More stories


    This data and password-stealing malware is spreading in an unusual way

    Attackers behind the malware known as SolarMarker are using PDF documents filled with search engine optimization (SEO) keywords to boost their visibility on search engines in order to lead potential victims to malware on a malicious site that poses as Google Drive. 


    According to Microsoft, SolarMarker is a backdoor malware that steals data and credentials from browsers. SEO poisoning is an old-school technique that uses search engines to spread malware. In this case, the attackers are using thousands of PDFs filled with keywords and links that redirect the unwary across multiple sites towards one that installs the malware. “The attack works by using PDF documents designed to rank on search results. To achieve this, attackers padded these documents with >10 pages of keywords on a wide range of topics, from ‘insurance form’ and ‘acceptance of contract’ to ‘how to join in SQL’ and ‘math answers’,” said Microsoft Security Intelligence in a tweet.

    CrowdStrike raised an alarm about SolarMarker in February for using the same SEO poisoning tactics. The malware predominantly targeted users in North America. The attackers were hosting pages on Google Sites as lures for the malicious downloads; the sites promoted document downloads and were often highly ranked in search results, which in turn boosted the ranking of the lures. Microsoft researchers found the attackers have since started using Amazon Web Services (AWS) and Strikingly’s service as well as Google Sites.

    “When opened, the PDFs prompt users to download a .doc file or a .pdf version of their desired info. Users who click the links are redirected through 5 to 7 sites with TLDs like .site, .tk, and .ga,” Microsoft said. “After multiple redirections, users reach an attacker-controlled site, which imitates Google Drive, and are asked to download the file.” This typically leads to the SolarMarker/Jupyter malware, but Microsoft has also seen random files being downloaded as part of an apparent method to dodge detection, it added. Once installed, the malware exfiltrates stolen data to a command-and-control server and persists by creating shortcuts in the Startup folder as well as modifying shortcuts on the desktop.

    “Microsoft 365 Defender data shows that the SEO poisoning technique is effective, given that Microsoft Defender Antivirus has detected and blocked thousands of these PDF documents in numerous environments,” Microsoft said.


    Ransomware is the top cybersecurity threat we face, warns cyber chief

    Ransomware is one of the key cybersecurity threats facing the UK, and the cyber criminal groups behind it are becoming more dangerous, the UK’s cyber chief is to warn.

    Lindy Cameron, the head of the National Cyber Security Centre (NCSC), will say that the organisation – the cyber security arm of spy agency GCHQ – is committed to tackling the threat of ransomware and “supports victims of ransomware every day”, but that a coordinated response is required to combat the growing threat.

    While state-sponsored hacking campaigns pose a “malicious strategic threat to the UK’s national interests”, it is cyber crime – and in particular ransomware – that has become the biggest threat.

    “For the vast majority of UK citizens and businesses, and indeed for the vast majority of critical national infrastructure providers and government service providers, the primary key threat is not state actors but cyber criminals,” Cameron is due to say in a speech to the Royal United Services Institute (RUSI) defence and security think tank.

    Recent incidents such as the ransomware attacks against Colonial Pipeline and meat processor JBS, as well as the ransomware attack against the Irish healthcare service, have demonstrated how disruptive these cyber criminal campaigns can be to critical services. Meanwhile, UK organisations including businesses, government agencies, schools and universities have all fallen victim to ransomware attacks this year.

    Not only are cyber criminal ransomware groups encrypting networks and demanding a significant payment in exchange for the decryption key, it is now common for them to also steal sensitive information and threaten to release it unless a ransom is paid – often leaving victims feeling they have no choice but to give in to the extortion demands.

    “As the business model has become more and more successful, with these groups securing significant ransom payments from large profitable businesses who cannot afford to lose their data to encryption or to suffer the down time while their services are offline, the market for ransomware has become increasingly professional,” Cameron will say.

    Ransomware is successful because it works: in many cases organisations still don’t have the appropriate cyber defences in place to prevent cyber criminals infiltrating their network in the first place, in what the NCSC CEO described as “the cumulative effect of a failure to manage cyber risk and the failure to take the threat of cyber criminality seriously”.

    But another reason it has become such a problem, particularly for the West, is that many of the most successful ransomware groups are working out of what Cameron described as “overseas jurisdictions who turn a blind eye or otherwise fail to act to pursue these groups”. Russia in particular is thought to be home to a number of cyber criminal ransomware groups, but the government doesn’t act on their activity because they’re not harming Russian businesses or citizens.

    “These criminals don’t exist in a vacuum. They are often enabled and facilitated by states acting with impunity,” she said.

    However, Cameron will say it is possible to fight the blight of ransomware by combining the efforts of cybersecurity experts and the government with wider international cooperation.

    “In some respects, our response to ransomware is straightforward: we need to continue to build the UK’s cyber resilience so that attacks cannot reach their targets in the first place,” she said. “But in many other respects it requires a whole of government response. This starts with the efforts to prevent the activities of the groups behind these damaging attacks.”

    Ransomware isn’t a problem for the UK alone, and Cameron urged the importance of working with other countries to tackle what is truly an international problem.


    Ransomware: Russia told to tackle cyber criminals operating from within its borders

    The United States and other G7 countries have warned countries that allow ransomware groups to operate from within their borders, and don’t make any efforts to deter their actions, that they will be held accountable for their lack of action. The warning comes as the leaders of the G7 group of countries have jointly announced a commitment to fight what they described as the global challenge of ransomware.


    The declaration – made by Canada, France, Germany, Italy, Japan, the United Kingdom and the United States at the G7 Summit in Cornwall, England – follows a string of high-profile ransomware attacks. Organisations that have had their networks encrypted by ransomware in recent weeks include Colonial Pipeline and meat processor JBS. Colonial paid cyber criminals over $4 million in Bitcoin in exchange for the decryption key for DarkSide ransomware, while JBS paid $11 million after being hacked and having its network encrypted with REvil ransomware. Such is the extent of the problem that US President Joe Biden and the other G7 leaders have vowed to combine forces in an effort to combat ransomware attacks. “We’ve agreed that we’re going to work together to address cyber threats from state and non-state actors like criminal ransomware networks, and hold countries accountable that harbor criminal ransomware actors who don’t hold them accountable,” said President Biden.

    A joint statement published following the G7 Summit specifically calls on Russia to do more when it comes to stopping cyberattacks and to “identify, disrupt, and hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other cyber crimes”. Many of the most notorious ransomware gangs are suspected to operate out of Russia, and the consensus among cybersecurity experts is that Russian cyber criminals are allowed to conduct their operations so long as they don’t target Russians. The G7 countries have also vowed to ensure that organisations – particularly those operating critical infrastructure – are secure against cybersecurity threats like ransomware. “The international community—both governments and private sector actors—must work together to ensure that critical infrastructure is resilient against this threat, that malicious cyber activity is investigated and prosecuted, that we bolster our collective cyber defenses, and that States address the criminal activity taking place within their borders,” said a White House statement. “The United States and our G7 partners are committed to working together to urgently address the escalating shared threat from criminal ransomware networks,” the statement added.



    Dentist charged by SEC for digital token project fraud, pump-and-dump AI stock scheme

    The US Securities and Exchange Commission (SEC) has charged a Florida national for his alleged role in three separate securities fraud scams. 

    Edgar Radjabli, a former dentist, controlled Apis Capital Management LLC, marketed as an advisory firm that the SEC says was unregistered. Through this company, Radjabli, as managing partner, allegedly controlled Apis Tokens, an offering billed as the “first tokenized hedge fund” and based on the Stellar platform. Apis Tokens were touted as a way for investors to access the ACM Market Neutral Volatility Strategy fund by converting cryptocurrency including Bitcoin (BTC) and Ethereum (ETH) into Apis Tokens and stakes in the fund. “The offering model of the Apis Token is different from a traditional ICO, as it allows investors to subscribe throughout the month, with the funds collected deployed at month’s end and the tokens simultaneously issued to investors,” the company claimed. In June 2018, Apis Capital said that $1.7 million in funds had been raised and was “allocated to the strategy.” However, the SEC says that no money at all had been secured. By November, the organization said it intended to buy the blockchain AI division from White Company, and in December, Apis Capital claimed that the firm’s investment arm, Apis Ventures, was planning to buy Veritone for $200 million.

    The claimed deal placed Veritone shares at $10.26 per share, a 93% premium over the closing price on December 7, 2018. “We are committed to completing this transaction and remain willing to work cooperatively with Veritone,” Radjabli said in a press release at the time. “Our vision for the company involves significant synergy with our growing portfolio of AI and machine learning investments, opening up new opportunities for Veritone’s technology.” Veritone is a publicly traded developer of operating systems for artificial intelligence (AI) solutions. According to US regulators, “in truth, Radjabli and Apis Capital lacked the financing or any reasonable prospect of obtaining the financing necessary to complete the deal.” Instead, by hyping investor interest with a 93% premium offer, shares surged, and Radjabli allegedly claimed $162,800 in profit by trading Veritone stock through both Apis Capital and an affiliated fund.

    The fraudulent fund claim and the pump-and-dump stock scheme were joined by a third scam allegedly pulled off by the ex-dentist, who also managed to raise close to $20 million from over 450 investors in an unregistered, fraudulent securities offering. The SEC says that Radjabli launched the offering through My Loan Doctor and told investors that cash raised would be used to originate loans to healthcare professionals and sell them on to large investors. Instead, however, the bulk of the funds were allegedly invested in uninsured and unsecured loans, and close to $1.8 million was sent to Apis Capital. Radjabli, Apis Capital, and Loan Doctor have been charged with violating antitrust and securities laws. A settlement has been agreed, subject to court approval, in which Radjabli and the two entities must pay $600,000 in damages. Conduct-based injunctions would also be put in place and, if the settlement is accepted, Radjabli would be banned from penny stocks and the securities industry as a whole.


    Volkswagen, Audi disclose data breach impacting over 3.3 million customers, interested buyers

    Volkswagen has revealed a data breach impacting over 3.3 million customers.

    The majority of impacted individuals are either current or prospective buyers of Audi vehicles. 163,000 individuals are in Canada, whereas the rest are in the United States. On Friday, the automaker said that a compilation of data used for sales and marketing purposes between 2014 and 2019 was left unsecured and exposed online “at some point” between August 2019 and May 2021, although the exact timeline has not been established. An associate vendor has been identified as the source of the breach, but the company has not been named. Audi and Volkswagen were alerted that “an unauthorized third party” may have accessed this information on March 10. Volkswagen says that first and last names, personal and/or business mailing addresses, email addresses, and phone numbers may have been exposed in the breach, alongside information concerning “vehicle[s] purchased, leased, or inquired about,” such as vehicle ID numbers, makes, models, years, and colors. Volkswagen has informed relevant authorities and law enforcement of the data breach.

    Reuters reports that regulators have been told that the majority of records only relate to phone numbers and email addresses; however, roughly 90,000 Audi customers and potential buyers in the US may have had purchase and lease eligibility data compromised, such as driving license numbers, dates of birth, Social Security numbers, account or loan numbers, and tax identification numbers. Individuals whose sensitive data has been exposed will be offered free credit monitoring through an enrollment code. The company says that anyone notified but not offered this code did not have information deemed sensitive compromised, and so should stay alert for phishing emails or spam based on any of the basic data leaked. Emails or letters may also be sent to those involved in the security incident who were not direct customers or prospective buyers. “In a limited number of cases, an Audi or Volkswagen customer or interested buyer provided names and contact information for a relative or personal reference to an authorized dealer for purposes of seeking financing of some kind,” notification partner IDX says. Volkswagen says that external cybersecurity experts have been pulled in to investigate the incident. “Audi and Volkswagen are working with third-party cybersecurity experts to assess and respond to this situation and have taken steps to address the matter with the vendor involved,” the firms say. A help hub has been set up by IDX for those who believe they have been impacted by the data breach.


    Codecov to retire the Bash script responsible for supply chain attack wave

    Codecov has introduced a new uploader that relies on NodeJS to replace and remove a Bash script responsible for a recent supply chain attack. 

    The San Francisco-based DevOps tool provider said in a blog post that the new uploader will be shipped as a static binary executable suitable for Windows, Linux, Alpine Linux, and macOS. The uploader, used in the same manner as the existing Bash uploader, is used to push coverage data and updates to products during development cycles. The uploader is currently in the Beta stage and so is yet to be fully integrated, but Codecov says that “most standard workflows that are currently accomplished with the Bash Uploader can be accomplished with the new uploader.” Codecov’s Bash uploader was the source of a string of supply chain attacks taking place around January 31, 2021, made public on April 15. By infiltrating Codecov’s network and hijacking the Bash uploader, the threat actors ensured that rather than pushing “healthier” code during project updates, as Codecov intends, users were, instead, subject to the theft of information stored in their continuous integration (CI) environments. The attack may have also allowed the attackers to “raid additional resources,” according to investigators brought in after the breach was made public — including credentials, potentially leading to wider network compromise in some cases. It is thought that hundreds of organizations may have become embroiled in the security incident. Known victims include Rapid7, Monday.com, Mercari, and Twilio. 

    Codecov’s Bash uploader range — the Codecov-actions uploader for GitHub, CircleCI Orb, and Bitrise Step — were all impacted. The company says that with the introduction of the new uploader, all other language-specific uploaders will be deprecated, with “special attention” paid to the Bash uploader at fault. Codecov has been working on the NodeJS uploader for eight months, originally to reduce the increasing complexity of facilitating uploads and maintenance as the Codecov customer base increased. Now that the Bash script is tied to a severe security incident, however, the upgrade has become an urgent necessity. “The distribution mechanism of choice (i.e., curl pipe to bash) while incredibly convenient, is notoriously problematic from a security perspective,” Codecov said. “The weaknesses of the curl | bash approach came to the forefront during [the] recent security event.” The new uploader is now available for public use under the Beta umbrella and includes a more secure, verifiable distribution architecture, protections against unauthorized code modification, and an improved CI/CD pipeline for conducting automated testing of the uploader on Windows, Linux, and macOS. Codecov hopes to deprecate the Bash uploader from November, with a full sunset of the system planned for after February 1, 2022. The organization has also outlined other security improvements in the wake of the attacks.
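    The weakness Codecov describes in curl | bash is that nothing checks the script between download and execution, so a tampered copy runs with the CI job’s credentials. The shell example below is an added illustration (not Codecov’s own code, and not its new uploader) of the defender-side check a verifiable distribution provides: pin a SHA-256 digest, compare the downloaded file against it, and refuse to run anything that does not match. The sample uploader script, the pinned digest and the tampered copy are all constructed inline for the demo.

```shell
#!/bin/sh
# Added example, not Codecov's code: verify a downloaded script's SHA-256
# against a pinned digest before it is allowed to execute, instead of
# piping it straight from curl into bash.

# Print the SHA-256 hex digest of a file (works with sha256sum or shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Run FILE only if its digest equals PINNED; on mismatch, refuse and return 1.
# Usage: verify_then_run FILE PINNED_SHA256
verify_then_run() {
    file="$1"
    pinned="$2"
    actual="$(sha256_of "$file")"
    if [ "$actual" != "$pinned" ]; then
        echo "refusing to run $file: expected $pinned, got $actual" >&2
        return 1
    fi
    sh "$file"
}

# Constructed sample "uploader" script. In a real pipeline the pinned digest
# is a value published by the vendor, not computed from the download itself;
# it is computed here only so the demo is self-contained.
demo_dir="$(mktemp -d)"
printf '%s\n' '#!/bin/sh' 'echo "uploader ran"' > "$demo_dir/uploader.sh"
pinned_digest="$(sha256_of "$demo_dir/uploader.sh")"

# Simulate a modified download: one appended line changes the digest.
cp "$demo_dir/uploader.sh" "$demo_dir/tampered.sh"
echo 'echo "unexpected extra command"' >> "$demo_dir/tampered.sh"

verify_then_run "$demo_dir/uploader.sh" "$pinned_digest"   # matches: runs
verify_then_run "$demo_dir/tampered.sh" "$pinned_digest" || echo "tampered copy blocked"
```

    A digest pin catches modification in transit or on the download host, which is the failure mode in the Codecov incident; it does not by itself prove who published the file, so a signed release (with the signing key obtained out of band) is the stronger form of the same check.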


    Cyber resilience company Immersive Labs announces $75 million Series C round

    Cybersecurity readiness firm Immersive Labs has announced a $75 million Series C round, with investments from Citi Ventures, Menlo Ventures and follow-on from Goldman Sachs Asset Management. The company helps organizations analyze their cybersecurity “across technical and non-technical teams” while also providing tools to help improve cyber training. Immersive Labs is now marketing a new “Cyber Workforce Optimization” platform that will strive to provide a slate of services related to identifying cybersecurity gaps in an enterprise. “From crisis management with executives, to secure software development amongst engineers and ensuring compliance in legal teams, the platform will use data insights to understand where skills are required and inject role specific training,” the company said of its services in a statement. “It will also enable board-level metrics and benchmarking.” The company has already received $48 million in venture funding, and the platform is being used at companies like Vodafone and HSBC as well as organizations like the NHS in the UK.

    “While technology has traditionally been used to plug this gap, it is incapable of making nuanced decisions, thinking laterally, instilling culture, showing leadership or taking into account numerous other crucial factors,” James Hadley, CEO of Immersive Labs, told ZDNet. “We believe human intelligence deserves to reclaim its place alongside Artificial Intelligence in cybersecurity to help organizations build resilience and reduce risk.” Hadley said cybersecurity knowledge and skills should no longer be the “preserve of a few technical people hidden away in a back office.”

    He added that the new funding will allow the company to add “new analytical capabilities and content to provide a more detailed picture of skills across the growing breadth and depth of cyber exposure facing organizations, helping them measure and manage risk better.” Cyber knowledge, skills and capabilities, he said, are growing in demand across entire organizations: not only do security teams need continual upskilling, but developers need to know how to write secure code and teams need to hire the right talent. “This creates a need for skills in both technical and non-technical teams in a way that keeps pace with the attackers. To do this, first you need to understand where these gaps lie. Our platform is capable of collecting this information using our own online learning environments, where people are dropped into cybersecurity scenarios and exercises that cover all topics and roles, from a CEO wargaming a ransomware attack with their whole team to a front-line analyst individually reverse engineering malware,” Hadley explained. “By collecting information on who has been upskilled against which threats specific to their role and when, and cross-referencing this with metadata, we can provide an organization-wide view of skills capabilities.” The platform offers training sessions and gamified environments to help fill any skills gaps that are discovered during the analysis process. “This is a far more cost-effective and efficient way of training, speeding up the skills cycle in a way that is more relevant to today’s remote workforce and the threat at hand. It will also allow CISOs to report on skills levels to the board to make them a bigger part of overall business cyber resilience,” Hadley added. “At the heart of our platform are labs and crisis scenarios: gamified story-driven exercises accessible on-demand through the browser and suitable for a range of different roles and technical abilities. These are informed by emerging threat intelligence and are compiled by our team of in-house experts who specialize in everything from cyber crises to application security to encryption. New labs are created continually, sometimes within hours of a new threat emerging.”

    The company will use the recent funding influx to expand its footprint internationally and bring its global headcount to 600 within the next two years. There are also plans for regional operation centers in Europe and the Asia Pacific region. The company currently has headquarters in Boston and Bristol, with about 200 total employees. Venky Ganesan, a partner at Menlo Ventures, said the cybersecurity labor shortage made it important for organizations to get every employee up to speed on the latest threats. “Immersive Labs helps large organizations confront this head-on by combining smart data analysis with targeted training. The cybersecurity threat will only increase, making Immersive Labs future proof as they seek to help large enterprises educate and arm themselves against ever-evolving threats,” Ganesan said. Other investors, like Arvind Purushotham from Citi Ventures, echoed those ideas, noting that Immersive Labs’ work “creates visibility into and optimizes one of the most valuable assets in cyber defense, the human defenders.”


    This app teaches you how to make your iPhone secure

    A big part of making security work is educating users about the importance of it, and about how quickly (and usually effortlessly) the bad guys can take advantage of our mistakes. This is exactly what iVerify does.

    First and foremost, iVerify is a security scanner that makes sure you are making use of the basic security features such as Face/Touch ID and Screen Lock, and that you are running the latest iOS version. It also runs a device scan that looks for security anomalies and gives you a heads-up if something seems out of place. It can be very hard to spot whether an iPhone has been hacked, so having a tool installed that keeps an eye out for the telltale signs of intrusion offers peace of mind. iVerify is also packed with guides that look at the many different security features built into iOS, and how you can take advantage of them to secure your iPhone (or iPad). There’s also a whole raft of other useful material, from information on securing your Apple, Facebook, Google, Instagram, LinkedIn, and Twitter accounts, information on activating DNS over HTTPS, a periodic reboot reminder (a simple way to protect yourself from remote exploits that do not persist across a restart), and even a page that offers the latest security news.


    iVerify is a brilliant app that gets regular updates to keep the information fresh and up-to-date. iVerify is not free — it costs $2.99 — but it’s truly worth the money if you take security seriously. Even if you know your way around iOS well, you’re likely to learn a few new things from going through all the guides contained in this app. iVerify requires iOS 13.0 or later or iPadOS 13 or later, and is compatible with iPhone, iPad, and iPod touch.