More stories


    Ursnif Trojan has targeted over 100 Italian banks

    The Ursnif Trojan has been traced back to attacks against at least 100 banks in Italy. 

    According to Avast, the malware’s operators have a keen interest in Italian targets and attacks against these banking institutions have led to the loss of credentials and financial data.
    The cybersecurity firm said on Tuesday that at least 100 banks have been targeted, based on information gathered by the researchers. 
    In one case alone, an unnamed payment processor had over 1,700 sets of credentials stolen. 
    Avast found usernames, passwords, credit card, banking, and payment information that appears to have been harvested by the malware. 
    First discovered in 2007, Ursnif began its journey as a simple banking Trojan. The information stealer’s code was leaked on GitHub and has since evolved into something more sophisticated, developed independently and also appearing as part of the Gozi banking malware. 
    Ursnif is usually spread via phishing emails — such as invoice requests — and attempts to steal financial data and account credentials. 

    Darktrace researchers documented a 2020 campaign in which the malware was used in an attack against a US bank. A phishing email was sent to an employee who unwittingly opened a malicious attachment and accidentally downloaded an executable file pretending to be a .cab extension. 
    This file called out to command-and-control (C2) servers registered in Russia only a day prior to the launch of the campaign — and, therefore, the IPs were not blacklisted at the time of infection. A recent obfuscation technique noted in this attack was the use of User Agents imitating Zoom and Webex to try and hide in network traffic.
    Darktrace has also tracked the malware in attacks against organizations in the US and Italy. 
    Avast has shared its findings with the victim banks the company was able to identify, alongside CERTFin Italy, a financial services data exchange managed by the Bank of Italy and the Italian Banking Association (ABI).


    Google takes next steps towards 'privacy-first' web devoid of third-party cookies

    Google is opening up its alternative ad-targeting tool for public tests, taking its next steps towards creating a “privacy-first” online world devoid of third-party cookies and with stronger controls over how personal data should be collected and used. It hopes the tests will offer deeper insights on how well the interest-based targeting tool will work in diverse regions such as Asia.
    Fuelled by a goal to deliver more relevant ads to consumers, businesses worldwide had been collecting voluminous user data typically via third-party cookies. This had eroded consumer trust, David Temkin, Google’s director of product management for ads privacy and trust, said in a blog post Wednesday.
    Citing research from Pew Research Centre, Google said 72% of consumers believed almost everything they did online was tracked by advertisers, tech companies, and other organisations. Another 81% said potential risks they faced due to the data collection outweighed the benefits.
    In fact, 40% would stop buying services from a company over privacy concerns and there had been a 50% spike year-on-year in searches for online privacy.
    Temkin said: “If digital advertising doesn’t evolve to address the growing concerns people have about their privacy and how their personal identity is being used, we risk the future of the free and open web.”
    This pushed the US tech giant to put together a two-year plan to phase out third-party cookies, which included working with industry players, publishers, and marketers on its Privacy Sandbox initiative to come up with tools that could strike a better balance between user privacy and ad revenue.

    Excluded from such efforts were any attempts to build alternative identifiers to track users as they browsed the web, he said, stressing that Google had no plans to use these in its products. 
    “Instead, our web products will be powered by privacy-preserving APIs that prevent individual tracking while still delivering results for advertisers and publishers,” he added. “People shouldn’t have to accept being tracked across the web in order to get the benefits of relevant advertising and advertisers don’t need to track individual consumers across the web to get the performance benefits of digital advertising.”
    In particular, Google believes a technology it built offered a viable alternative to third-party cookies by grouping or “hiding” individuals amongst large crowds of people who shared similar interests.
    Called Federated Learning of Cohorts (FLoC), the platform removed the need for individual identifiers whilst still enabling brands to reach people with relevant content and ads by targeting clusters of people with common interests. It would help keep an individual’s web history private.
    Google said its tests so far indicated that FLoC yielded a conversion rate of at least 95% for every ad dollar, compared to cookie-based advertising. Results varied according to the clustering algorithm the FLoC used and types of audience targeted. 
    Asked whether it would work as well in diverse markets such as Asia, Google told ZDNet that this was what it now hoped to determine by opening up the tool for pilots.
    The US tech giant said it would release FLoC for developer trials later this month, before extending the tests to include advertisers on Google Ads next quarter.
    In addition, it would introduce its first iteration of new user controls next month with simple “on/off” options in its Chrome 90 release, with plans to expand these controls in future releases.
    Commenting on scepticism that these efforts simply were attempts to create a walled garden, Google noted that it, too, would be impacted by the change since several of its own products including Google Ads and Display & Video 360 tapped cookies.
    It added that Chrome had a responsibility to protect the privacy of its users as they accessed content via the web browser and, at the same time, believed in an ad-supported ecosystem. It said both could be achieved by working with advertisers, brands, and industry players to roll out alternative technology that did not track individuals.
    It acknowledged that some organisations could continue to circumvent efforts to do so, for example, by using fingerprinting and other tracking devices to identify individuals.
    It urged brands to build on their first-party data as a way to improve their engagement with consumers. Citing its commissioned research with Boston Consulting Group, Google said brands in Asia that used first-party data to create personalised experiences achieved on average 11% higher incremental annual revenue and 18% more cost savings.
    It added that organisations could still deliver personalised engagement through contextual-based ads, tapping anonymised and first-party data and without impacting user privacy. 
    Temkin said: “Developing strong relationships with customers has always been critical for brands to build a successful business and this becomes even more vital in a privacy-first world. We will continue to support first-party relationships on our ad platforms for partners, in which they have direct connections with their own customers, and we’ll deepen our support for solutions that build on these direct relationships between consumers and the brands and publishers they engage with.”
    He added that third-party cookies and any technology that tracked individuals should be eradicated to maintain an “open and accessible” internet in which user privacy was safeguarded.  
    Temkin said: “There is no need to sacrifice relevant advertising and monetisation in order to deliver a private and secure experience.”
    Google noted that cookies-based ad delivery would continue to be used on its platforms until next year, after its new tools were fully tested and ready for rollout.


    Microsoft account hijack vulnerability earns bug bounty hunter $50,000

    Microsoft has awarded a bug bounty hunter $50,000 for disclosing a vulnerability leading to account hijacking. 

    In a blog post on Tuesday, researcher Laxman Muthiyah said the security flaw could “have allowed anyone to take over any Microsoft account without consent [or] permission.” 
    However, as noted in a discussion concerning the report, this may only apply to consumer accounts.
    Muthiyah previously found an Instagram rate limiting bug that could lead to account takeover and applied the same tests to Microsoft’s account protections. 
    In order to reset a password for a Microsoft account, the company requires an email address or phone number to be submitted through a “Forgotten Password” page. A seven-digit security code is then sent as a method of verification and needs to be provided in order to create a new password. 
    Utilizing a brute-force attack to obtain the seven-digit code would lead to password resets without the account owner’s permission. However, to stop these attacks in their tracks, rate limits, encryption, and checks are imposed. 
    After examining Microsoft’s defenses, Muthiyah was able to “work out” the company’s encryption and “automate the entire process from encrypting the code to sending multiple concurrent requests.”

    An experiment involved 1000 code attempts being sent but only 122 were processed — whereas the others resulted in an error and further requests from the test account were blocked. 
    By sending simultaneous requests, however, the bug bounty hunter was able to circumvent both encryption and the blocking mechanism — as long as there was no delay in requests, as even a few “milliseconds” was enough for requests to be detected and blacklisted, according to the researcher.
    Muthiyah was able to tweak his attack by way of parallel processing, which sends all requests at the same time without any delay, and successfully obtain the correct code. 
    However, in real-world scenarios, this attack vector is not a simple one. To bypass one seven-digit code would take heavy computing power, and if combined with the need to also break an accompanying 2FA code — when this feature is enabled on a target Microsoft account — this could require millions of requests in total. 
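The bypass described above only works against a limiter that reads the attempt counter, compares it against the limit, and then increments it as separate steps, so a burst of simultaneous requests can all pass the check before any increment lands. As an added example that is not from the article or from Microsoft's own implementation, the Python below shows that check-then-act pattern beside a version that performs the check and the increment atomically under a lock; the account name, the limit of five attempts and the thread-based burst are all constructed for the demonstration.

```python
import threading
import time


class RacyAttemptLimiter:
    """Per-account attempt counter with a check-then-act race (constructed flawed pattern).

    The read of the counter and the write of counter + 1 are separate steps,
    so concurrent callers can all observe a value below the limit before any
    of them has recorded its attempt.
    """

    def __init__(self, limit=5):
        self.limit = limit
        self.attempts = {}

    def try_attempt(self, account):
        count = self.attempts.get(account, 0)
        if count >= self.limit:
            return False          # blocked: limit already reached
        time.sleep(0)             # yield here to widen the window for the demo only
        self.attempts[account] = count + 1
        return True               # processed: verification code would be checked


class SafeAttemptLimiter:
    """Same policy, but the check and the increment happen as one critical section."""

    def __init__(self, limit=5):
        self.limit = limit
        self.attempts = {}
        self.lock = threading.Lock()

    def try_attempt(self, account):
        with self.lock:           # no other caller can interleave between check and write
            count = self.attempts.get(account, 0)
            if count >= self.limit:
                return False
            self.attempts[account] = count + 1
            return True


def hammer(limiter, account, n_requests):
    """Fire n_requests at once (a barrier releases every thread together) and
    return how many the limiter processed. Mimics the zero-delay burst."""
    results = [False] * n_requests
    barrier = threading.Barrier(n_requests)

    def worker(i):
        barrier.wait()
        results[i] = limiter.try_attempt(account)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    account = "victim@example.test"   # constructed account name
    racy = hammer(RacyAttemptLimiter(limit=5), account, 200)
    safe = hammer(SafeAttemptLimiter(limit=5), account, 200)
    print(f"racy limiter processed {racy} of 200 concurrent attempts (limit 5)")
    print(f"safe limiter processed {safe} of 200 concurrent attempts (limit 5)")
```

The safe limiter processes exactly the permitted number of attempts no matter how the burst is timed; the racy one may process far more, depending on how the interpreter schedules the threads. The same property has to hold for a real deployment's shared store, where the atomic step is typically a conditional increment in the database or cache rather than an in-process lock.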
    Muthiyah reported his findings and sent Microsoft a Proof-of-Concept (PoC) video as evidence. The bug bounty hunter said that the tech giant was “quick in acknowledging the issue” and a patch was issued in November 2020. 
    The vulnerability was assigned a severity rating of “important” by Microsoft — due to the complexity of triggering exploits through the bug — and was described as an “elevation of privilege (including multi-factor authentication bypass),” according to an email screenshot shared by Muthiyah. 
    The bug bounty award of $50,000 was issued on February 9 via the HackerOne bug bounty platform, a partner for distributing rewards. Microsoft offers between $1,500 and $100,000 for valid bug reports. 
    “I would like to thank Dan, Jarek, and the entire MSRC Team for patiently listening to all my comments, providing updates, and patching the issue,” Muthiyah commented.
    The Microsoft Security Response Center thanked the researcher for his findings. 
    In related Microsoft news, the Redmond giant has recently issued emergency patches to address four zero-day vulnerabilities impacting Exchange Server. 
    ZDNet has reached out to Microsoft for further comment and will update when we hear back. 


    Google patches actively exploited Chrome browser zero-day vulnerability

    Google has warned of reports that a zero-day vulnerability in the Chrome browser is being actively exploited in the wild.

    The vulnerability, tracked as CVE-2021-21166, was reported by Alison Huffman from the Microsoft Browser Vulnerability Research team on February 11 and is described as an “object lifecycle issue in audio.” 
    Google has labeled the vulnerability as a “high” severity security flaw and has fixed the issue in the latest Chrome release.  
    Alongside CVE-2021-21166, Huffman also recently reported another high-severity bug, CVE-2021-21165, a further object lifecycle issue in audio, and CVE-2021-21163, an insufficient data validation issue in Reader Mode. 
    The tech giant has not revealed further details concerning how CVE-2021-21166 is being exploited, or by whom. 
    Google’s announcement, published on Tuesday, also marked the release of Chrome 89 to the stable desktop channel for Windows, Mac, and Linux machines, which is currently rolling out. Users should upgrade to Chrome 89.0.4389.72 once available. 
    The Chrome 89.0.4389.72 release also contains a swathe of other security fixes and browser improvements. In total, 47 bugs have been patched, including a high-severity heap buffer overflow in TabStrip (CVE-2021-21159), another heap buffer overflow in WebAudio (CVE-2021-21160), and a use-after-free issue in WebRTC (CVE-2021-21162). A total of eight vulnerabilities are considered high-severity.

    “Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google added. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”
    On February 4, Google pushed out a fix for CVE-2021-21148, a heap buffer overflow in the Chrome V8 JavaScript engine which is also being actively exploited. This high-severity security flaw was reported by Mattias Buelens on January 24. 
    This week, Microsoft released urgent updates for four zero-day vulnerabilities in Exchange Server. Microsoft says the bugs are being exploited in “limited targeted attacks” and is urging users to update as quickly as possible. 



    Microsoft: These Exchange Server zero-day flaws are being used by hackers, so update now

    Microsoft has released updates to address four previously unknown or ‘zero-day’ vulnerabilities in Exchange Server that were being used in limited targeted attacks, according to Microsoft. 
    Microsoft is urging customers to apply the updates as soon as possible due to the critical rating of the flaws. The flaws affected Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. Exchange Online is not affected. 
    “We strongly encourage all Exchange Server customers to apply these updates immediately,” it said. 


    Microsoft attributes the attacks to a group it calls Hafnium, which it says is a state-sponsored threat actor that operates from China.  
    The attackers used the bugs in on-premise Exchange servers to access email accounts of users. The four bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. 
    Washington DC-based security firm Volexity said in its analysis that the vulnerability CVE-2021-26855 was being used to steal the full contents of several user mailboxes. The bug didn’t require authentication and could be exploited remotely. 

    “The attacker only needs to know the server running Exchange and the account from which they want to extract e-mail,” Volexity analysts noted. 
    Volexity said the attacks appear to have started as early as January 6, 2021.
    Exchange email servers are an attractive target due to the volume of email information they hold about an organization.
    Last year, Microsoft warned Exchange server customers to patch a different critical flaw (CVE-2020-0688) that multiple advanced persistent threat actors were quick to exploit. Yet months after Microsoft warned organizations to urgently patch this flaw, tens of thousands of Exchange servers remained unpatched.  
    Microsoft is concerned it could see the same scenario play out again with this set of Exchange server vulnerabilities. 
    “Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems. Promptly applying today’s patches is the best protection against this attack,” said Tom Burt, Microsoft’s corporate vice president of Customer Security & Trust.
    Hafnium mainly targets US entities in infectious disease research, law firms, higher education institutions, defense contractors, policy thinktanks, and NGOs, according to Microsoft. The group also primarily operates from leased virtual private servers (VPS) in the United States, it added. 
    Microsoft provided the following summary of each vulnerability for customers to assess: 
    CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
    CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave Hafnium the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
    CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If Hafnium could authenticate with the Exchange server, then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
    CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If Hafnium could authenticate with the Exchange server, then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
    After compromising the affected Exchange servers, the attackers deployed web shells on them, allowing for potential data theft and further compromise. Web shells are small scripts that provide a basic interface for remote access to a compromised system. Microsoft warned in February that between August 2020 and January 2021, it had seen twice as many web shell attacks as in the same period the year before.


    SEC charges group for alleged pump-and-dump Airborne Wireless stock scam

    The US Securities and Exchange Commission (SEC) has charged seven individuals in connection to an alleged pump-and-dump stock scheme. 

    On March 2, SEC said that investors in a technology company were defrauded out of $45 million through the scam, in which Kalistratos “Kelly” Kabilafkas secretly controlled Simi Valley, Calif.-based Airborne Wireless Network, a publicly-traded company. 
    Kabilafkas quietly purchased “essentially all the outstanding stock” of a shell company, Ample-Tee, which became Airborne Wireless in 2016. 
    Shares were then distributed to other parties. In total, “millions” of shares were carved up and brokerages were “deceived” into transferring shares into other participants’ names, dumping them into brokerage accounts, and then selling them on to other investors. 
    SEC has named other alleged participants in the scheme. Timoleon “Tim” Kabilafkas is Kelly’s father; Chrysilios Chrysiliou allegedly provided the funds for Kelly to purchase the Ample-Tee shell; Panagiotis Bolovis is Kelly’s brother-in-law, and Moshe Rabin has been connected to the alleged deposit and sale of Airborne Wireless stock. Eric Scheffey, another claimed share recipient, was also named in the complaint. 
    The group operated a scheme between August 2015 and roughly May 2018, together with the help of Airborne Wireless executive Jack Daniels, to inflate the share price of Airborne Wireless and promote the stock — all while hiding the firm’s true control structure. 
    Daniels is described by SEC as a “nominee” chief executive, while Kabilafkas truly held the power in the company.

    According to the complaint (.PDF), millions of dollars were spent on advertisements to push up share prices — before the defendants allegedly dumped their stock on an unwitting market. SEC says they were able to make $23 million in profit. 
    SEC alleges that “much” of the profit “was kicked back to benefit the Kabilafkas family.” The proceeds were allegedly used to purchase Californian real estate to generate a rental income, resolve tax liabilities, and to purchase luxury cars.
    At the same time, the company also raised $22.8 million in funds from investors, through public and private offerings, based on allegedly “false and misleading statements.” 
    “At no time during the scheme did Kabilafkas, Airborne, or Daniels disclose Kabilafkas’s role as a control person or the fact that, while Airborne was raising money from investors, he and his associates were dumping millions of shares into the public market,” US prosecutors claim. 
    The complaint has been filed in the US District Court for the Southern District of New York and charges each alleged participant with antitrust violations within federal securities laws. 
    SEC is pursuing civil penalties, the disgorgement of any financial gains considered fraudulent — as well as interest — and injunctions. 
    One of the defendants, Rabin, has agreed to settle without admitting or denying the agency’s claims. If approved by the court, Rabin faces a $125,000 penalty and a penny stock bar. 
    “Kabilafkas orchestrated a wide-ranging scheme to deceive gatekeepers, conceal from investors the true ownership of a public company, and then manipulate the company’s stock,” said Jennifer Leete, Associate Director of the SEC’s Enforcement Division. “The SEC is committed to unraveling frauds to protect investors.”


    This dangerous ransomware is using a new trick to encrypt your network

    A new version of Ryuk ransomware is equipped with an additional worm-like capability to spread itself around infected networks, potentially making it even more dangerous than it was before.
    Ryuk is one of the most prolific forms of ransomware, with its cyber-criminal operators thought to have made over $150 million in Bitcoin ransom payments from victim organisations around the world.


    Like other forms of ransomware, Ryuk encrypts a network, rendering systems useless and the cyber criminals behind the attack demand a payment in exchange for the decryption key. This demand can stretch into millions of dollars.
    Ryuk has become one of the most successful families of ransomware – and it’s regularly updated in order to maintain its effectiveness.
    Now France’s national cybersecurity agency – Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI), translated into English as National Agency for the Security of Information Systems – has detailed how the latest version of Ryuk is able to self-replicate itself over a local network.
    The ransomware can propagate itself across the network using Wake-on-LAN, a feature that enables Windows computers to be turned on remotely by another machine on the same network. By spreading to every reachable machine on the network, the Ryuk attack can be much more damaging.

    This capability was discovered while ANSSI was responding to an unidentified Ryuk ransomware incident earlier this year.
    The ANSSI paper warns that Ryuk remains particularly active and that “at least one of its operators attacked hospitals during a pandemic”.
    Hospitals appear to have been a particular target for Ryuk ransomware attacks, despite – or perhaps because of – the ongoing COVID-19 pandemic, with access to networks vital for patient care. And given the ongoing situation, some hospitals are giving in to ransom demands, perceiving that approach to be the simplest way to keep treating patients – although even paying the ransom doesn’t guarantee a smooth restoration of the network.
    Ryuk is commonly delivered to victims as the final stage of multi-stage attacks, with networks initially compromised with Trickbot, Emotet or BazarLoader – often by phishing attacks. Those compromised networks are then passed on or leased out to the Ryuk gang in order to infect them with ransomware.
    Often, the initial compromise of networks to install malware takes advantage of organisations not applying patches against known vulnerabilities.
    Therefore, one of the key things an organisation can do to help protect itself against cyberattacks is to ensure the latest security updates are applied across the network as soon as possible after release, particularly when it comes to critical vulnerabilities.
    Organisations should also regularly back up the network – and store those backups offline – so that in the event of falling victim to a ransomware attack, the network can be recovered without giving in to the demands of cyber criminals.



    New app rollout helps reduce paperwork for NSW frontline child protection caseworkers

    The New South Wales government has announced the state-wide rollout of a new app designed to help frontline child protection caseworkers reduce paperwork so they can spend more time supporting vulnerable children.
    ChildStory Mobile is a modified version of the ChildStory desktop system used by the Department of Communities and Justice for child protection and out-of-home care. It enables caseworkers to complete home visit records and upload files, access client information, complete safety assessments, and instantly create digital safety plans that can be signed and shared with families.
    “This Australian-first app will provide caseworkers with real-time access to vital information, allowing faster responses and better outcomes for vulnerable kids,” Minister for Families, Communities and Disability Services Gareth Ward said.
    In addition, the department has signed a four-year deal with the CSO Group, valued at AU$16 million, for the delivery of new cybersecurity solutions for the cloud, endpoint, and email.
    Under the deal, CSO Group will deliver an integrated managed security service designed to deliver insights and protection for the department.
    Meanwhile, New South Wales Police has signed New York-based Mark43 to become what it has dubbed its “designated” technology partner that will see it provide and implement the call-taking, dispatch, records, investigations, and forensics components of the new Integrated Policing Operations System (IPOS) for the force.
    The partnership between the pair was initially forged last April when the force said it would adopt the company’s cloud-based records management software and its computer-aided dispatch system, through Unisys Australia.

    At the end of last year, the force, together with Mark43 and Unisys, said it would be kicking off its mainframe modernisation project that will see the force’s central database, which is used for everyday operations, including logging criminal incidents to intelligence gathering, and pressing charges, be replaced with the new IPOS. The project is expected to take five years to complete and will be carried out in three phases. 