More stories


    North Korean hacking group allegedly behind breach of South Korean nuclear institute

    Recorded Future
    A North Korean hacking group with a history of high-profile attacks against South Korea allegedly breached the network of South Korea’s state-run nuclear research institute last month. Representative Ha Tae-keung of the People Power Party, South Korea’s main opposition party, claimed 13 unauthorised IP addresses accessed the internal network of Korea Atomic Energy Research Institute (KAERI) on May 14. Some of the addresses could be traced back to Kimsuky, a North Korean cyber espionage group, Ha claimed. “If the state’s key technologies on nuclear energy have been leaked to North Korea, it could be the country’s biggest security breach, almost the same level as a hacking attack by the North into the defense ministry in 2016,” the lawmaker said. According to the US Cybersecurity and Infrastructure Security Agency, Kimsuky is an advanced persistent threat group likely tasked by the North Korean regime with a global intelligence-gathering mission, with a focus on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions. Prior to its alleged attack against KAERI, the group was thought to have been installing malware inside documents detailing South Korea’s response to the COVID-19 pandemic in 2020. The group is also thought to be behind a series of phishing attacks in 2019 against the South Korean police and Ministry of Unification. Kimsuky’s most notorious cyber attack was made in 2014 against Korea Hydro & Nuclear Power, South Korea’s nuclear and hydroelectric utility.

    In response to Ha’s claims, KAERI issued a statement saying an unidentified outsider had accessed parts of its system using weaknesses in its virtual private network (VPN). The institute then blocked the intruder’s IP address and updated the security of its network, it said. It has since been working with authorities to investigate the scope of the damage and who was behind the attack, KAERI added. KAERI officials were unavailable for further comment.

    On Sunday, local media reports claimed that Daewoo Shipbuilding & Marine Engineering, a supplier of ships and submarines to the South Korean military, has been suffering cyber attacks since last year from groups thought to be run by North Korea. The Defense Acquisition Program Administration, a subagency of the Ministry of National Defense responsible for procuring weapons, confirmed there were attempted hacking attacks against Daewoo last year but denied they were connected with North Korea.


    Only 50% of WA government entities get a pass mark for infosec

    Western Australia’s auditor-general has reported 553 IT system weaknesses to 59 state government entities, saying she was “disappointed” that only 50% of them met the benchmark for information security.

    In the auditor-general’s latest report [PDF], Information Systems Audit Report 2021 – State Government Entities, it was revealed that 42% of the findings made this year had previously been reported to the 59 entities.

    “One way entities can remain vigilant against the rapidly changing threats to information systems is by promptly addressing audit findings,” state Auditor-General Caroline Spencer said. “Poor information security controls leave entity systems and information vulnerable to misuse and may impact critical services provided to the public.”

    36 of the 59 entities were given capability maturity assessments and were asked to self-assess their general computer controls. Entities improved their controls in four of the six categories (business continuity, IT operations, change control and physical security), held steady in management of IT risks, and went backwards in information security.

    “We continue to find a large number of weaknesses that could compromise the confidentiality, integrity and availability of information systems. Information security remains our biggest area of concern,” the 13th report from the Office of the Auditor-General (OAG) said.

    [Figure: Ratings for general computer control findings in each control category. Image: OAG]

    The 36 assessments saw the OAG rate entities’ maturity levels across the six categories on a 0-5 scale. Level 3, “defined”, is the minimum standard entities are required to meet. 50% of entities were rated at level 3 or above for information security; 62% for business continuity; 78% for management of IT risks; 82% for IT operations; 85% for change control; and physical security scored highest, with 91% of entities at level 3 or above.

    “The number of entities who met our benchmark for information security decreased from 57% in 2018-19 to 50% in 2019-20. We continue to see little improvement in this space over the last 13 years,” the report said.

    Common information security weaknesses included inadequate information security policies, ineffective management of technical vulnerabilities, inadequate access controls, poorly managed administrator privileges, a lack of data loss prevention controls, inappropriate network segregation, unauthorised device connectivity, weak database security controls, and poor cloud security controls.

    Among its recommendations, the OAG asks that entities’ executive managers ensure patching and vulnerability management, application hardening and control, strong passphrases/passwords and multi-factor authentication are in place; restrict administrator accounts; segregate networks and prevent unauthorised devices from connecting; and secure cloud infrastructure, databases, email and storage. The OAG also wants cybersecurity monitoring, intrusion detection and protection from malware to be prioritised.

    Common weaknesses under the business continuity heading were a lack of business continuity planning, no backup testing procedures, inadequate IT disaster recovery plans, and a lack of disaster recovery plan testing. Management of IT risks issues included inadequate processes to identify, assess and treat IT risks, as well as a lack of accountability.

    For change control, common problems included a lack of formalised change management processes and, where processes did exist, a failure to follow them. IT operations weaknesses, the OAG said, included a failure to review policies and procedures, inadequate staff termination processes, ineffective IT asset management, a lack of supplier performance management, and inadequate event monitoring overall. Lastly, physical security issues across the entities included unrestricted access to server rooms, combustible materials stored in server rooms, and a lack of fire suppression systems.

    Data#3, a supplier of IT to the state’s whole-of-government GovNext-ICT initiative, has meanwhile launched Project Fortify to help WA entities with security. Project Fortify, supported by the Office of Digital Government and the Department of Finance, aims to assist state entities with security operations, Essential Eight compliance, and legacy systems risk assessments. “This is a great opportunity for agencies with limited resources to accelerate their cybersecurity maturity and improve the public sector’s resilience to cyberthreats,” WA chief information security officer at the Office of Digital Government Peter Bouhlas said. Funding for the initiative comes from a Digital Innovation Fund created under the WA Government Microsoft Licensing Agreement that Data#3 won in 2019.


    iPhone bug makes it easy for someone to break your Wi-Fi — here's the fix and how to prevent it

    Connecting to a Wi-Fi hotspot with a specific name can cause your iPhone’s Wi-Fi functionality to break, and even a reboot won’t fix it.

    The bug, spotted by reverse engineer Carl Schou and first reported by BleepingComputer, relies on attempting to connect to a hotspot with a specific name. Schou first noticed the issue when trying to connect to his hotspot, whose SSID was %p%s%s%s%s%n.

    After joining my personal WiFi with the SSID “%p%s%s%s%s%n”, my iPhone permanently disabled its WiFi functionality. Neither rebooting nor changing SSID fixes it :~) pic.twitter.com/2eue90JFu3— Carl Schou (@vm_call) June 18, 2021

    I’ve tested this with an iPhone running iOS 14.6, and it does indeed disable Wi-Fi, and a reboot doesn’t fix it.

    So, how do you fix it if, like me, you’re relying on your iPhone? The fix is to go to Settings > General > Reset > Reset Network Settings. After doing this you will have to reconfigure your network settings.

    OK, but how do you prevent this from happening in the first place? After all, little stops pranksters, or possibly a hacker using this as a vulnerability to do something more malicious, from setting up Wi-Fi hotspots with this name and no password. Go to Settings > Wi-Fi and make sure that Auto-Join Hotspots is set to Ask to Join or Never. Better safe than sorry!

    I can also confirm that this does not seem to be an issue for Android users. I tried a number of handsets and they all connected fine.
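The SSID in the tweet above is a run of C printf conversion specifiers (%p, %s and %n). The article does not say how iOS processes the network name, so the following is only an added illustration, not Apple's code and not something from the article or from Schou: it shows why such a string is dangerous to any program that passes an untrusted string where a format string belongs, next to the hardened form, and a pre-join check a client could apply. The function names and the sample SSIDs are made up for the example.

```c
#include <stdio.h>
#include <string.h>

/* Count printf-style conversion directives in an untrusted string.
 * "%%" is a literal percent sign and is not counted. Flags, width,
 * precision and length modifiers are skipped, so "%-8.3ld" counts once.
 * A lone '%' at the end of the string is counted: printf would also treat
 * it as the start of a directive. */
int count_format_directives(const char *s)
{
    int n = 0;
    while (*s) {
        if (*s != '%') { s++; continue; }
        s++;                                   /* consume the '%' */
        if (*s == '%') { s++; continue; }      /* "%%" -> literal '%' */
        while (*s && strchr("-+ #0123456789.*hlLqjzt", *s))
            s++;                               /* flags/width/precision/length */
        n++;                                   /* the conversion character */
        if (*s) s++;
    }
    return n;
}

/* Policy check a Wi-Fi client could apply before joining or logging a
 * network (hypothetical): treat any SSID carrying a directive as hostile. */
int ssid_looks_hostile(const char *ssid)
{
    return count_format_directives(ssid) > 0;
}

static char g_msg[256];   /* shared output buffer, for the demo only */

/* VULNERABLE pattern: the attacker-controlled SSID *is* the format string.
 * It behaves correctly for ordinary names, which is how such bugs ship,
 * but "%p%s%s%s%s%n" would read stack slots as strings and write through
 * whatever pointer %n finds. Compilers flag this under -Wformat-security.
 * Never call it with untrusted input; it is here only for contrast. */
const char *log_ssid_unsafe(const char *ssid)
{
    snprintf(g_msg, sizeof g_msg, ssid);
    return g_msg;
}

/* HARDENED pattern: the format string is a literal; the SSID is data. */
const char *log_ssid_safe(const char *ssid)
{
    snprintf(g_msg, sizeof g_msg, "joined network: %s", ssid);
    return g_msg;
}

int main(void)
{
    /* Constructed sample SSIDs: the one from the report, a benign name with
     * an escaped percent sign, and an ordinary name. */
    const char *ssids[] = { "%p%s%s%s%s%n", "100%% legit", "HomeWifi" };
    for (size_t i = 0; i < sizeof ssids / sizeof ssids[0]; i++) {
        const char *ssid = ssids[i];
        printf("%-14s directives=%d hostile=%d -> %s\n", ssid,
               count_format_directives(ssid), ssid_looks_hostile(ssid),
               log_ssid_safe(ssid));
    }
    return 0;
}
```

The safe logger prints the hostile SSID verbatim because it is only ever an argument; the check is what a client would use to refuse or quarantine such a name before any code that might mishandle it ever sees it.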


    A deep dive into the operations of the LockBit ransomware group

    Researchers have provided an in-depth look at how LockBit, one of the newer ransomware groups on the scene, operates.

    Ransomware has become one of the most disruptive forms of cyberattack this year. It was back in 2017, with the global WannaCry outbreak, that we first saw the severe disruption the malware could cause, and in 2021 nothing seems to have changed for the better. This year alone we have seen the Colonial Pipeline ransomware disaster that caused fuel supply shortages across parts of the US, ongoing issues at Ireland’s national health service, and widespread disruption for meat processing giant JBS. Ransomware operators deploy malware that encrypts and locks systems, and they may also steal confidential data during an attack. Payment is then demanded in return for a decryption key. Losing money by the second while their systems fail to respond, victim organisations may then be subject to a second salvo designed to pile on the pressure: the threat of corporate data being leaked or sold through so-called leak sites on the dark web. Ransomware attacks are projected to cost $265 billion worldwide by 2031, and payouts now commonly reach millions of dollars, as in the case of JBS. However, there is no guarantee that decryption keys are fit for purpose or that paying once means an organisation will not be hit again. A Cybereason survey released this week suggested that up to 80% of businesses that fell prey to ransomware and paid up experienced a second attack, potentially by the same threat actors.

    The threat of ransomware to businesses and critical utilities has become serious enough that the issue was raised during a meeting between US President Joe Biden and Russian President Vladimir Putin at the Geneva summit. Each group has a different modus operandi, and ransomware operators are constantly ‘retiring’ or joining the fold, often through a Ransomware-as-a-Service (RaaS) affiliate model.

    On Friday, the Prodaft Threat Intelligence (PTI) team published a report (.PDF) exploring LockBit and its affiliates. According to the research, LockBit, believed to have previously operated under the name ABCD, runs a RaaS structure that gives affiliate groups a central control panel to create new LockBit samples, manage their victims, publish blog posts, and pull up statistics on the success, or failure, of their attacks.

    The investigation revealed that LockBit affiliates most often buy Remote Desktop Protocol (RDP) access to servers as an initial attack vector, although they may also use typical phishing and credential stuffing techniques. “Those kinds of tailored access services can be purchased as low as $5, thus mak[ing] this approach very lucrative for affiliates,” Prodaft notes. Exploits are also used to compromise vulnerable systems, including Fortinet VPN vulnerabilities left unpatched on target machines.

    Forensic investigations of machines attacked by LockBit affiliates show that the threat groups will often first try to identify “mission-critical” systems, including NAS devices, backup servers, and domain controllers. Data exfiltration then begins, with packages usually uploaded to services including MEGA’s cloud storage platform. A LockBit sample is then deployed manually and files are encrypted with a generated AES key. Backups are deleted and the system wallpaper is changed to a ransom note containing a link to a .onion website address where decryption software can be purchased.
The website also offers a decryption ‘trial,’ in which one file — with a size smaller than 256KB — can be decrypted for free.  However, this isn’t just to show that decryption is possible. An encrypted file needs to be submitted for affiliates to generate a decryptor for that particular victim.  If victims reach out, attackers can open a chat window in the LockBit panel to talk to them. Conversations will often start with the ransom demand, payment deadline, method — usually in Bitcoin (BTC) — and instructions on how to purchase cryptocurrency.  Prodaft was able to obtain access to the LockBit panel, revealing affiliate usernames, the number of victims, registration dates, and contact details. 
    Image: Prodaft
    The research team says that clues within the affiliate names and addresses suggest that some may also be signed up with Babuk and REvil, two other RaaS groups; the investigation is ongoing. On average, LockBit affiliates request roughly $85,000 from each victim, 10-30% of which goes to the RaaS operators, and the ransomware has infected thousands of devices worldwide. Over 20% of victims on the dashboard were in the software and services sector. “Commercial and professional services as well as the transportation sector are also highly targeted by the LockBit group,” Prodaft says. “However, it should be noted that the value of the ransom is determined by the affiliate after various checks using online services. This value does not solely depend on the sector of the victim.” At the time of writing, LockBit’s leak site was unavailable. After infiltrating LockBit’s systems, the researchers decrypted the data of all of the victims accessible on the platform.

    Earlier this month, BleepingComputer reported that LockBit was a new entrant to a ransomware cartel overseen by Maze. Prodaft told ZDNet that as they “detected several LockBit affiliates are also working for other ransomware groups, collaboration is very likely.”

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    Why improving diversity in cybersecurity is vital for everyone

    Improving diversity in the cybersecurity industry by doing more to hire people from different backgrounds can help improve online defences for everyone, because it enables information security teams to think about, and defend against, concepts and attack techniques they may not have considered before. Figures from an NCSC report on diversity detail how over 85% of professionals working in cybersecurity are white, compared to under 15% from black, Asian or mixed ethnic groups. Two-thirds of the industry identifies as male, compared to 31% identifying as female, while over 84% of those surveyed identify as straight, compared with 10% who identified as LGBT. But diversity is, gradually, increasing.


    “I feel like from a diversity and inclusion standpoint in the cybersecurity industry we’ve honestly come a long way,” Christine Izuakor, founder and CEO of Cyber Pop-up, told ZDNet Security Update. “There’s definitely some work to do, but I’m so happy to see so many initiatives around building diversity in the industry, bringing more women into the industry, more people of colour, people from all these different backgrounds. I think that’s huge.”

    Not only does diversifying the cybersecurity industry help it better reflect the population, it can bring different ways of thinking and different skills to the table, and it could also help cybersecurity teams gain a better idea of how the malicious hacking operations they’re trying to defend networks against actually work.

    “The people who are carrying out these attacks don’t look one kind of way or come from one different background. They come from so many different backgrounds across so many different parts of the world,” Izuakor explained. “You can’t defend against that by having one train of thought; you need those different perspectives, you need the people who are defending against these attacks to look just like the people who are attacking, and that looks like a variety of different people,” she added.

    Improving diversity in cybersecurity teams should therefore be a key aim for organisations across the industry, because it can help protect people and businesses from a wider range of cyber threats. “I truly believe that we cannot adequately defend against attacks or develop the solutions and the methods and things that we need if we keep a one-track mind. We have to have diversity in the space, otherwise we will fail,” Izuakor said.

    It’s also important to recognise that people can take different routes into cybersecurity: some might get qualifications from university or information security certifications, others might learn skills via online courses, and some might even teach themselves entirely. “It’s important to acknowledge that people have different learning modes and different paths, and that is OK, as long as the job is getting done right and as long as we’re defending against these attacks and being more secure,” said Izuakor.


    Rust in the Linux kernel just got a big boost from Google

    The recently announced proposal to make the Rust programming language one of two main languages for the Linux kernel is getting a major boost thanks to Google and the Internet Security Research Group (ISRG), the group behind the Let’s Encrypt certificate authority. The main goal of the push to bring Rust to Linux is to wipe out an entire class of memory-related security bugs in the kernel, which is a key part of the internet’s infrastructure, running on everything from servers to edge devices and smartphones. 

    Historically, the Linux kernel and the drivers that make up much of it have been written in C, which is not memory-safe, whereas Rust is; as Microsoft has highlighted, 70% of all the bugs it fixes are memory-related. Linux kernel developers are exploring whether to write new parts of the kernel in Rust rather than rewriting the entire kernel, which contains over 30 million lines of code. Google aired its plans to back the project to bring Rust to Linux in April, an initiative led by developer Miguel Ojeda, who has posted a request for comment (RFC) about the proposal. Until now, Ojeda had been working on contract with ISRG’s Prossimo project for memory safety, an early effort funded by Google, but now the group has hired him to work full-time on the project.

    “Google has found time after time that large efforts to eliminate entire classes of security issues are the best investments at scale,” said Dan Lorenc, a software engineer at Google who has helped coordinate the Rust-Linux project and works on the infrastructure behind Google Cloud Platform. “We understand work in something as widely used and critical as the Linux kernel takes time, but we’re thrilled to be able to help the ISRG support Miguel Ojeda’s work dedicated to improving the memory safety of the kernel for everyone.”

    As Lorenc suggests, introducing a second language into the Linux kernel isn’t a light decision. Linux creator Linus Torvalds had a few objections to bringing in Rust after Ojeda’s RFC. But with Google’s backing, there might be room to move. “Adding a second language to the Linux kernel is a decision that needs to be carefully weighed,” said Ojeda in a statement. “Rust brings enough improvements over C to merit such consideration.”

    The Linux kernel is at the heart of the modern internet, from servers to client devices, said ISRG’s executive director, Josh Aas, pointing out that it is on the front line for processing network data and other forms of input. As such, vulnerabilities in the Linux kernel can have a wide-ranging impact, putting security and privacy for people, organizations, and devices at risk. “Since it’s written largely in the C language, which is not memory-safe, memory safety vulnerabilities such as buffer overflows and use-after-frees are a constant concern. By making it possible to write parts of the Linux kernel in Rust, which is memory-safe, we can entirely eliminate memory safety vulnerabilities from certain components, such as drivers.”

    Google is also backing the ISRG project to create a Rust-based module for the Apache HTTP web server. It is another important piece of internet infrastructure, since the module is responsible for cryptographically securing HTTPS connections to widely used Apache web servers.


    Ransomware: Too many firms are still willing to pay up if attacked

    Over half of organisations would pay the ransom if they fell victim to a ransomware attack, despite repeated warnings that they shouldn’t encourage cyber criminal extortion. Research by the Neustar International Security Council (NISC) found that six in ten organisations would pay cyber criminals for the decryption key in the event of a ransomware attack, according to its survey of 300 workers in ‘senior positions’. That’s despite the likes of the White House, the UK Home Office, law enforcement and cybersecurity experts warning that paying the ransom should be avoided because it signals to ransomware operations that their extortion schemes work.

    High-profile victims that have paid ransoms recently include Colonial Pipeline, which paid over $4 million in Bitcoin to cyber criminals using DarkSide ransomware, while meat processor JBS paid $11 million in Bitcoin to criminals who compromised its network with REvil ransomware. These incidents have seemingly forced businesses to take notice, with 80 percent of cybersecurity professionals surveyed for the research stating that more emphasis is being placed on protecting against the threat of ransomware. However, a quarter of respondents fear that their current security procedures might not offer full protection against ransomware threats, describing them as ‘somewhat’ or ‘very’ insufficient.

    When it comes to ransomware, the best thing an organisation can do is prevent it becoming a problem in the first place. Measures such as applying multi-factor authentication across the network, applying security patches for known vulnerabilities in a timely manner, and regularly updating backups and storing them offline can help organisations avoid being disrupted by a ransomware attack. With these protections in place, organisations are much less likely to feel the need to give in to the extortion demands of cyber criminals. “Companies must unite in not paying ransoms. Attackers will continue to increase their demands for ever larger ransom amounts especially if they see that companies are willing to pay. This spiral upwards must be stopped,” said Rodney Joffe, NISC chairman and fellow at Neustar.


    This strange malware stops you from visiting pirate websites

    A strain of malware with odd intentions when it comes to piracy and the moral compass of its victims has been detected in the wild.

    On Thursday, Sophos researchers said they had uncovered a malware campaign that doesn’t follow the typical behavioural pattern (infiltrate a system, steal information, conduct banking fraud, and so on); instead, the malware “blocks infected users from being able to visit a large number of websites dedicated to software piracy.” The means of distribution vary: some samples were buried in archives disguised as software packages promoted through the Discord chat service, whereas others are distributed directly via torrent. The creator has used the names of numerous software brands, games, productivity tools, and cybersecurity solutions to hide the malware, according to principal researcher Andrew Brandt, and so appears to be targeting everyone from gamers to professionals who might not want to purchase a software licence. The malicious packages are named in the formats commonly used when distributing pirated software, such as “Minecraft 1.5.2 Cracked [Full Installer][Online][Server List].” Files are tagged to appear as uploads from The Pirate Bay. “The files that appear to be hosted on Discord’s file-sharing tend to be lone executable files,” Brandt says. “The ones distributed through Bittorrent have been packaged in a way that more closely resembles how pirated software is typically shared using that protocol: added to a compressed file that also contains a text file and other ancillary files, as well as an old fashioned Internet Shortcut file.” If the malware’s executable is double-clicked, a pop-up message appears claiming that the victim’s system is missing a crucial .DLL file. In the background, the malware fetches a secondary payload, dubbed ProcessHacker, from an external website. This payload is responsible for modifying the HOSTS file on the target machine.

    The malware’s piracy-website blocking process is rudimentary: it simply adds a list of between a few hundred and more than 1,000 web domains to the HOSTS file and points them to a localhost address. Oddly, some websites on the block list have nothing to do with piracy. However, on modern Windows systems administrator privileges are required to modify the HOSTS file, and not every sample triggered the escalation of the malware’s privileges. When this escalation didn’t occur, the HOSTS file modification failed.

    “Modifying the HOSTS file is a crude but effective method to prevent a computer from being able to reach a web address,” Sophos says. “It’s crude because, while it works, the malware has no persistence mechanism. Anyone can remove the entries after they’ve been added to the HOSTS file.”

    In some of the malware packages, the operator bundled extra files with the installer, likely to make it look more like a legitimate pirated software package. Most of these files are junk code and garbage images, although a common .nfo file contained racist slurs.

    “On the face of it, the adversary’s targets and tools suggest this could be some kind of crudely-compiled anti-piracy vigilante operation,” Brandt commented. “However, the attacker’s vast potential target audience — from gamers to business professionals — combined with the curious mix of dated and new tools, TTPs, and the bizarre list of websites blocked by the malware, all make the ultimate purpose of this operation a bit murky.”

    While the malware is crude and has little impact on users unless they are fans of cracked software or pirated content, if the HOSTS file has been modified, Sophos says it can be cleaned up by running Notepad as an administrator, opening C:\Windows\System32\drivers\etc\hosts, and removing the added entries.
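The HOSTS-file technique described above is easy to audit for: any entry that maps a hostname to a loopback or null address, other than the standard localhost lines, sinkholes that name. The following is an added example, not Sophos's code and not the malware's, that scans hosts-file text for such entries and produces a copy with them removed, which is the manual Notepad cleanup the article describes, done programmatically. The sample file content is constructed for the example (it uses .example names rather than real blocked sites), and the function names are made up; on Windows the real file is C:\Windows\System32\drivers\etc\hosts and rewriting it needs an elevated process.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOST 256

/* Constructed sample (not a real capture): a hosts file after a blocking
 * modification of the kind described above, next to legitimate lines. */
static const char SAMPLE_HOSTS[] =
    "# Copyright (c) 1993-2009 Microsoft Corp.\r\n"
    "#\t127.0.0.1       localhost\r\n"
    "127.0.0.1       localhost\r\n"
    "::1             localhost\r\n"
    "\r\n"
    "127.0.0.1 piracy-site.example\r\n"
    "0.0.0.0 torrent-index.example   # resolves to nowhere\r\n"
    "10.0.0.5 intranet.example\r\n";

/* Loopback and null-route addresses make the mapped name unreachable. */
int is_sinkhole_addr(const char *addr)
{
    return strncmp(addr, "127.", 4) == 0 || strcmp(addr, "0.0.0.0") == 0 ||
           strcmp(addr, "::1") == 0 || strcmp(addr, "::") == 0;
}

/* Parse one line (len bytes, newline excluded). Returns 1 and copies the
 * lower-cased hostname into host when the line maps a name other than a
 * localhost alias to a sinkhole address; blank and comment lines return 0. */
int is_sinkhole_line(const char *line, size_t len, char *host, size_t cap)
{
    char addr[64];
    size_t i = 0, j = 0;

    while (i < len && isspace((unsigned char)line[i])) i++;
    if (i >= len || line[i] == '#') return 0;              /* blank/comment */
    while (i < len && !isspace((unsigned char)line[i])) {
        if (j + 1 < sizeof addr) addr[j++] = line[i];      /* first token */
        i++;
    }
    addr[j] = '\0';

    while (i < len && isspace((unsigned char)line[i])) i++;
    if (i >= len || line[i] == '#') return 0;              /* no hostname */
    j = 0;
    while (i < len && !isspace((unsigned char)line[i])) {
        if (j + 1 < cap) host[j++] = (char)tolower((unsigned char)line[i]);
        i++;
    }
    host[j] = '\0';

    if (!is_sinkhole_addr(addr)) return 0;
    return strcmp(host, "localhost") != 0 &&
           strcmp(host, "localhost.localdomain") != 0 &&
           strcmp(host, "ip6-localhost") != 0 &&
           strcmp(host, "ip6-loopback") != 0;
}

/* Count sinkholed hostnames in hosts-file text, copying up to max of them
 * into out (pass NULL to count only). Returns the number found. */
int find_sinkholed(const char *text, char out[][MAX_HOST], int max)
{
    int found = 0;
    for (const char *p = text; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char host[MAX_HOST];
        if (is_sinkhole_line(p, len, host, sizeof host)) {
            if (out && found < max) strcpy(out[found], host);
            found++;
        }
        p += nl ? len + 1 : len;
    }
    return found;
}

static char g_clean[sizeof SAMPLE_HOSTS + 1024];  /* demo-sized output */

/* Return a copy of the text with sinkhole lines dropped and every other
 * line kept byte-for-byte, CRLF endings included. Static buffer. */
const char *remove_sinkholed(const char *text)
{
    size_t used = 0;
    g_clean[0] = '\0';
    for (const char *p = text; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t body = nl ? (size_t)(nl - p) : strlen(p);  /* without '\n' */
        size_t len = nl ? body + 1 : body;                 /* with '\n' */
        char host[MAX_HOST];
        if (!is_sinkhole_line(p, body, host, sizeof host) &&
            used + len < sizeof g_clean) {
            memcpy(g_clean + used, p, len);
            used += len;
            g_clean[used] = '\0';
        }
        p += len;
    }
    return g_clean;
}

int main(void)
{
    char hosts[16][MAX_HOST];
    int n = find_sinkholed(SAMPLE_HOSTS, hosts, 16);
    printf("%d sinkholed entr%s\n", n, n == 1 ? "y" : "ies");
    for (int i = 0; i < n && i < 16; i++)
        printf("  %s\n", hosts[i]);
    printf("--- cleaned hosts ---\n%s", remove_sinkholed(SAMPLE_HOSTS));
    return 0;
}
```

The scan treats 127.x, 0.0.0.0, ::1 and :: as sinkhole targets; an entry pointing a real site at a private address such as 10.0.0.5 is left alone, since that is a redirection rather than a block and needs a different kind of review.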