More stories

    FonixCrypter ransomware gang releases master decryption key

    The cybercrime group behind the FonixCrypter ransomware has announced today on Twitter that they’ve deleted the ransomware’s source code and plan to shut down their operation.
    As a gesture of goodwill towards past victims, the FonixCrypter gang has also released a package containing a decryption tool, how-to instructions, and the ransomware’s master decryption key.
    These files can be used by former infected users to decrypt and recover their files for free, without needing to pay for a decryption key.
    Allan Liska, a security researcher at threat intelligence firm Recorded Future, tested the decrypter at ZDNet’s request earlier today and verified that the FonixCrypter app, instructions, and master key work as advertised.
    “The decryption key provided by the actors behind the Fonix ransomware appears to be legitimate, though it requires each file to be decrypted individually,” Liska told ZDNet.
    “The important thing is that they included the master key, which should enable someone to build a much better decryption tool,” he added.
    A better decrypter is currently in the works at Emsisoft and is expected to be released next week, Michael Gillespie, an Emsisoft security researcher who specializes in breaking ransomware encryption, told ZDNet earlier today in an online chat. Users are advised to wait for the Emsisoft decrypter rather than use the one provided by the FonixCrypter gang, which may easily contain other malware, such as backdoors, that victims might end up installing on their systems.

    The decryption utility released today by the FonixCrypter gang

    Prior to shutting down today, the FonixCrypter ransomware gang has been active since at least June 2020, according to Andrew Ivanov, a Russian security researcher who’s been tracking ransomware strains on his personal blog for the past four years.
    Ivanov’s FonixCrypter blog entry shows a history of constant updates to the FonixCrypt code, with at least seven different FonixCrypt variants being released last year.
    While the ransomware’s source code might not have been top-notch, the ransomware worked and was deployed in the wild last year, making victims all over the globe.
    Currently, all signs point to the FonixCrypter gang being serious about its plans to shut down. Liska said the gang had today removed the Telegram channel where it usually advertised the ransomware to other criminal groups, but the Recorded Future analyst also pointed out that the group announced plans to open a new channel in the near future.
    The FonixCrypter gang, however, did not specify if this new Telegram channel will focus on providing a new and improved ransomware strain. According to a message posted on Twitter, the group claims they plan to move away from ransomware and use their abilities in “positive ways.” Whatever that means.


    Use ItsMyData to stop ecommerce sites from abusing your valuable data

    Instead of embracing consumer rights, many online stores make it difficult for users to opt out by hiding the opt-out link and creating artificial obstacles. Now opting out can be easy with this new tool from ItsMyData.
    The Google Chrome extension ItsMyData allows you to automatically opt out of allowing online stores to sell your data.
    The NJ-based startup’s goal is to protect consumers from the behavior of online retailers who collect and transact with their data to the detriment of consumers.
    On Jan. 1, 2020, the California Consumer Privacy Act (CCPA) came into effect. The Act contains provisions requiring e-commerce sites to enable users to opt-out from allowing the sale of their data. It also sets large fines and sanctions against retailers who fail to do so.
    Every time you shop online you share a fair amount of details with the online retailer you are visiting. Through the use of data gathering and analytics, retailers have combined art and science to learn as much as they can about users’ preferences, patterns, and personal information.
    However, while complying with consumer rights, many online stores hide the opt-out link and create artificial obstacles to prevent opting out.

    They do the bare minimum to comply with requirements — claiming they are compliant — while making it almost impossible for the consumer to opt-out. Selling your data is a meaningful revenue stream generator for online retailers.
    They use this information to better target consumers and encourage them to engage in behaviors that benefit those retailers.
    Online retailers have become experts at identifying, collecting, storing, and selling personal information about their customers in ways that would make most customers shudder had they known.
    Most customers have no idea how much information is being collected and stored, or even that they need to opt out to ensure their private information is not handed directly to third parties that use it for their own advantage.
    Protecting your privacy where user data has become a form of currency online is not easy and not available for everyone.
    ItsMyData is not supported in every state. If your state has not yet adopted the CCPA requirements or a similar law, you will not be able to take advantage of the plugin.
    However, many states across the US have introduced similar privacy bills that are progressing through committees or across chambers.
    It is only a matter of time before such bills become law across the country and you will be able to opt out from all the pesky online sites that annoy you so much.

    Google deploys Chrome mitigations against new NAT Slipstreaming attack

    Google has blocked eight additional ports inside the Chrome web browser in order to prevent a new variation of an attack named NAT Slipstreaming, the company’s engineers announced today.

    The original NAT Slipstreaming attack was first disclosed on October 31, 2020, by Samy Kamkar, a well-known security researcher.
    The attack worked by luring users to a malicious website where JavaScript code would establish a connection to the victim’s device directly, bypassing the defenses provided by firewalls and network address translation (NAT) tables.
    The attacker could abuse this connection to the user’s system to launch attacks on devices located on a victim’s internal network.
    The initial version of the NAT Slipstreaming attack abused the Session Initiation Protocol (SIP) to establish these pinhole connections to devices on internal networks via ports 5060 and 5061.
    Two weeks after the attack became public, Google responded to Kamkar’s discovery by blocking these two ports in Chrome 87 to prevent attackers from abusing this technique, which the browser maker deemed a severe threat and easy to abuse.
    Apple and Mozilla also shipped similar blocks inside Safari and Firefox weeks later.
    New NAT Slipstreaming attack variant discovered

    But earlier this week, security researchers from IoT security firm Armis announced that they had worked with Kamkar to expand the original attack into a new version they named NAT Slipstreaming 2.0.
    This new version replaces SIP and piggybacks on the H.323 multimedia protocol to open the same tunnels inside internal networks and bypass firewalls and NAT tables.
    Armis researchers said the 2.0 variant of the NAT Slipstreaming attack was just as potent as the first and would have allowed the same class of internet-based attacks on devices normally accessible only from internal LANs.
    Ports 69, 137, 161, 1719, 1720, 1723, 6566, 10080 to be blocked
    Earlier today, Google said that it would block connections to port 1720, used by the H.323 protocol, as well as seven other ports that its engineers believe could be abused in the same manner by similar variations of the NAT Slipstreaming attack.
    The other seven ports were 69, 137, 161, 1719, 1723, 6566, and 10080.
    Any HTTP, HTTPS, or FTP connections via these ports will now fail, Google said today.
    According to a Chrome feature status report, the block is already active for any user using a Chrome version of 87.0.4280.117 and later.
    It appears that updating the list of blocked ports was done server-side, without needing to deliver a separate Chrome update to end users.
    Firefox and Microsoft’s Edge browsers have also deployed fixes for the NAT Slipstreaming 2.0 attack. The Firefox patch was delivered in Firefox 85 earlier this week as CVE-2021-23961, while the Edge fix shipped as a fix for CVE-2020-16043.

    A network of Twitter bots has attacked the Belgian government's Huawei 5G ban

    Social media research group Graphika has published a report today exposing a small network of 14 Twitter accounts that engaged in a coordinated campaign to criticize the Belgian government’s plan to ban Huawei from supplying 5G equipment to local telecommunications providers.
    The accounts used fake names and posed as Belgium-based tech and 5G experts. They also used profile images generated using machine learning GAN algorithms, a technique that is gaining traction with more and more social media influence networks.
    In a 33-page report [PDF] published today, Graphika researchers said the accounts spent their time retweeting content from popular accounts and mixing it with their own tweets that attacked the Belgian government’s decision to ban “high-risk” providers from its national 5G network, along with tweets that praised Huawei as a reliable investor and partner.
    These tweets would often link to articles sponsored by Huawei itself, articles from news agencies registered at non-existing addresses, or articles with the same text and headline but hosted across multiple newly-registered news sites and blogs.
    Some of the most common sources were domains like london-globe.com, newyorkglobe.co, toplinenews.eu, and eureporter.co.

    Graphika researchers said that while past Twitter botnets worked in an automated fashion, this smaller network appeared to have been manually operated, with all tweets being hand-written for each of the 14 accounts.
    But despite the small number of accounts that were part of this botnet, tweets were often amplified by other accounts, including what appeared to be a second network of Twitter bots.

    “These were created in batches and featured a “house style” of pictures of mainly Western women, and handles that consisted of seven letters followed by eight numbers,” Graphika researchers said.
    This campaign targeting the Belgian government did not go unnoticed, with several Belgian tech and government workers also spotting it on their own last month.

    So here’s the thread on Huawei I promised yesterday. It seems Huawei is using social media black ops tactics to try to convince policy-makers in Belgium that it can be trusted to build 5G networks. 🤨 pic.twitter.com/noZKM13RuD
    — Michiel van Hulten (@mvanhulten) December 22, 2020

    All in all, Graphika did not specifically conclude that any of the 14 accounts were controlled by Huawei or a related entity, leaving this question unanswered.
    Nonetheless, Graphika noted that some Huawei employees in Western Europe had often retweeted some of this bot network’s content.
    All 14 Twitter accounts have now been suspended.

    Trickbot is back again – with fresh phishing and malware attacks

    Trickbot malware is back with a new campaign – just a few months after its operations were disrupted by a coalition of cybersecurity and technology companies.
    Initially starting life as a banking trojan, Trickbot evolved to become a highly popular form of malware among cyber criminals, particularly because its modular nature allowed it to be used in many different kinds of attacks.
    These include the theft of login credentials and the ability to propagate itself around the network spreading the infection further.
    Trickbot even became a loader for other forms of malware, with cyber criminals taking advantage of machines already compromised by Trickbot as a means of delivering other malicious payloads, including ransomware.
    In October last year, a takedown led by Microsoft disrupted the infrastructure behind the Trickbot malware botnet, but now it appears to be coming back to life as researchers at Menlo Security have identified an ongoing malware campaign which has the hallmarks of previous Trickbot activity.
    These attacks appear to be exclusively targeting legal and insurance companies in North America, with phishing emails encouraging potential victims to click on a link which will redirect them to a server which downloads a malicious payload.

    Many of these emails claim that the user has been involved in a traffic infringement and point them towards a download of the ‘proof’ of their misdemeanor – a social engineering trick which can catch people off guard and panic them into downloading. In this case the download is a zip archive which contains a malicious JavaScript file – a typical technique deployed by Trickbot campaigns – which connects to a server to download the final malware payload.
    Analysis of this payload indicates that it connects to domains which are known to distribute Trickbot malware, indicating that it’s once again active and could pose a threat to enterprise networks.
    “Where there’s a will, there’s a way. That proverb certainly holds true for the bad actors behind Trickbot’s operations,” said Vinay Pidathala, director of security research at Menlo Security.
    “While Microsoft and its partners’ actions were commendable and Trickbot activity has come down to a trickle, the threat actors seem to be motivated enough to restore operations and cash in on the current threat environment,” he added.
    An advisory on Trickbot by the UK’s National Cyber Security Centre (NCSC) recommends that organisations use the latest supported versions of operating systems and software and apply security patches in order to stop Trickbot and other malware from exploiting known vulnerabilities to spread.
    It’s also recommended that organisations apply two-factor authentication across the network so that, in the event of one machine being compromised by malware, it’s much harder for the infection to spread.

    Telegram now lets you bring across chat history from WhatsApp

    Telegram has launched a new feature to help people move their chat history from other apps including WhatsApp.
    Telegram was one of the major beneficiaries of the public backlash against Facebook in January updating WhatsApp’s privacy policy, which would allow it to share more information with businesses. 
    Telegram claimed to have gained 25 million new users after initial reports about the new policy, pushing its user numbers beyond 500 million. 
    Security experts generally recommend Signal as the most secure chat app, which also gained a lot of users who were fleeing from WhatsApp. Other secure chat app options include Threema and Wickr, which offer end-to-end encryption by default. The developers of these apps have also released source code for third-party audits, whereas Telegram has not.   
    According to Telegram, it gained 100 million new users in January, and it has now developed a feature that lets users bring their old WhatsApp messages across to Telegram. The chat migration feature also works for chat histories in Line and KakaoTalk, and for both individual and group chats.
    The feature takes advantage of WhatsApp’s already available export chat option.    

    “To move a chat from WhatsApp on iOS, open the Contact Info or Group Info page in WhatsApp, tap Export Chat, then choose Telegram in the Share menu,” Telegram explained. 
    WhatsApp on iOS also lets users export chats directly from the chat list by swiping left on a chat, then choosing Export Chat.
    In addition, Telegram announced a new feature that lets users report fake channels and groups that pose as famous people and organizations. Telegram says its moderators will investigate reports when users open a suspect profile page and tap Report > Fake Account. 
    WhatsApp in mid-January decided to delay its privacy policy update due to confusion about what the update meant. It moved the deadline for accepting its new terms from February 8 to May 15. 
    “We’re now moving back the date on which people will be asked to review and accept the terms. No one will have their account suspended or deleted on February 8,” WhatsApp said.  
    “We’re also going to do a lot more to clear up the misinformation around how privacy and security works on WhatsApp. We’ll then go to people gradually to review the policy at their own pace before new business options are available on May 15.”

    SolarWinds attack is not an outlier, but a moment of reckoning for security industry, says Microsoft exec

    Sophisticated attacks could put more tech suppliers at risk.
    If you were hoping the SolarWinds hack was going to be a one-off, you’re out of luck. Expect more sophisticated and complicated attacks of the same type to come along sooner or later.
    The SolarWinds hack – a supply chain attack that saw (most likely Russian state-backed) hackers use SolarWinds’ enterprise IT-monitoring software to deploy malware – hit a number of big-name US tech vendors. 
    These include Microsoft, FireEye (which owns Mandiant), Mimecast, Palo Alto Networks, Qualys, Malwarebytes, and Fidelis. What really set this attack apart was that many of the targets were not just government agencies or businesses, but the security companies themselves.
    “What SolarWinds has taught us is that this landscape is more complex and more sophisticated. Is this a different attack? It is a really sophisticated attack,” Vasu Jakkal, Microsoft’s corporate vice president of security, compliance and identity, told ZDNet in an interview.
    “These attacks are going to continue to get more sophisticated. So we should expect that. This is not the first and not the last. This is not an outlier. This is going to be the norm. This is why what we do is more important than ever,” she said.
    “I believe that SolarWinds is a moment of reckoning in the industry. This is not going to change and we have to do better as a defender community and we have to be unified in our responses. We have been out there, leading in this response.” 

    Jakkal takes a similar line to Microsoft president Brad Smith. “While governments have spied on each other for centuries, the recent attackers used a technique that has put at risk the technology supply chain for the broader economy,” said Smith in the wake of Microsoft’s disclosure about the attacks. 
    “This is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency,” he said.
    “It’s an unprecedented time. Full stop,” says Jakkal. “Cybersecurity vendors getting hacked – that is a moment of reckoning.” 
    Microsoft is also looking at security as a key area of growth. Microsoft CEO Satya Nadella announced at this week’s second-quarter earnings report that commercial cloud sales were through the roof and that Microsoft’s overall security business was now worth $10 billion a year in revenues.  
    To put that in context, Microsoft’s cybersecurity business is worth about 14% of the $66.8 billion annual revenue run rate that the entire Microsoft cloud business is expected to make this year.
    Microsoft’s security portfolio is vast. There’s Microsoft Defender for Mac, Windows and Linux endpoints, Defender for email and Defender for Office 365. Microsoft calls this business XDR or the extended detection and response portfolio, which has been bolstered by its security information and event-management (SIEM) platform, called Sentinel. 
    Jakkal is still upbeat about the prospects of the US cybersecurity and broader software industry rising to the threat demonstrated by the SolarWinds hack. She argues that by going after so many tech security providers, the hackers have shown that the industry needs to act as one.
    “And we have come together. I’m really impressed to see how the cybersecurity industry – FireEye, Microsoft – how we can get together across private and public sectors to discuss how we can share more information between organizations.
    “These are things we are considering. This is why it is a moment of reckoning, a moment of pause,” says Jakkal.

    Electronic health records provider Athena to pay $18m settlement in kickback lawsuit

    Electronic health records (EHR) provider Athena has agreed to pay $18.25 million to settle claims the company was involved in an illegal kickback scheme. 

    Athenahealth Inc., an EHR vendor based in Watertown, Massachusetts, was accused by whistleblowers of conducting kickback deals in order to promote the sale of athenaClinicals.
    AthenaClinicals is a web-based EHR portal for accessing medical documentation and patient records, and for exchanging data between care sites. The software is touted as a means for healthcare professionals to “focus on delivering care.”
    On Thursday, the US Department of Justice (DoJ) said that Athena’s settlement will lay accusations of violating the False Claims Act and the Anti-Kickback Statute (AKS) to rest. 
    US prosecutors allege that from 2014 through September 2020, Athena provided kickbacks to healthcare providers and other EHR vendors to induce them into purchasing AthenaClinicals software.
    According to the complaint, three marketing programs were used to allegedly facilitate the scheme. Prospective and existing clients were invited to complimentary, all-expenses-paid “Concierge Events” providing entertainment — including entry to the Masters Tournament and NFL games — and a “Lead Generation” program paid clients up to $3,000 for each new physician signed up “regardless of how much time, if any, the existing customer spent speaking to or meeting with the new client,” the DoJ said.
    In addition, Athena allegedly entered into deals with competing vendors that were planning to exit the EHR industry and paid them for referrals that converted into new clients. 

    “By offering and paying this illegal remuneration in cash and in kind, Athena submitted and caused its EHR clients to submit to federal health care programs false or fraudulent claims that resulted from violations of the AKS,” the US agency says. 
    The lawsuit and a separate claim were both filed under the whistleblower provisions of the False Claims Act in 2017 and later consolidated. These provisions allow private citizens to sue on behalf of the US government.
    The individuals that flagged Athena’s reported kickback scheme may be entitled to compensation from the government, but figures are yet to be determined. 
    In total, $9.12 million out of the $18.25 million settlement has been staked as “restitution” for the United States.
    “This resolution demonstrates the department’s continued commitment to hold EHR companies accountable for the payment of unlawful kickbacks in any form,” commented Acting Assistant Attorney General Brian Boynton for the DOJ’s Civil Division. “EHR technology plays an important role in the provision of medical care, and it is critical that the selection of an EHR platform be made without the influence of improper financial inducements.”
    ZDNet has reached out to Athena for comment and will update when we hear back. 