More stories

  •

    Microsoft takes another stab at a Blockchain-powered ledger service

    Credit: Microsoft
    Just weeks after announcing plans to shut down its Azure Blockchain as a Service offering, Microsoft is back with another Blockchain-powered take on the idea with its Azure Confidential Ledger service. Microsoft officials took the wraps off the public preview of Azure Confidential Ledger on the first day of its virtual Build 2021 developer conference on May 25.


    Azure Confidential Ledger, like the Azure Blockchain Service, builds on the idea that a blockchain is a distributed ledger. Microsoft’s Azure Confidential Ledger (ACL) adds an extra layer of security and scalability on top of blockchain: ACL uses the Azure Confidential Computing platform, meaning an instance of ACL runs in a dedicated, fully attested, hardware-backed enclave.

    ACL is built on top of the Confidential Consortium Framework (CCF), which Microsoft showed off publicly in 2017. At that time, officials said the Coco (short for “confidential consortium”) Framework was meant to work with any ledger protocol and on any operating system and hypervisor that supports a compatible Trusted Execution Environment (TEE), a secure area of a processor. The framework was designed to be used on-premises and/or in various vendors’ clouds, officials said.

    Microsoft officials said ACL works well when users need audit logging and tracking of highly sensitive admin operations. They suggested that healthcare, financial and retail, information technology, supply chain monitoring and any business where contracts and deeds need to be exchanged securely would all be good candidates for ACL.

    I asked Microsoft if ACL should be considered the replacement for Azure Blockchain as a Service and got no direct reply. Instead, a spokesperson said: “We are asking (Azure Blockchain Service) customers to transition to the ConsenSys Quorum Blockchain Solution. As industry dynamics have changed, we made the decision to shift our focus from a product-oriented offering to a partner-oriented solution.”

    Update (May 25): And here’s the direct reply on positioning of ACL, courtesy of a spokesperson: “Azure Confidential Ledger doesn’t replace Azure Blockchain Service but is another distributed ledger that can be used by customers who want the maximum level of privacy afforded to them. With Azure Confidential Ledger, customers can take advantage of Azure’s Confidential Computing to harness the power of secure enclaves when setting up the distributed blockchain network. In comparison, ConsenSys Quorum Blockchain Service is built on ConsenSys Quorum, an open source technology that is fully compatible with Azure Blockchain Service and will provide a seamless migration experience for users.”
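    The property being sold here, an append-only audit log whose records cannot be altered after the fact without detection, is easiest to see in miniature. The Python below is an added illustration and not ACL or CCF code; it does not model their actual design (CCF’s Merkle-tree receipts and the enclave attestation are left out). Each record’s hash commits to the previous record’s hash, so rewriting one entry, with or without recomputing its own hash, breaks a link that a verifier can find. The admin operations in the sample ledger are constructed.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List

GENESIS = "0" * 64  # the "previous hash" of the very first record


def record_digest(prev_hash: str, seq: int, entry: dict) -> str:
    """Hash a record together with the hash of the record before it.

    Canonical JSON (sorted keys, no whitespace) so the same entry always
    produces the same digest regardless of dict ordering."""
    payload = json.dumps({"prev": prev_hash, "seq": seq, "entry": entry},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


@dataclass
class Record:
    seq: int
    entry: dict
    prev_hash: str
    digest: str


class AuditLedger:
    """Append-only audit log: every record commits to the whole prefix before it."""

    def __init__(self) -> None:
        self.records: List[Record] = []

    def head(self) -> str:
        return self.records[-1].digest if self.records else GENESIS

    def append(self, entry: dict) -> Record:
        seq = len(self.records)
        prev = self.head()
        rec = Record(seq, dict(entry), prev, record_digest(prev, seq, entry))
        self.records.append(rec)
        return rec

    def first_broken(self) -> int:
        """Sequence number of the first record whose link does not verify, or -1.

        Everything after the first broken record is untrustworthy anyway, so
        reporting the first failure is enough."""
        prev = GENESIS
        for rec in self.records:
            if rec.prev_hash != prev:
                return rec.seq
            if record_digest(prev, rec.seq, rec.entry) != rec.digest:
                return rec.seq
            prev = rec.digest
        return -1


def build_demo_ledger() -> AuditLedger:
    """Three constructed admin operations (sample data, not real audit events)."""
    ledger = AuditLedger()
    ledger.append({"actor": "alice", "op": "role.assign", "target": "bob", "role": "Owner"})
    ledger.append({"actor": "bob", "op": "secret.read", "target": "prod-db-password"})
    ledger.append({"actor": "bob", "op": "role.remove", "target": "bob", "role": "Owner"})
    return ledger


def tamper_in_place(ledger: AuditLedger, seq: int, new_entry: dict) -> int:
    """Rewrite one entry but leave its stored digest alone; returns first broken seq."""
    ledger.records[seq].entry = dict(new_entry)
    return ledger.first_broken()


def tamper_and_rehash(ledger: AuditLedger, seq: int, new_entry: dict) -> int:
    """Rewrite one entry and recompute its digest.

    The following record's prev_hash still names the old digest, so the
    break moves one step forward instead of disappearing."""
    rec = ledger.records[seq]
    rec.entry = dict(new_entry)
    rec.digest = record_digest(rec.prev_hash, rec.seq, rec.entry)
    return ledger.first_broken()


if __name__ == "__main__":
    print("intact:", build_demo_ledger().first_broken())
    print("tamper in place:", tamper_in_place(build_demo_ledger(), 1, {"actor": "bob", "op": "noop"}))
    print("tamper and rehash:", tamper_and_rehash(build_demo_ledger(), 1, {"actor": "bob", "op": "noop"}))
```

    The case worth noticing is the one the chain alone cannot catch: rewrite the last record and recompute its digest, and the ledger is internally consistent again. Only a head hash pinned somewhere the log’s operators cannot quietly change exposes it, which is the job the attested enclave is doing in a design like ACL’s: the integrity guarantee has to rest on something outside the writer’s control.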

  •

    Not as complex as we thought: Cyberattacks on operational technology are on the rise

    Attacks on control processes, such as systems in industrial settings, are on the rise with common and unsophisticated methods being employed to compromise them. 

    On Tuesday, FireEye’s Mandiant cyberforensics team released a report exploring attack rates on control processes, particularly those supported by operational technology (OT). Control process attacks were once viewed as complex because of the access required, the need for malware designed to compromise proprietary industrial technologies, and the difficulty of disrupting a control process to create a predictable effect. Vulnerable, internet-facing OT endpoints are now offering a far wider attack surface.

    Mandiant’s Keith Lunden, Daniel Kapellmann Zafra, and Nathan Brubaker said that “low sophistication” OT attack attempts are increasing in frequency, and the firm has observed hackers with “varying levels of skill and resources” using “common IT tools and techniques to gain access to and interact with exposed OT systems.” Solar energy panel networks, water control systems, and building automation systems (BAS) have been targeted, and while critical infrastructure entities are on the list, the same techniques are being used against academic and private residential internet-of-things (IoT) devices, too.

    According to the team, the general trend against OT systems appears to be attackers trying to wrest control of vast numbers of open endpoints for “ideological, egotistical, or financial objectives,” rather than a wish to cause severe damage, such as by taking control of a core infrastructure asset. Over the past few years, the researchers have observed OT assets being compromised through a variety of methods, including remote access services and virtual network computing (VNC).

    However, the “low-hanging fruit” many attackers are going for are graphical user interfaces (GUIs), including human machine interfaces (HMIs), which are, by design, intended to be simple interfaces for controlling complex industrial processes. As a result, threat actors are able to “modify control variables without prior knowledge of a process,” Mandiant says.

    Another trend of note is hacktivism, propelled by widely available, free tutorials online. Recently, the researchers have seen hacktivist groups bragging in anti-Israel/pro-Palestine social media posts that they have compromised Israeli OT assets in the renewable and mining sectors. Other low-skilled threat actors appear to be focused on notoriety, with little knowledge of what they are targeting. In two separate cases, threat actors bragged about hijacking a German rail control system, which turned out to be a command station for model train sets, and a group claimed to have broken into an Israeli “gas” system that was nothing more than a kitchen ventilation system in a restaurant.

    Despite these gaffes, successful attacks against critical OT assets can have serious ramifications; the panic-buying and fuel shortages across the US caused by the ransomware outbreak at Colonial Pipeline are one example. “As the number of intrusions increase, so does the risk of process disruption,” Mandiant says. “The publicity of these incidents normalizes cyber operations against OT and may encourage other threat actors to increasingly target or impact these systems. This is consistent with the increase in OT activity by more resourced financially-motivated groups and ransomware operators.”

    The researchers recommend that, wherever possible, OT assets be removed from public, internet-facing networks. Network hardening and security audits, including device discovery, should be conducted frequently, and HMIs, alongside other assets, should be configured to prevent potentially hazardous variable states.

    The risk of OT compromise has not gone unnoticed by federal agencies. In July 2020, the US National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert warning of attacks against critical infrastructure through vulnerable OT. The agencies said legacy OT devices, internet connectivity, and modern attack methods have created a “perfect storm.”

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0
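    Mandiant’s first two recommendations, device discovery and getting OT assets off public networks, come down in practice to scanning your own external address space and flagging anything that answers on a control or remote-access protocol. The Python below is an added example, not Mandiant’s tooling: it parses nmap’s grepable (-oG) output, a real format, and reports open ports for well-known OT and remote-access services. The port table, the category and severity labels, and the sample scan output (RFC 5737 test addresses, invented hostnames) are this example’s own constructions.

```python
import re
from typing import Dict, List, Tuple

# Services a practitioner does not want to see open on an external scan of an
# OT estate. Port numbers are the IANA/vendor defaults; the category and
# severity labels are this example's own judgement, not Mandiant's.
OT_SERVICES: Dict[str, Tuple[str, str, str]] = {
    "5900/tcp":  ("VNC",            "remote-access",       "high"),
    "3389/tcp":  ("RDP",            "remote-access",       "high"),
    "502/tcp":   ("Modbus/TCP",     "control-protocol",    "critical"),  # no authentication at all
    "102/tcp":   ("Siemens S7comm", "control-protocol",    "critical"),
    "44818/tcp": ("EtherNet/IP",    "control-protocol",    "critical"),
    "20000/tcp": ("DNP3",           "control-protocol",    "critical"),
    "47808/udp": ("BACnet/IP",      "building-automation", "critical"),
    "1911/tcp":  ("Niagara Fox",    "building-automation", "high"),
}
SEVERITY_RANK = {"critical": 0, "high": 1}

# nmap -oG ("grepable") output: one "Host:" line per host with a tab-separated
# "Ports:" field of port/state/proto/owner/service/rpcinfo/version/ entries.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\t|$)")
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(tcp|udp)/[^/]*/([^/]*)/[^/]*/[^/]*/")


def parse_grepable(text: str) -> List[dict]:
    """Return one finding per open port that appears in OT_SERVICES, worst first."""
    findings = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment line, "Status: Up" line, or host without a Ports field
        ip, hostname, ports_field = m.groups()
        for port, state, proto, scanner_service in PORT_RE.findall(ports_field):
            key = f"{port}/{proto}"
            # "open|filtered" (common for UDP) is deliberately not counted as open.
            if state != "open" or key not in OT_SERVICES:
                continue
            name, category, severity = OT_SERVICES[key]
            findings.append({
                "host": ip, "hostname": hostname or None, "port": key,
                "scanner_service": scanner_service, "service": name,
                "category": category, "severity": severity,
            })
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["host"], f["port"]))
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings per severity, e.g. {'critical': 2, 'high': 1}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


# Constructed sample output (not a real scan); addresses are RFC 5737 test ranges.
SAMPLE_SCAN = """\
# Nmap 7.91 scan initiated as: nmap -sS -sU -p T:22,102,502,1911,3389,5900,44818,U:47808 -oG - 198.51.100.0/24
Host: 198.51.100.10 (hmi-boiler.example)\tPorts: 5900/open/tcp//vnc///, 502/open/tcp//modbus///\tIgnored State: closed (996)
Host: 198.51.100.11 ()\tPorts: 22/open/tcp//ssh///, 47808/open/udp//bacnet///
Host: 198.51.100.12 ()\tPorts: 502/filtered/tcp//modbus///, 3389/closed/tcp//ms-wbt-server///
Host: 198.51.100.13 ()\tStatus: Up
# Nmap done
"""

if __name__ == "__main__":
    found = parse_grepable(SAMPLE_SCAN)
    for f in found:
        print(f"{f['severity']:8} {f['host']:15} {f['port']:10} {f['service']} ({f['category']})")
    print(summarize(found))
```

    Anything this turns up on an external scan is, by Mandiant’s own framing, already within reach of the “low sophistication” attackers the report describes; an open VNC port in front of an HMI needs no process knowledge to abuse.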

  •

    Ransomware: Two-thirds of organisations say they'll take action to boost their defences

    The severe disruption caused by the Colonial Pipeline ransomware attack has alerted organisations to the need to bolster their defences against cyberattacks, and two-thirds say they will take action to avoid becoming another ransomware victim. The ransomware attack against Colonial Pipeline, one of the largest pipeline operators in the United States, providing almost half of the East Coast’s fuel, caused disruption to operations and led to gas shortages, demonstrating how cyberattacks can have physical consequences.


    Colonial paid almost $5 million for the key required to unlock the encrypted systems. The significant disruption caused by the attack and the high cost of the ransom payment appear to have been a wake-up call for organisations: a new report by IT association ISACA suggests that just over two-thirds (67%) of IT professionals expect their organisations to take new precautions in light of the Colonial Pipeline attack. Ransomware has been a major cybersecurity threat for some time and shows no sign of slowing down: 84% of those surveyed by ISACA said they believe ransomware attacks will become more prevalent during the second half of 2021.

    ”The growth of this attack type is relentless, and its targets are indiscriminate: large or small, public or private, any and all industry sectors,” said Chris Cooper, member of ISACA’s emerging trends working group.

    “From the recent Colonial Pipeline attack to the Metropolitan DC Police Department and numerous small and medium enterprises, there has been a barrage of high-profile ransomware incidents around the globe in the past month alone,” he added.

    But despite the ransomware threat, 38% of respondents say their company has not conducted any ransomware training for their staff, something that could cause problems in the event of a ransomware attack, or even lead to one in the first place.

    To help protect against ransomware, ISACA makes several recommendations. They include testing for incoming phishing attacks, so that malicious emails that could be the first step in a ransomware campaign never reach inboxes and never become a risk to users or the wider company. Organisations should also apply security patches promptly, to stop cyber criminals exploiting known vulnerabilities as a way of compromising the network.

  •

    Iranian hacking group Agrius pretends to encrypt files for a ransom, destroys them instead

    The Agrius hacking group has shifted from using purely destructive wiper malware to a combination of wiper and ransomware functionality — and will pretend to hold data to ransom as a final stage in attacks. 

    In an analysis of the threat group’s latest movements, SentinelOne researchers said on Tuesday that Agrius was first spotted in attacks against Israeli targets in 2020. The group uses a combination of its own custom toolsets and readily available offensive security software to deploy either a destructive wiper or a custom wiper-turned-ransomware variant.  However, unlike ransomware groups such as Maze and Conti, it doesn’t appear that Agrius is purely motivated by money — instead, the use of ransomware is a new addition and a bolt-on to attacks focused on cyberespionage and destruction.  Furthermore, in some attacks traced by SentinelOne when only a wiper was deployed, Agrius would pretend to have stolen and encrypted information to extort victims — but this information had already been destroyed by the wiper.  Agrius “intentionally masked their activity as a ransomware attack,” the researchers say, while actually engaging in destructive attacks against Israeli targets.  The researchers suspect the group is state-sponsored. 

    During the first stages of an attack, Agrius uses virtual private network (VPN) software while accessing its intended victim’s public-facing apps or services, then attempts an exploit, often through compromised accounts and software vulnerabilities. For example, a vulnerability in FortiOS, tracked as CVE-2018-13379, has been widely used in exploit attempts against targets in Israel. If successful, webshells are deployed, public cybersecurity tools are used for credential harvesting and network movement, and malware payloads follow.

    Agrius’ toolkit includes Deadwood (also known as Detbosit), a destructive wiper malware strain. Deadwood was linked to attacks against Saudi Arabia during 2019, thought to be the work of APT33. Both APT33 and APT34 have been connected to the use of wipers including Deadwood, Shamoon, and ZeroCleare. During attacks, Agrius also drops a custom .NET backdoor called IPsec Helper for persistence and to create a connection with a command-and-control (C2) server. In addition, the group drops a novel .NET wiper dubbed Apostle. IPsec Helper and Apostle appear to be the work of the same developer.

    In a recent attack against a state-owned facility in the United Arab Emirates, Apostle appears to have been improved and modified to contain functional ransomware components. However, the team believes it is the destructive elements of ransomware, such as the ability to encrypt files, rather than the financial lure that Agrius is focusing on during development.

    “We believe the implementation of the encryption functionality is there to mask its actual intention — destroying victim data,” the researchers say. “This thesis is supported by an early version of Apostle that the attackers internally named ‘wiper-action’. This early version was deployed in an attempt to wipe data, but failed to do so, possibly due to a logic flaw in the malware. The flawed execution led to the deployment of the Deadwood wiper. This, of course, did not prevent the attackers from asking for a ransom.”

    SentinelOne says that no “solid” connections to other, established threat groups have been made, but Agrius’ interest in Iranian issues, its deployment of web shells with ties to Iranian-built variants, and its use of wipers in the first place, an attack technique linked to Iranian APTs as far back as 2012, indicate the group is likely to be of Iranian origin.
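    The FortiOS flaw named above, CVE-2018-13379, is a pre-authentication path traversal in the SSL VPN web portal, and attempts to exploit it leave a distinctive trace in the appliance’s HTTP logs: a request to /remote/fgt_lang whose lang parameter climbs out of the language directory (the public exploit reads the sslvpn_websession file to recover plaintext credentials). The Python below is an added detection example and not SentinelOne’s or Fortinet’s code; it assumes web logs in Apache combined format, the rule names are this example’s own, and the sample lines and addresses (RFC 5737 test ranges) are constructed.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" log format; only the fields this check needs are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def classify_request(target: str) -> Optional[str]:
    """Name the rule a request target trips, or None if it looks benign.

    Both markers are checked after decoding twice so that %2e%2e and
    double-encoded %252e%252e variants are caught as well as literal '..'."""
    url = urlsplit(target)
    path = unquote(unquote(url.path))
    if path.startswith("/remote/fgt_lang"):
        for value in parse_qs(url.query, keep_blank_values=True).get("lang", []):
            decoded = unquote(unquote(value))
            if ".." in decoded or "sslvpn_websession" in decoded:
                return "CVE-2018-13379 traversal attempt"
    if ".." in path:
        return "generic path traversal"
    return None


def detect(log_text: str) -> List[dict]:
    """Run classify_request over every parseable line and return the hits in order."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rule = classify_request(m["target"])
        if rule is None:
            continue
        status = int(m["status"])
        alerts.append({
            "ip": m["ip"], "time": m["ts"], "target": m["target"],
            "rule": rule, "status": status,
            # A 200 with a non-empty body means the file was served:
            # treat that as a probable success, not just an attempt.
            "likely_success": status == 200 and m["size"] not in ("-", "0"),
        })
    return alerts


# Constructed sample log (not taken from a real appliance); RFC 5737 test addresses.
SAMPLE_LOG = """\
198.51.100.7 - - [11/May/2021:09:14:02 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 5123
203.0.113.44 - - [11/May/2021:09:15:31 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 24812
203.0.113.44 - - [11/May/2021:09:15:40 +0000] "GET /remote/fgt_lang?lang=%2e%2e%2f%2e%2e%2fdev%2fcmdb%2fsslvpn_websession HTTP/1.1" 404 0
198.51.100.9 - - [11/May/2021:09:16:05 +0000] "GET /remote/fgt_lang?lang=fr HTTP/1.1" 200 311
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["ip"], a["rule"], a["status"], "probable success" if a["likely_success"] else "attempt only")
```

    A probable success against this bug means the VPN session file, and the credentials in it, should be treated as exposed, which is exactly the “compromised accounts” foothold the report describes; a hit with a 200 should trigger credential resets, not just a ticket.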


  •

    Russian dark web marketplace Hydra cryptocurrency transactions reached $1.37bn in 2020

    An investigation into the Hydra marketplace has revealed surging transaction volumes and a thriving — albeit illicit — cryptocurrency ecosystem. On Tuesday, Flashpoint and Chainalysis jointly released a report into Hydra, a marketplace on the dark web. At its inception in 2015, Hydra was well-known for the sale of narcotics, but over time the market has expanded to include stolen credit card data, counterfeit documents including IDs, fake banknotes, and cyberattack services, among other offerings. Annual transaction volumes have climbed year-over-year, from an estimated $9.4 million in 2016 to at least $1.37 billion in 2020.

    Cryptocurrency is often used by cybercriminals in underground marketplaces to maintain a degree of anonymity, purchase goods, and launder proceeds, such as funds obtained through theft, illegal goods sales, or ransomware payouts. However, the underlying blockchain is a public record, and the researchers’ analysis of it can still reveal a good deal about transaction rates. The team says that over its three most recent years Hydra has grown by roughly 624% year-over-year, making it potentially one of the most popular criminal marketplaces at present. The market, which only serves Russian speakers, has avoided anything more than short periods of downtime, and seizure by law enforcement — at least, for now.

    Hydra keeps its users in line and has stringent seller requirements, which could be an important factor in the marketplace’s illicit success. Since at least July 2018, Hydra operators have required at least 50 successful sales before withdrawals are allowed, and an eWallet account holding at least $10,000 must be maintained. When it comes to the cryptocurrency exchanges handling transactions to and from Hydra, Chainalysis deems many “high-risk” because they do not enforce Know Your Customer (KYC) requirements. Most are located in Russia, and overall, only a small percentage of transactions pass through cryptocurrency platforms generally associated with legitimate trading. Over 1,000 unique deposit addresses, and transactions upwards of $7 million, thought to be linked to Hydra have been recorded. Withdrawals, too, go through payment services and exchanges “exclusively or primarily based in Russia and [in] Russian-friendly Eastern European countries,” according to the report. Hydra requires sellers to convert their profits into Russian fiat currency.

    Despite the iron fist imposed on sellers, Hydra accounts are still highly sought after. The researchers say a new sub-market has sprung up to obtain access to established seller accounts, and to help users skirt Hydra’s fiat currency withdrawal requirements, for a cut of the profit. Stores are being sold for up to $10,000. Law enforcement agencies have seized and closed down dark web marketplaces ranging from Silk Road to DarkMarket. However, at least for now, Hydra continues to facilitate the sale of illegal goods and services. In January, Europol took down DarkMarket, a platform facilitating trades between roughly half a million users. An Australian citizen, suspected of being the website’s operator, has since been arrested.

  •

    Encrochat drug dealer betrayed by his love of cheese

    A drug dealer’s enjoyment of Blue Stilton cheese led to his capture and a sentence of over 13 years in prison. Carl Stewart, a Liverpool resident, was identified after he shared an image of cheese purchased at a UK supermarket. The 39-year-old shared his delight in the purchase over Encrochat, an encrypted messaging service, under the handle “Toffeeforce.” However, in his glee, he did not realize that the photo provided vital clues to the police: namely, his fingerprints, which were then analyzed by investigators.
    Merseyside Police
    Merseyside police say that Stewart was a drug dealer who used to supply “large amounts” of class A and B drugs. 

    Stewart was identified and arrested. He pleaded guilty to conspiracy to supply cocaine, heroin, MDMA, and ketamine, as well as the charge of transferring criminal property. The former drug dealer was sentenced at Liverpool Crown Court on May 21 to 13 years and six months in prison.  “Carl Stewart was involved in supplying large amounts of class A and B drugs, but was caught out by his love of Stilton cheese, after sharing a picture of a block of it in his hand through Encrochat,” commented Detective Inspector Lee Wilkinson. “His palm and fingerprints were analyzed from this picture and it was established they belonged to Stewart.”

    Stewart is the latest to be prosecuted following “Operation Venetic,” an investigation into the use of Encrochat by criminal groups to avoid being identified. Encrochat, closed down by the police in July last year when its servers were seized, sold subscriptions to encrypted instant messaging on mobile phones running a custom operating system. Agencies had been working since 2016 to close the operation down, and after partners in France and the Netherlands infiltrated the platform, data shared across the network was monitored for months and has since been handed over to Europol and international law enforcement. The UK’s National Crime Agency (NCA) says that roughly 60,000 users have been identified worldwide and approximately 10,000 of them are based in the UK. Merseyside police claim that “all” of these users are involved in “coordinating and planning the supply and distribution of drugs and weapons, money laundering and other criminal activity.”

  •

    Apple says it’s time to update your iPhone… again

    Does it feel like you’ve been updating your iPhone continuously for weeks now? That’s because you have! And now iOS 14.5 has given way to iOS 14.6, so it’s time to go through the whole process again.

    iOS 14.6 brings a number of new features:

    • The ability to share Apple Card with up to five people (13 years and up), with features added to track expenses and manage spending with optional limits and controls. Each person also builds a credit history.
    • For podcasts, there are now subscription options for channels and individual shows.
    • On the AirTag and Find My front, Apple has added an option in Lost mode to add an email address instead of a phone number for AirTag and Find My network accessories. Another update: an AirTag now shows a partially masked phone number when tapped with an NFC-capable device.
    • A new accessibility feature allows Voice Control users to unlock their iPhone for the first time after a restart using only their voice.

    There is also a raft of fixes:

    • Unlock with Apple Watch may not work after using Lock iPhone on Apple Watch
    • Reminders may appear as blank lines
    • Call blocking extensions may not appear in Settings
    • Bluetooth devices could sometimes disconnect or send audio to a different device during an active call
    • iPhone may experience reduced performance during startup

    That last one is interesting, and may be the reason behind the poor benchmark performance of some handsets running iOS 14.5.1.

    There are also over 30 security fixes in this update, and while none appear to be under active exploitation, this update isn’t something you should put off installing for too long. Grab the updates by going to Settings > General > Software Update.

    Also out are iPadOS 14.6, watchOS 7.5, tvOS 14.6, macOS Big Sur 11.4 and Safari 14.1.1, as well as security updates for macOS Mojave and Catalina. Better get busy updating!


  •

    ASIO chief accuses tech giants of running safe spaces for terrorists and spies

    Image: APH
    The head of the Australian Security Intelligence Organisation (ASIO), Mike Burgess, has lashed out at tech giants for running interference and handing a free pass to Australia’s adversaries and “some of the worst people in our society”.

    “Through the use of encryption, social media and tech companies are, in effect, creating and maintaining a safe space for terrorists and spies,” Burgess told Senate Estimates on Tuesday. “It’s extraordinary how corporations that suck up and sell vast amounts of personal data without a warrant or meaningful oversight can cite a right to privacy to impede a counterterrorism investigation by an agency operating with a warrant or rigorous oversight.”

    Unlike his counterparts at the Australian Criminal Intelligence Commission, Burgess did not go so far as to rule out all legitimate reasons for using encryption. “Encryption is a fundamental force for good as a society; we need to be able to shop, bank, and communicate online with confidence. But even a force for good can be hijacked, exploited and abused,” the director-general said. “In the case of encryption, we need to recognise how it is being used by terrorists and spies. End-to-end encryption is degrading our ability to protect Australia and Australians from threats, from the greatest threats.”

    In the recent federal Budget, ASIO walked away with a 10-year, AU$1.3 billion funding boost.

    Burgess said the cash would go towards “connecting the dots” via data analytics, machine learning, and artificial intelligence across a number of areas, including language recognition, voice to text, language translation, image recognition, and sentiment monitoring. “The most important need for my people is to have the technologies support them in the job they do, so this will continue to be human-led, data-driven, technology-enabled,” he said.

    Earlier in the day, the Australian Federal Police (AFP) faced questioning on ACT Policing accessing metadata unlawfully on 1,704 occasions. Deputy commissioner Ian McCartney said the incidents were reported by the AFP, and it has started to rectify the process issues in the past couple of years. “We’ve agreed with all of the recommendations and we’re working with the Ombudsman in terms of implementing those recommendations, and we’ll report regularly back to the Ombudsman in relation to that issue,” McCartney said.

    The deputy commissioner then offered a lack of officer education and complex legislation as factors in the situation. “I think it’s fair to say our young investigators in the AFP, the complexity of legislation they face, and that the government’s apparatus around that is quite large, so there is an onus on the organisation which we take very seriously, to provide that education back, particularly, to our young investigators,” he said. McCartney said the requests were location requests, and therefore were unlikely to pervert the course of justice, and were confined to the ACT Policing arm of the organisation.

    Following the Ombudsman’s investigation, compliance for ACT Policing now sits within the AFP compliance area, and an inspectorate has been established within its professional standards command. “We will generate a lot of our own audits — that perhaps in the past we’ve relied a little bit on the Ombudsman to do some of these — we’re going to be front-running a lot of those matters to make sure that we’re compliant on all fronts,” AFP commissioner Reece Kershaw said.