving real-world business challenges today, he said. Its systems also were on a path to building a universal error correction system by leveraging the technology it had, he added. To date, more than 250 applications had been built with D-Wave systems, most of which used Leap and spanned various use cases including financial modelling, scheduling, protein folding, and manufacturing optimisation, the vendor said.

    Singapore bank turns on face verification at ATMs

    OCBC Bank has turned on face verification at selected ATMs across Singapore, letting its customers authenticate their identity without the need for an ATM card. Access, though, currently is limited to balance queries, before other transactions are added to the mix at a later stage. Facial biometrics are available at eight ATMs in the city-state, including at the local bank’s main branches in Tampines, in CBD, and at a convenience store. For now, OCBC customers will only be able to use the authentication option to check their account balance, according to a statement released Thursday. The Singapore bank said access would be expanded to include cash withdrawals “progressively”, but gave no timeline on when this would be. After this was added to the list of services accessible via face verification, it said others would be introduced from next year including cash deposits, funds transfers to other banks, cashcard top-ups, and credit card bill payments. OCBC noted that balance queries and cash withdrawals were the two most used services at its ATMs, accounting for almost 8 in 10 transactions carried out at these machines in Singapore. 

    The feature is powered by the government’s SingPass Face Verification system, where an individual’s scanned face is verified against the national biometric database comprising images and identities of more than 4 million local residents. The technology is embedded with security features that the Singapore government says safeguard against fraud, such as liveness detection capabilities to detect and block the use of photographs, videos, or masks during the verification process.

    The option to verify a customer’s identity through facial biometrics also bypassed the need for ATM cards, which could be skimmed or stolen, OCBC said. Customers keen to use the feature would be prompted to enter their identification number before positioning their face within a frame on the screen. The eight selected ATMs were armed with a pre-installed web-enabled camera that would take a scan of the customer’s face and verify it in real-time against the national database, to which OCBC’s ATM was digitally linked. Once verified, the customer would be allowed to proceed with their transaction.

    Noting that consumers here, including the elderly, were avid digital adopters, the bank’s Singapore head of consumer financial services Sunny Quek said: “While cash is still a key mode of payment in Singapore, the digital overlay to get cash is very welcomed by consumers.”

    He noted that digital adoption within OCBC had grown more than 40% last year, with more customers signed up on the country’s digital e-payment system PayNow, and PayNow transactions doubling, compared to 2019. QR code cash withdrawals at the bank’s ATMs, launched in July 2019, also grew 88% year-on-year in 2020, Quek said, adding that the introduction of face verification provided another layer of convenience for customers who accessed the bank’s touchpoints.

    According to OCBC, ATM use remained high amongst its customers even amidst high adoption of digital banking services, at more than 2 million cash withdrawals a month. It noted that more than 200,000 customers made their first digital banking transactions last year. Its mobile banking app also clocks more than 7 million logins each month via face or fingerprint biometric authentication. Since including SingPass as a login option for its customers last July, OCBC said more than 1 million logins on its digital banking platforms were carried out using the e-government system, instead of access codes and PINs.

    CyberCX uses local 2020 cyber victims list to light a fire under both Aussies and Kiwis

    Australia and New Zealand cyber megamix CyberCX is hoping to fill the gap left by global security firms, focusing locally to forge ahead with a more regionally appropriate response to countering cyber threats.

    In its Annual Threat Assessment report, CyberCX, the group of security companies headed by two of Australia’s most experienced technology and cyber veterans, has offered a handful of recommendations for businesses operating in Australia and New Zealand, with the first, under the banner “strategic”, encouraging the development of an incident response plan.

    “The faster an organisation can detect and respond to an incident, the less likely the incident is to have a significant impact on data, customer trust, operations, reputation, and revenue,” it said.

    Although obvious, the report drums in the importance of educating and training staff on practices such as good cyber hygiene, creating a security culture, as well as creating and maintaining a consistent, up-to-date cybersecurity policy suite.

    CyberCX, backed by private equity firm BGH Capital, was formed a little over one year ago when it brought together 12 of Australia’s independent cybersecurity brands: Alcorn, Assurance, Asterisk, CQR, Diamond, Enosys, Klein&Co, Phriendly Phishing, Sense of Security, Shearwater, TSS, and YellIT.

    It is headed by Alastair MacGibbon, former head of the Australian Cyber Security Centre and once special adviser on cybersecurity to former Prime Minister Malcolm Turnbull, as well as CEO John Paitaridis, who was formerly Optus Business’ managing director.

    Since launch, CyberCX has gone on an expansion spree, scooping up a number of local cybersecurity startups simultaneously. In its report, CyberCX encouraged the use of local cybersecurity firms.

    “Using Australian and New Zealand cybersecurity vendors drives innovation at home and boosts jobs in the local cybersecurity market. Local vendors offer cybersecurity solutions of global calibre and at the same time provide the added benefit of a local perspective,” it wrote.

    “Analysis tailored specifically to the Australia-New Zealand context is often missing from international vendors, many of which tend to be US-centric.”

    The next item on its checklist is “technical” and includes practices such as securing the attack surface, increasing network visibility, implementing end-point controls, adopting multi-factor authentication, and adopting the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework.

    “Australian and New Zealand organisations remain attractive targets for a range of cyber threat actors,” MacGibbon added in his foreword. “Over the past year, we have seen prominent organisations and agencies suffer incidents, and cyber crime soar off the back of COVID-19 … the threat actors involved in these incidents have been both financially motivated cyber criminals and state-sponsored groups.”

    2020 victim list

    The report also details cyber incidents that occurred in the region in 2020. Here’s the timeline of some of the biggest incidents from Australia and New Zealand:

    In January, Australian logistics provider Toll Group was infected by Netwalker ransomware affecting its entire global infrastructure.

    In March, the Australian branch of car-auction house, Manheim Auctions, similarly falls victim to ransomware.

    Intrusion activity is targeted against COVID-19 research in Australian, US, UK, Spanish, South Korean, and Japanese laboratories in April, while Toll Group suffers its second ransomware incident, this time caused by the Nefilim malware.

    In May, Service NSW reported it was the victim of a phishing attack that compromised the information of 186,000 customers through the accessing of 47 staff email accounts. BlueScope Steel also experienced a ransomware incident triggering manual processes, but resulting in no material impact to operations.

    The same month, a man was prosecuted for carrying out DDoS attacks against two Australian retail and telecommunications entities in 2019.

    In June, food and beverage company Lion, with operations in Australia and New Zealand, suffered a ransomware incident, shutting down IT systems and causing disruption to suppliers and customers.

    Also in June, a spam campaign distributed banking trojan RM3, targeting Australia-based financial institutions, and New Zealand whitegoods manufacturer, Fisher & Paykel, was struck by Nefilim ransomware, impacting its manufacturing and distribution operations.

    A research company in New Zealand experienced a privacy breach in July that compromised the contact details of people who called the police.

    Australian provider Regis Healthcare in August suffered a Maze ransomware incident resulting in a breach of client data, while the New Zealand Stock Exchange (NSX) suffered sustained DDoS attacks impacting network connectivity and trading for four days.

    In September, misconfiguration at the University of Tasmania caused personally identifiable information of 20,000 students to be leaked through SharePoint to the entire staff and student body; while ransomware operators exfiltrated 17GB of sensitive data from aged care provider Anglicare Sydney.

    MetService, the meteorological service of New Zealand, also experienced a DDoS attack in September, resulting in no notable loss of performance after all web traffic was redirected to a secured back-up site.

    French maritime shipping giant CMA CGM’s offices in China were also hit by Ragnar Locker ransomware causing significant shipping delays in Australia.

    Australian media-monitoring company Isentia disclosed a ransomware intrusion in October that reportedly cost at least AU$7 million.

    Facilities service provider Spotless also experienced a ransomware incident during merger and acquisition activity by Downer, while an Australian gas producer, retailer, and distributor disclosed that it recently discovered a data breach that occurred in 2014 on a third-party software system.

    Law In Order, an Australian supplier of document and digital services to law firms, suffered a Netwalker ransomware incident a month later in November. At the same time, Nexia, a network of solutions-focused accountancy and consultancy firms in Australia and New Zealand, suffered a REvil ransomware incident.

    Ending the year, New Zealand-based financial services firm Staircase suffered a Netwalker ransomware incident in December, which saw personal information belonging to its clients published on multiple dark web forums after the company failed to pay the ransom within the designated timeframe.

    A breach of 2.6 million email addresses and hashed passwords from Nitro PDF then exposed 4,000 .nz email addresses. The effects of one of the largest supply chain attacks in history were felt by Aussies and Kiwis, respectively, with SolarWinds customers including entities in the government, technology, healthcare, research, and extractive sectors in North America, Europe, Asia, and the Middle East. Lastly, multiple Australian and New Zealand organisations were compromised through an exploit of Accellion File Transfer Appliance software.

    Transport for New South Wales (TfNSW) confirmed being affected, as did the Australian Securities and Investments Commission (ASIC) and the Reserve Bank of New Zealand.