More stories

    Microsoft unveils three more 'industry clouds' for financial, manufacturing and nonprofit

    Microsoft is continuing to roll out cloud packages tailored to specific vertical industries. On February 24, the company announced three more of these “industry clouds”, for financial services, manufacturing and nonprofit. These supplement the already-announced Microsoft cloud packages for healthcare and retail.

    These industry clouds bundle common data models, cross-cloud connectors, workflows, application programming interfaces and industry-specific components and standards. They are designed for use with Azure, Microsoft 365, Dynamics 365, Power Platform tools and other Microsoft services and are meant to connect front-end productivity tasks to backend data management, officials said.

    “Other industry clouds are just about one business process or one use case,” said Alysa Taylor, Corporate Vice President of Business Applications and Global Industry. Microsoft, for its part, is pulling together multiple scenarios into a single vertical cloud. In the past, systems integrators inside and outside companies would be the ones creating these kinds of templates and custom solutions. But the company is still looking to involve partners in extending and tailoring these cloud packages, Taylor said.

    There are productivity and security pieces that are common across Microsoft’s vertical clouds, such as Teams collaboration, Office apps and Power BI analytics. Engineering teams from Office, Dynamics, Azure and other parts of the company are meeting bi-weekly to build out these vertical clouds, Taylor said. But there are also capabilities in each that are unique to specific industries.

    The Microsoft Cloud for Financial Services, for example, includes features such as a prebuilt Loan Manager and Banking customer engagement. The public preview of the Financial Services cloud is slated for March 2021.

    The Microsoft Cloud for Manufacturing will adhere to standards from the OPC Foundation, Open Manufacturing Platform and Digital Twins Consortium. The Manufacturing Cloud will be available for public preview by the end of June 2021.

    And the Microsoft Cloud for Nonprofit includes donor-management, volunteer-management and fundraising functionality. The public preview is slated to be out by the end of June.

    Microsoft also announced today that its previously announced Microsoft Cloud for Retail will be in public preview as of March 2021. And the first update to the Microsoft Cloud for Healthcare will be available in April; it will add support for eight new languages, plus features for virtual health, remote patient monitoring, care coordination and patient self-service.

    Taylor said Microsoft is in the planning phase right now to determine which additional verticals it will target with industry clouds in the coming months.

    This botnet is abusing Bitcoin blockchains to stay in the shadows

    A botnet used for illicit cryptocurrency mining activities is abusing Bitcoin (BTC) transactions to stay under the radar. 

    According to new research published by Akamai on Tuesday, the technique is being harnessed by operators of a long-running cryptocurrency mining botnet campaign, in which BTC blockchain transactions are being exploited to hide backup command-and-control (C2) server addresses. 
    Botnets rely on C2 servers to receive commands from cyberattackers. Law enforcement and security teams are constantly finding and taking down these C2 servers in order to render campaigns defunct — but if backups are in play, takedowns can be more difficult. 
    Akamai says that botnet operators are able to hide backup C2 IP addresses via the blockchain, and this is described as a “simple, yet effective, way to defeat takedown attempts.”
    The attack chain begins with the exploit of remote code execution (RCE) vulnerabilities impacting software including Hadoop Yarn and Elasticsearch, such as CVE-2015-1427 and CVE-2019-9082. 
    In some attacks, rather than hijacking the system outright, the RCE payload is modified to turn the compromised host into a Redis server scanner that finds additional Redis targets for cryptocurrency mining. 
    A shell script triggers the RCE on a vulnerable system and deploys the Skidmap mining malware. The initial script may also kill off existing miners, modify SSH keys, or disable security features. 

    Cron jobs — time-based job schedulers — and rootkits are used to maintain persistence and further distribute the malware. However, in order to maintain and re-infect target systems, domains and static IP addresses are used — and these addresses are eventually identified and killed by security teams. 
    “Predictably these domains and IP addresses get identified, burned, and/or seized,” the researchers say. “The operators of this campaign expected this and included backup infrastructure where infections could fail over and download an updated infection that would, in turn, update the infected machine to use new domains and infrastructure.”
    In December, Akamai noted a BTC wallet address was being included in new variants of the cryptomining malware. Additionally, a URL for a wallet-checking API and bash one-liners were found, and it appears that the wallet data being fetched by the API was being used to calculate an IP address. 
    This IP address is then used to maintain persistence. The researchers say that by fetching addresses via the wallet API, the malware’s operators are able to obfuscate and stash configuration data on the blockchain. 
    “By pushing a small amount of BTC into the wallet, they can recover infected systems that have been orphaned,” Akamai says. “They essentially have devised a method of distributing configuration information in a medium that is effectively unseizable and uncensorable.”
    To convert wallet data into an IP address, the operators use four Bash one-liners that send an HTTP request to a blockchain explorer API for the given wallet; the satoshi values (the smallest unit of BTC) of the two most recent transactions are then converted into the backup C2 IP. 
    “The infection is using the wallet address as a DNS like record, and the transaction values as a type of A record,” Akamai explains. “In Fig. 2 [below], the variable aa contains the Bitcoin wallet address, variable bb contains the API endpoint that returns the latest two transactions used to generate the IP address, and variable cc contains the final C2 IP address after the conversion process is completed. To achieve this conversion, four nested Bash one-liners (one each, per-octet) are concatenated together. While the mess of cURLs, seds, awks, and pipes is hard to make sense of at first glance, it’s a fairly simple technique.”

    [Figure 2: Bash script example of Satoshis to C2 IP conversion. Credit: Akamai]
    Akamai estimates that to date, over $30,000 in Monero (XMR) has been mined by the operators.
    “The technique isn’t perfect,” the researchers noted. “There are improvements that can be made, which we’ve excluded from this write-up to avoid providing pointers and feedback to the botnet developers. Adoption of this technique could be very problematic, and it will likely gain popularity in the near future.”
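    A defender-side check that follows from the Akamai description: the implant has to ask a public blockchain explorer API about its wallet, and a Hadoop YARN or Elasticsearch node has no legitimate reason to do that. The following is an added example, not Akamai's code or the botnet's script; the explorer hostnames, URL layout, proxy log format, host roles and wallet addresses are all constructed assumptions.

```python
"""Flag servers that query public Bitcoin explorer APIs about wallet transactions.

Egress proxy log lines below are constructed for this example. The explorer
hostnames and URL layout are assumptions: the article does not name the API
the implant calls, only that it returns a wallet's latest transactions.
"""
import re
from collections import defaultdict

# Assumed explorer API hosts; extend with whatever your proxy actually sees.
EXPLORER_API_HOSTS = {"blockchain.info", "api.blockcypher.com", "blockstream.info"}

# A legacy (1.../3...) or bech32 (bc1...) Bitcoin address embedded in a URL.
BTC_ADDRESS_RE = re.compile(
    r"(?<![0-9A-Za-z])(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})(?![0-9A-Za-z])"
)

# Constructed proxy log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})$"
)
URL_HOST_RE = re.compile(r"^https?://([^/:?#]+)", re.IGNORECASE)

# Constructed sample log. The addresses are made up to fit the address syntax
# and do not belong to anyone.
SAMPLE_LOG = """\
2021-02-24T10:01:02Z 10.0.5.21 GET https://blockchain.info/rawaddr/1ExaMPLEWa11etAddrFoRTestBTCx23456?limit=2 200
2021-02-24T10:01:05Z 10.0.5.21 GET https://blockchain.info/rawaddr/1ExaMPLEWa11etAddrFoRTestBTCx23456?limit=2 200
2021-02-24T10:02:11Z 10.0.9.40 GET https://www.example.org/index.html 200
2021-02-24T10:03:44Z 10.0.7.12 GET https://blockstream.info/api/blocks/tip/height 200
2021-02-24T10:04:30Z 10.0.6.8 GET https://api.blockcypher.com/v1/btc/main/addrs/3CoNstRuctedTestAddrNotRea1xyzABCD 200
this line is deliberately malformed and must be skipped
"""

# Constructed asset inventory: client IP -> role. Anything that is not a
# workstation is treated as a server that should never poll wallet data.
HOST_ROLES = {
    "10.0.5.21": "elasticsearch-node",
    "10.0.6.8": "hadoop-yarn-worker",
    "10.0.7.12": "workstation",
}


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    hm = URL_HOST_RE.match(rec["url"])
    rec["host"] = hm.group(1).lower() if hm else ""
    return rec


def find_wallet_lookups(lines, host_roles):
    """Return one finding per client that contacted an explorer API.

    Severity: 'high' when a server-role host looked up a specific wallet
    (the pattern the article describes), 'medium' when a server-role host
    contacted an explorer API without a wallet in the URL, 'low' otherwise.
    """
    per_host = defaultdict(lambda: {"requests": 0, "wallets": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] not in EXPLORER_API_HOSTS:
            continue
        entry = per_host[rec["src"]]
        entry["requests"] += 1
        entry["wallets"].update(BTC_ADDRESS_RE.findall(rec["url"]))

    findings = []
    for src, entry in sorted(per_host.items()):
        role = host_roles.get(src, "unknown")
        is_server = role != "workstation"
        if is_server and entry["wallets"]:
            severity = "high"
        elif is_server:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "src": src,
            "role": role,
            "requests": entry["requests"],
            "wallets": sorted(entry["wallets"]),
            "severity": severity,
        })
    return findings


def run_example():
    """Run the detector over the constructed sample log."""
    return find_wallet_lookups(SAMPLE_LOG.splitlines(), HOST_ROLES)


if __name__ == "__main__":
    for finding in run_example():
        print(f"[{finding['severity']:>6}] {finding['src']} ({finding['role']}): "
              f"{finding['requests']} explorer request(s), wallets={finding['wallets']}")
```

    A wallet address surfaced by a high-severity finding is worth retaining as an indicator: the same wallet will be reused on every host that fails over to the backup infrastructure.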
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

    More private browsing? Firefox gets tougher on cookie tracking with new 'total' protection

    If you’re bugged by companies using cookies to track your online activities across websites, Mozilla might have an answer.  
    Mozilla, the maker of the Firefox browser, has rolled out a feature called Total Cookie Protection as part of its Enhanced Tracking Protection “Strict Mode” that promises to stifle cross-site tracking. 

    “Total Cookie Protection confines cookies to the site where they were created, which prevents tracking companies from using these cookies to track your browsing from site to site,” Mozilla says in a new blogpost. 
    The feature ships as part of Firefox’s Enhanced Tracking Protection.
    Mozilla argues that most browsers allow cookies to be shared between websites, allowing marketing folks to “tag” a browser and track the user as they browse across sites. 
    “This type of cookie-based tracking has long been the most prevalent method for gathering intelligence on users. It’s a key component of the mass commercial tracking that allows advertising companies to quietly build a detailed personal profile of you,” Mozilla says. 

    Apple introduced Intelligent Tracking Prevention (ITP) last year to Safari via its WebKit project in order to block all third-party cookies in Safari by default.
    Mozilla embarked on its own take on this technology to tackle the online ad businesses in 2019. Privacy is one of the key pillars that Mozilla is using to differentiate itself from a web that’s increasingly dominated by the Chromium project, which has seen even Microsoft migrate its Edge browser to Google’s browser. 
    Mozilla says the Total Cookie Protection provides a separate “cookie jar” for each website that’s visited. 
    “Any time a website, or third-party content embedded in a website, deposits a cookie in your browser, that cookie is confined to the cookie jar assigned to that website, such that it is not allowed to be shared with any other website,” Mozilla says. 
    Cookies, however, are useful for purposes such as logging in easily to a website that was visited in the past. Mozilla’s Total Cookie Protection will support this use of cookies, with the exception triggered by a signal from the user that they intend to use a particular site. 
    “Total Cookie Protection makes a limited exception for cross-site cookies when they are needed for non-tracking purposes, such as those used by popular third-party login providers,” Mozilla notes.  
    “Only when Total Cookie Protection detects that you intend to use a provider, will it give that provider permission to use a cross-site cookie specifically for the site you’re currently visiting. Such momentary exceptions allow for strong privacy protection without affecting your browsing experience.”

    Start Options, B2G founder indicted for alleged digital currency, investor fraud

    The founder of the Start Options and Bitcoiin2Gen (B2G) digital asset investment platforms has been indicted on charges of investor fraud and money laundering. 

    The US Department of Justice (DoJ) said on Tuesday that Kristijan Krstic, a Serbian national, has been charged in an indictment for allegedly participating in international, cryptocurrency-related fraud. 
    According to the complaint, the 45-year-old founded two platforms, Start Options and B2G, and also served as the Chief Financial Officer (CFO) of Start Options.
    It has been alleged that between roughly 2017 and 2018, Krstic and co-conspirators targeted investors in the United States, luring them to purchase securities in the form of investment contracts in both companies, marketed as successful trading services.
    Prosecutors say that Start Options claimed to be a digital asset trading service that was “the largest Bitcoin (BTC) exchange in euro volume and liquidity,” apparently “consistently rated the best and most secure Bitcoin exchange by independent news media.”
    B2G touted itself as an “ecosystem” for trading tokens, digital, and fiat currencies, and also offered a form of wallet for storing and managing cryptocurrencies. 
    Both companies, however, are allegedly scams, according to the indictment. 

    “The money sent by investors in Start Options and B2G allegedly was never invested and instead was laundered internationally to a Philippines-based financial account and digital currency wallet, and diverted to a US-based promoter of the fraud,” the DoJ claims. 
    In addition, the DoJ says that in 2018, Start Options investors trying to redeem their funds were told of a time-sensitive “opportunity” to roll over their funds and participate in an Initial Coin Offering (ICO) for B2G tokens. 
    “Start Options investors were forced to take part in this “opportunity,”” prosecutors allege, adding that “all Start Options investors’ accounts were rolled into new B2G accounts, and even those Start Options investors who tried to decline the “opportunity” were unable to cash in their shares.” 
    Approximately $7 million of these proceeds was allegedly transferred from the promoter to Krstic — who then stopped communicating with investors and “absconded” with the cash — while Start Options claimed that the company had been sold to a Russian venture capitalist.
    The US Securities and Exchange Commission (SEC) estimates that “hundreds” of investors may have been defrauded out of as much as $11 million through the “fraudulent and unregistered digital asset securities offerings.”
    The DoJ added that Krstic used the alias “Felix Logan” when communicating with investors in both companies. According to his alleged Twitter handle, which has posted a variety of Bitcoin-related content and messages, “Logan” left his post at Start Options in 2018.
    Charges filed with the US Eastern District of New York court on Tuesday accuse Krstic of one count of securities fraud and conspiracy to commit securities fraud, one count of conspiracy to commit wire fraud, and one count of conspiracy to commit money laundering.
    John DeMarr, the ex-director of North American Operations for both companies — and a former private investigator — has been previously charged for his alleged participation. 
    On February 1, 2021, the SEC charged Krstic and DeMarr with violating antifraud and registration laws. The US agency is seeking damages, disgorgement of proceeds, penalties, and an officer/director ban for both individuals. 
    In addition, the SEC has also charged Robin Enos, who was allegedly drafted in to create promotional materials for the firms. Prosecutors say that Enos knew the content would be presented to investors and the material allegedly contained false statements — such as the use of investor funds toward mineable coins, and the claim that the B2G coin would be offered on the Ethereum blockchain. 
    “Bitcoiin2Gen was a sham, and Krstic and DeMarr allegedly misappropriated millions of dollars of investor funds for their own personal benefit,” the SEC says. 
    “The conduct alleged in this action was a blatant attempt to victimize those interested in digital asset technology and these defendants should be held accountable,” commented Kristina Littman, the SEC Enforcement Division Cyber Unit chief. “In reality, we allege, these ventures were fraudulent enterprises aimed simply at misappropriating funds from investors.”
    In January, a US resident and former journalist, Jerry Ji Guo, was jailed for six months based on claims that he pretended to be a cryptocurrency and Initial Coin Offerings (ICOs) consultant to conduct investor fraud.
    According to the DoJ, the 33-year-old promised investors that he would perform “consultancy, marketing, and publicity services” in return for crypto and cash investments, but these services never materialized. Guo must also pay $4.4 million in damages.

    COVID pandemic causes spike in cyberattacks against hospitals, medical companies

    Cyberattacks against healthcare organizations have doubled during the coronavirus pandemic, research suggests. 

    On Wednesday, IBM released the company’s annual X-Force Threat Intelligence Index, which analyzed data from the previous year to track the evolution of new threats, malware development, and cyberattacks. 
    The 2021 index includes some notable trends, perhaps the most significant being how many threat actors pivoted their campaigns toward organizations involved in fighting the COVID-19 pandemic during 2020. 
    According to IBM researchers, organizations crucial to coronavirus research and treatment experienced double the ‘usual’ rate of attacks in 2020. These entities include hospitals, pharmaceutical manufacturers, medical companies, and energy firms involved in the COVID-19 supply chain. 
    IBM believes that this change in focus is due to cyberattackers banking on the fact that these organizations could not — and still cannot — afford any downtime that could impact COVID-19 programs. As a result, victims may be more likely to pay up, for example, when ransomware is deployed. 
    According to the tech giant, manufacturing and the energy sector were second only to finance and insurance when it comes to the most attacked industries worldwide last year. Of particular note, too, is a close to 50% increase in attacks exploiting vulnerabilities in industrial control systems (ICS).

    “In essence, the pandemic reshaped what is considered critical infrastructure today, and attackers took note. Many organizations were pushed to the front lines of response efforts for the first time — whether to support COVID-19 research, uphold vaccine and food supply chains, or produce personal protective equipment,” commented Nick Rossmann, Global Threat Intelligence Lead at IBM Security X-Force. “Attackers’ victimology shifted as the COVID-19 timeline of events unfolded, indicating yet again, the adaptability, resourcefulness, and persistence of cyber adversaries.”

    Over the course of 2020, ransomware became the most popular attack method, claiming 23% of all incidents analyzed by IBM. Sodinokibi was the most prolific ransomware family in use, raking in a “conservative estimate” of at least $123 million in the past year for its operators, with up to two-thirds of victims giving in and paying up.
    Double extortion, in which a victim organization’s systems are infected with ransomware, a blackmail payment is demanded, and attackers threaten to leak stolen data, is also becoming more popular. 
    The report also found a 40% increase in Linux-based malware families and a 500% surge in malware written in the Go programming language. 
    “Similar to hybrid cloud’s playbook to “write once, run anywhere,” attackers are using malware that can more easily run on various platforms, including cloud environments,” IBM added. 
    Other points of interest include:
    • Collaboration tool spoofing: Many of the most spoofed brands over 2020 offer remote collaboration tools, including Google, Dropbox, and Microsoft.
    • Open source: Threat actors are turning to open source malware more frequently than before, with APT28, APT29 and Carbanak among users.
    • Cryptomining: Over 2020, there was a 13% increase in new code in Linux cryptocurrency mining malware.
    • Scanning: Scan-and-exploit attack vectors were the most common way for threat actors to compromise a system last year, surpassing phishing for the first time in years. 

    Red Hat closes StackRox Kubernetes security acquisition

    In terms of money, Red Hat buying StackRox probably isn’t that big a deal. Sources say it was just above $100 million. Big money to you and me, but peanuts for big tech companies. But, when it comes to securing Kubernetes, this is an enormous deal not just for Red Hat and its in-house Kubernetes distro, OpenShift, but for all Kubernetes distros and services.


    That’s because StackRox’s software does an exceptional job of providing visibility across Kubernetes clusters by deploying components for enforcement and data collection directly into the Kubernetes cluster infrastructure. StackRox also provides a policy engine that includes hundreds of built-in controls to enforce security best practices, industry standards, and configuration management.
    With StackRox, Red Hat said it would focus on improving security for cloud-native workloads by expanding and refining Kubernetes’ native controls, and shifting security into the container build and CI/CD phase.
    Best of all, Red Hat will be open-sourcing StackRox’s technology. In addition to OpenShift, StackRox will continue to support multiple Kubernetes platforms, including Amazon Elastic Kubernetes Service, Microsoft Azure Kubernetes Service, and Google Kubernetes Engine.
    Red Hat is also expected to integrate StackRox’s security measures with its container registry Quay. This will enable you to ensure security in your application pipelines, including your existing container image scanning and continuous integration, continuous delivery, and continuous deployment (CI/CD) programs.
    Red Hat will also be getting KubeLinter, StackRox’s newly open-sourced lint-style analysis program for Kubernetes YAML files and Helm charts. This will also prove very useful for both securing and cleaning up cloud-native programs.
    After all, as Red Hat CEO Paul Cormier said, “Securing Kubernetes workloads and infrastructure cannot be done in a piecemeal manner; security must be an integrated part of every deployment, not an afterthought. Red Hat adds StackRox’s Kubernetes-native capabilities to OpenShift’s layered security approach, furthering our mission to bring product-ready open innovation to every organization across the open hybrid cloud across IT footprints.”

    Ashesh Badani, Red Hat’s senior VP of Cloud Platforms, added after the deal was completed that:

    Over the past several years we have paid close attention to how our customers are securing their workloads, as well as the growing importance of GitOps to organizations. Both of these have reinforced how critically important it is for security to “shift left” – integrated within every part of the development and deployment lifecycle and not treated as an afterthought. With StackRox, we will be working to add security into container build and CI/CD processes. This helps to more efficiently identify and address issues earlier in the development cycle while providing more cohesive security up and down the entire IT stack and throughout the application lifecycle. 

    It’s not just Red Hat that thinks well of this acquisition. 451 Research likes it too. “For those looking to secure complex environments, they need more than security features alone — there’s a need for visibility across many environments, compliance management, threat detection, incident response, and much more,” it said. That’s exactly what StackRox’s software offerings will give Red Hat and other companies’ Kubernetes-based hybrid clouds and programs.

    Bill establishing cyber abuse takedown scheme for adults enters Parliament

    A new Online Safety Bill that extends the cyber takedown function to adults and cuts takedown response times in half has made its way into Australian Parliament.
    As detailed in the Online Safety Bill 2021, the new scheme, based on the existing cyber bullying scheme for children, provides a mechanism for those experiencing the most seriously harmful online abuse to have this material removed from the internet. It empowers Australia’s eSafety Commissioner to order the removal of such material when websites, social media, and other online services fail to do so after a complaint is made.
    The eSafety Commissioner will have the power to issue takedown notices directly to the services, and also to the end users responsible for the abusive content.
    “The sharing of intimate images without consent is a terrible thing to do and causes great distress to victims,” Communications Minister Paul Fletcher said, introducing the Bill on Wednesday.  
    The Bill also expands the cyberbullying scheme for children, enabling eSafety to order the removal of material from further online services such as games, websites, messaging, and hosting services — not just social media platforms.
    Online platforms will also now see the amount of time that they have to pull down content after receiving a missive from eSafety halved — from 48 hours down to 24.
    If a website or app systemically ignores takedown notices for class one material under the online content scheme, such as child sexual abuse material, the eSafety Commissioner can require search engines and app stores to remove access to that service.

    These protections will be backed by civil penalties — up to AU$550,000 for companies and AU$111,000 for individuals.
    The Bill also introduces basic online safety expectations for digital platforms, Fletcher said. These expectations will apply to service providers including social media, messaging apps and games, and designated internet services, such as websites, he explained.
    The Bill allows the responsible minister to determine the details of these expectations by legislative instrument. The minister may also determine that the expectations apply to specific services.
    “We expect that service providers will take reasonable steps to ensure that Australians are able to use their service in a safe manner,” Fletcher said. “We expect that services are not able to be used to bully, abuse or humiliate Australians, and we expect the service providers will provide clear and readily identifiable mechanisms for users to report and lodge complaints about unacceptable use.”
    See also: Australian Senators want digital giants ‘reined in’ beyond Media Bargaining Code
    eSafety also receives the power to publish statements about the performance of digital platforms in meeting the government’s expectations.
    “The intent is to drive an improvement in the online safety practices of digital platforms where they fall short,” Fletcher continued.
    “The Australian government believes the digital industry must step up and do more to keep their users safe.”
    As a result, the Bill will require new and updated industry codes to be developed, such as those preventing children from setting up online accounts without the consent of an adult, providing access to a filtered internet service if desired by a user, and providing information about online safety and procedures for dealing with prohibited and illegal online content.
    “We expected each section of the online industry will produce updated and strengthened industry codes within six months of the commencement of this Bill,” the minister said.
    The Bill reforms the online content scheme so that class one material or material which is so abhorrent that it would be refused classification will no longer need to be reviewed and classified by the classification board before eSafety can order its removal.
    It also provides the commissioner with the power to issue takedown notices to providers of particularly egregious illegal content such as child sexual exploitation material that is hosted outside of Australia, and which can be accessed by end users in Australia.
    The commissioner will also receive the capability to prevent search engines from being the conduit to illegal online content, giving the power to issue a link deletion notice requesting the search engine cease providing a link to the material within 24 hours.
    Further, the Bill allows eSafety to issue app removal notices that give app stores one day to remove apps that facilitate the posting of class one material.
    In September 2019 the eSafety Commissioner directed the nation’s ISPs to continue blocking websites that host the video of the Christchurch terrorist attack, and in March it agreed new protocols with ISPs to block such content; the new Bill offers further action.
    It introduces a specific and targeted power for the eSafety Commissioner to direct ISPs to block certain domains containing terrorist or extreme violent material, for time-limited periods, in the event of an online crisis event.
    “The commissioner would need to consider the nature and likely reach of the material depicting, promoting, inciting, or instructing in abhorrent violent conduct and be satisfied that it would likely cause significant harm to the Australian community, and that an urgent response is required,” Fletcher said.
    Where anonymous accounts are used to exchange disturbing or illegal content, or to hurl abuse, the Bill clarifies and strengthens the information gathering and investigative powers of eSafety to unmask their identities.
    It allows the commissioner to require that social media services, relevant electronic services, and designated internet services provide identity and contact information about end users in relation to cyber bullying, cyber abuse, image-based abuse, or prohibited online content.
    Civil penalties will apply to services that fail to comply with a written notice from the commissioner.
    “We all enjoy standards of behaviour and civility in the town square that keep us safe and there are appropriate mechanisms and sanctions for those who break those rules; the Australian government believes that the digital town square should also be a safe place, and that there should be consequences for those who use the internet to cause others harm,” Fletcher said. “This Bill contains a comprehensive set of measures designed in accordance with this belief.”
    Introduced simultaneously was the Online Safety (Transitional Provisions and Consequential Amendments) Bill 2021 [PDF], which repeals the Enhancing Online Safety Act 2015 upon commencement of the new Online Safety Act.
    “The Online Safety Bill will become the new enabling legislation for Australia’s eSafety Commissioner, and will strengthen and extend the commissioner’s powers to keep Australians safe online,” Fletcher said, noting that many functions will be transitioned to the new Act to create a single Act.
    Among other things, the Bill increases maximum penalties from three years imprisonment to five years. Through changes to parts of the Criminal Code Act 1995, the Act seeks to punish repeat offenders with higher penalties.
    “These changes reflect the Australian public’s expectation that the punishment for this type of conduct should be commensurate with the seriousness of the offence,” Fletcher said.
    The draft consultation on the Bill received 370 submissions.

    Airplane maker Bombardier data posted on ransomware leak site following FTA hack

    Canadian airplane manufacturer Bombardier has disclosed today a security breach after some of its data was published on a dark web portal operated by the Clop ransomware gang.

    “An initial investigation revealed that an unauthorized party accessed and extracted data by exploiting a vulnerability affecting a third-party file-transfer application, which was running on purpose-built servers isolated from the main Bombardier IT network,” the company said in a press release today.
    While the company did not specifically name the appliance, they are most likely referring to Accellion FTA, a web server that can be used by companies to host and share large files that can’t be sent via email to customers and employees.
    In December 2020, a hacking group discovered a zero-day in the FTA software and began attacking companies worldwide. Attackers took over systems, installed a web shell, and then stole sensitive data.
    In a press release yesterday, Accellion said that 300 of its customers were running FTA servers, 100 got attacked, and that data was stolen from around 25.
    The attackers then attempted to extort the hacked companies, asking for ransom payments, or they’d make the stolen data public, according to security firm FireEye.
    Starting earlier this month, data from some old FTA customers began appearing on a “leak site” hosted on the dark web, where the Clop ransomware gang would usually shame the companies who refused to pay its decryption fees.

    Data from geo-spatial data company Fugro, tech firm Danaher, Singapore’s largest telco Singtel, and US law firm Jones Day was published on the site so far.
    Today, Bombardier’s name was added to the list, which prompted the airplane maker to go public with its security breach.
    Data shared on the site included design documents for various Bombardier airplanes and plane parts. No personal data was shared, but the airplane maker is most likely livid that some of its private intellectual property is now being offered as a free download on the dark web.
    FireEye said in a report today that the FTA hacking campaign and the subsequent extortion efforts are carried out by a major cybercrime group which the company tracks as FIN11, a group that has been involved in various forms of cybercrime in recent years.