More stories

  • Cybercriminals use deceased staff accounts to spread Nemty ransomware

    Cybercriminals will often use brute-force attacks, phishing emails, and existing data dumps to break into corporate networks, but there is one area that is often ignored to a company’s detriment: ghost accounts.

    When a staff member leaves their employer, whether due to a new job offer, a change of circumstances, illness, or in unfortunate cases, death, their accounts are not always removed from corporate networks.
    This oversight is one that cybercriminals are now taking advantage of, and in a recent case, actively exploited in order to spread ransomware.
    In a case study documented by Sophos’ cyberforensics group Rapid Response on Tuesday, an organization reached out after being infected by Nemty ransomware. 
    According to Sophos, the ransomware — also known as Nefilim — impacted over 100 systems, encrypting valuable files and demanding payment in return for a decryption key. 
    First detected in 2019, Nemty was a Ransomware-as-a-Service (RaaS) variant of malware that could be purchased in underground forums. In 2020, the developers took Nemty private, reserving the code’s future development for select partners. 
    During an investigation into the source of the infection, Sophos narrowed down the original network intrusion to a high-level administrator account. Over the course of a month, the threat actors quietly explored the company’s resources, obtaining domain admin account credentials and exfiltrating hundreds of gigabytes’ worth of data. 

    Once the cyberattackers had finished their reconnaissance and taken everything of value, Nemty was deployed.
    “Ransomware is the final payload in a longer attack,” noted Peter Mackenzie, Rapid Response manager. “It is the attacker telling you they already have control of your network and have finished the bulk of the attack. Identifying you are under a ransomware attack is easy, identifying the attacker was on your network a week earlier is what counts.”
    The cybersecurity team asked who the high-privilege administrator account belonged to. The victim company said the account belonged to a former member of staff who had passed away approximately three months before the intrusion.
    Instead of revoking access and closing down the ‘ghost’ account, the firm chose to keep it active and open “because there were services that it was used for.”
    Sophos suggests that any ghost account allowed to stay connected to corporate resources once the user has no need of it should have interactive logins disabled, or if the account is really needed, a service account should be created in its stead. 
    In addition, the team says that zero-trust measures should be implemented companywide to reduce potential attack surfaces.
    In another case noted by Sophos, a new user account was covertly created on a corporate network and added to a domain admin group in Active Directory. This account was then used to delete roughly 150 virtual servers and to deploy Microsoft BitLocker to encrypt existing server backups, piling on the pressure for payment.
    Update 16.03 GMT: Added detail for additional clarity concerning the two case studies.
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Veritas and Fortinet launch new security tools, automation features

    Veritas Technologies and Fortinet are rolling out new efforts to better secure and back up multi-cloud deployments and to automate threat detection, investigation, and response, respectively.

    Veritas Technologies is launching Veritas NetBackup 9, which is designed to secure edge, data center, and cloud deployments.
    The company said NetBackup 9 includes Flex Scale, a scale-out deployment option that plays well with multi-cloud deployments. The architecture behind NetBackup 9 brings a cloud experience to on-premises data centers and the ability to add nodes as needed.
    Veritas is also adding new deployment modes to NetBackup, including options for cloud, appliances, build-your-own-server, containerized deployments, and a hyper-converged offering.
    New features in NetBackup 9 include:
    • Policy automation to manage deployment, provisioning, scaling, load balancing, recovery, and cloud integration.
    • Auto-discovery of workloads, as well as more integrations via API.
    • OpenStack-based enterprise data protection via native OpenStack APIs.
    Doug Matthews, vice president of Enterprise Data Protection and Compliance at Veritas Technologies, said that less than 10% of the customer base overall is using OpenStack technologies, but the company’s largest customers are. “Multicloud is more ubiquitous in the enterprise, specifically large enterprises,” said Matthews.  

    Fortinet rolled out a new extended detection and response (XDR) offering that aims to use artificial intelligence to improve cyber attack responses. FortiXDR is cloud-native and expands on Fortinet’s security fabric, services, and automation tools.
    According to Fortinet, FortiXDR is designed to cut through the security data clutter. The argument is that security teams are struggling with multiple vendors and information overflow. FortiXDR’s AI engine is continually trained and informed by FortiGuard Labs research.
    Features of FortiXDR include:
    • Contextual responses and filtering that reduce the number of alerts across products by 77% on average.
    • Automation of complex tasks to save time and minimize human error.
    • Automation of incident investigation.

  • Google: North Korean hackers have targeted security researchers via social media

    Google said today that a North Korean government hacking group has targeted members of the cyber-security community engaging in vulnerability research.

    The attacks have been spotted by the Google Threat Analysis Group (TAG), a Google security team specialized in hunting advanced persistent threat (APT) groups.
    In a report published earlier today, Google said North Korean hackers used multiple profiles on various social networks, such as Twitter, LinkedIn, Telegram, Discord, and Keybase, to reach out to security researchers using fake personas.
    Email was also used in some instances, Google said.
    “After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project,” said Adam Weidemann, a security researcher with Google TAG.
    The Visual Studio project contained malicious code that installed malware on the targeted researcher’s operating system. The malware acted as a backdoor, contacting a remote command and control server and waiting for commands.
    New mysterious browser attack also discovered
    But Weidemann said that the attackers didn’t always distribute malicious files to their targets. In some other cases, they asked security researchers to visit a blog they had hosted at blog[.]br0vvnn[.]io (do not access).

    Google said the blog hosted malicious code that infected the security researcher’s computer after accessing the site.
    “A malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server,” Weidemann said.
    But Google TAG also added that many victims who accessed the site were running “fully patched and up-to-date Windows 10 and Chrome browser versions” and still got infected.
    Details about the browser-based attacks are still scant, but some security researchers believe the North Korean group most likely used a combination of Chrome and Windows 10 zero-day vulnerabilities to deploy their malicious code.
    As a result, the Google TAG team is currently asking the cyber-security community to share more details about the attacks, if any security researchers believe they were infected.
    The Google TAG report includes a list of links for the fake social media profiles that the North Korean actor used to lure and trick members of the infosec community.
    Security researchers are advised to review their browsing histories and see if they interacted with any of these profiles or if they accessed the malicious blog[.]br0vvnn[.]io domain.

    In case they did, they are most likely to have been infected, and certain steps need to be taken to investigate their own systems.
    The reason for targeting security researchers is fairly obvious: it could allow the North Korean group to steal exploits for vulnerabilities discovered by the infected researchers, vulnerabilities that the threat group could then deploy in its own attacks with little to no development cost.
    In the meantime, several security researchers have already disclosed on social media that they received messages from the attackers’ accounts, although none have admitted to having systems compromised.

    WARNING! I can confirm this is true and I got hit by @z0x55g who sent me a Windows kernel PoC trigger. The vulnerability was real and complex to trigger. Fortunately I only ran it in VM.. in the end the VMDK I was using was actually corrupted and non-bootable, so it self-imploded https://t.co/dvdCWsZyne
    — Richard Johnson (@richinseattle) January 26, 2021

  • Dutch COVID-19 patient data sold on the criminal underground

    Dutch police arrested two individuals on Friday for allegedly selling data from the Dutch health ministry’s COVID-19 systems on the criminal underground.

    The arrests came after an investigation by RTL Nieuws reporter Daniel Verlaan who discovered ads for Dutch citizen data online, advertised on instant messaging apps like Telegram, Snapchat, and Wickr.
    The ads consisted of photos of computer screens listing data of one or more Dutch citizens.
    The reporter said he tracked down the screengrabs to two IT systems used by the Dutch Municipal Health Service (GGD) — namely CoronIT, which contains details about Dutch citizens who took a COVID-19 test, and HPzone Light, one of the GGD’s contact-tracing systems.
    Verlaan said the data had been sold online for months for prices ranging from €30 to €50 per person.
    Buyers would receive details such as home addresses, emails, telephone numbers, dates of birth, and a person’s BSN identifier (Dutch social security number).
    Two men arrested in Amsterdam within a day
    In a press release today, Dutch police said they started an investigation last week when they learned of the ads and arrested two suspects within 24 hours of the complaint.

    Both men were arrested in Amsterdam on Friday, and were identified as a 21-year-old man from the city of Heiloo and a 23-year-old man from the city of Alblasserdam. Their homes were also searched, and their computers seized, police said.
    According to Verlaan, the two suspects worked in GGD call centers, where they had access to official Dutch government COVID-19 systems and databases.
    The names of the two suspects, who are scheduled to appear in court tomorrow, were not released, in accordance with Dutch law.
    “Because people are working from home, they can easily take photos of their screens. This is one of the issues when your administrative staff is working from home,” Victor Gevers, Chair of the Dutch Institute for Vulnerability Disclosure, told ZDNet in an interview today.
    “We have seen this before in the Netherlands with influencers and VIPs.
    “The BSN number (Dutch social security number) is important because this makes financial fraud easier for criminals,” Gevers added.
    “But also for blackmailing purposes. Especially when they know where you live.”


  • That cute robot cop can instantly work out who you are

    So cute. So nosy.
    They don’t have a gun. They just have personality.


    They roll around shopping malls and parking lots, like futuristic Blarts, offering you a sense of modern reassurance.
    Originally, Knightscope’s robot cops were the source of neighborhood humor. They’d fall in fountains and then proclaim they weren’t dead.
    Yet we should have worried, perhaps, that these were Trojan ponies, ready to trot into our lives and recount our movements to the powers-that-be.
    I’ve been shivering, you see, after reading of the Electronic Frontier Foundation’s concerns.
    Sample: “The next time you’re at a protest and are relieved to see a robot rather than a baton-wielding officer, know that that robot may be using the IP address of your phone to identify your participation,” says the EFF.
    I tend not to be seen at protests, other than in this column, but I can imagine one or two enthusiastic marchers will mutter: “What the EFF?”

    The EFF says that the Huntington Park, Calif., police has been boasting to its mayor and city council that the wireless technology in these robots’ bowels is “capable of identifying smartphones within its range down to the MAC and IP addresses.”
    The company has a section on its site touting “Cellular Device Detection of Persons of Interest.”
    It reads, in part: “When a device emitting a Wi-Fi signal passes within a nearly 500ft radius of a robot, actionable intelligence is captured from that device including information such as: Where, when, distance between the robot and device, the duration the device was in the area, and how many other times it was detected on site recently.”
    One shouldn’t be surprised, of course. A couple of years ago, Knightscope boasted that some of its robots had facial recognition capabilities.
    The company then explained: “While facial recognition is largely seen as a tool to protect against known threats, it is also capable of greeting VIPs with a personal message and notifying our clients of VIP arrivals on site.”
    I fear facial recognition is largely seen as a surveillance tool employed by too many governments for quite nasty reasons, too often against innocent people. It can be seen as frighteningly inaccurate, too.
    The EFF worries that the efficacy of these robots is all in the programming. It’s already accepted that facial recognition and AI have a troubling racial bias. “If robots are designed to think people wearing hoods are suspicious, they may target youth of color,” says the EFF’s policy analyst Matthew Guariglia.
    I twice asked Knightscope if it recognized an issue with any potential privacy concerns and will update, should its PR — or AI — respond.
    I regularly get updates from Knightscope, as the company markets its latest achievements.
    “New contracts in new places,” shouted one from last year. A water district, a storage facility, and an apartment complex in Las Vegas have all signed up.
    Perhaps you’ll find such moves understandable, if not pacifying, as hiring good security humans isn’t always easy.


    Then there was the announcement that Knightscope is the sole provider of Autonomous Security Robots on the NCPA platform. That would be the National Cooperative Purchasing Alliance. It’s a government thing.
    Hark at Knightscope’s enthusiasm: “Contracts are available for use to over 90,000 agencies nationwide in both the public and nonprofit sectors including: K-12, Higher Education, City, County, State, Healthcare, Church/Religious and all Non-profit organizations.”
    A security robot at your kid’s school? A security robot that could instantly know — and, let’s dream a little of the future — and transmit who your kid is and what they’re doing? A security robot at your church — let’s dream a little more of a bright future — that might (accidentally) overhear your confessions?
    Those are, of course, merely my happy hopes but this was always going to be a fraught enterprise.
    Why, last week I received the latest of Knightscope’s promotional emails. This one boasted: “Suffice it to say that 2020 will go down as one of the most challenging years for generations to come. And in spite of the pandemic and political turmoil, Knightscope has continued to fight tooth and nail for the safety of our country.”
    All hail, the friendly robot militia.
    Which only made me remember another excited message Knightscope sent me just before Christmas. This one pointed to a fine article, headlined: “Will Robotics Specialist Knightscope be the Next Palantir?”
    A sample Bloomberg headline: “Palantir Knows Everything About You.”

  • Data of BuyUcoin cryptocurrency exchange traders allegedly leaked online

    A data breach at the BuyUcoin cryptocurrency exchange has reportedly led to user information becoming leaked underground.

    Names, email addresses, phone numbers, cryptocurrency transaction records, and bank details of users may have been compromised, according to Inc42. The publication estimates that up to 325,000 users are impacted, whereas Bleeping Computer suggests a figure closer to 161,000. 
    The alleged data leak, flagged by researcher Rajshekhar Rajaharia, was posted on a hacking forum and is thought to be the work of ShinyHunters, previously linked to the sale of stolen company databases. 
    In total, the alleged data dump comprises three separate archives, dated June 1, July 14, and September 5, 2020.
    The Indian cryptocurrency exchange has denied the existence of a data breach, classifying reports as a “rumor.”
    In a statement updated on January 21, BuyUcoin said the organization is “thoroughly investigating each and every aspect” of the report. The Indian cryptocurrency exchange added that “all our user’s portfolio assets are safe and sound within a secure environment” and “95% of user funds are kept in cold storage.”
    BuyUcoin did not confirm or deny that a leak had taken place, but did say that there is a planned “overhaul” of cybersecurity processes throughout 2021.

    However, the organization’s original statement, since removed from BuyUcoin’s main blog, said that a “low impact security incident” occurred last year in which “non-sensitive, dummy data” was leaked. 
    The cryptocurrency exchange said that during a “routine testing exercise” with the data, 200 entries were impacted. Furthermore, BuyUcoin claims that “not even a single customer was affected during the incident.”
    “BuyUcoin rejects alleged information in some media reports that the data of 3.5 lakh customers was compromised,” the firm said. “We would like to reiterate the fact that only dummy data of 200 entries were impacted which was immediately recovered and secured by our automated security systems.”
    However, this appears to contradict Rajaharia, who claims that, as a user himself, his information was involved in the leak. The researcher has called BuyUcoin’s response “irresponsible,” as even if funds are safe, unaware users may still be susceptible to phishing and social engineering scams built on the alleged leak.
    Last week, Russian cryptocurrency exchange Livecoin closed its doors following an alleged cyberattack. The organization said that its infrastructure and backend systems were compromised and exchange rates were tampered with; the alleged cybercriminals made off with substantial profits, causing financial damage the exchange says it cannot recover from.
    ZDNet has reached out to BuyUcoin and will update when we hear back.

  • DreamBus botnet targets enterprise apps running on Linux servers

    Chances are that if you deploy a Linux server online these days and you leave even the tiniest weakness exposed, a cybercrime group will ensnare it as part of its botnet.

    The latest of these threats is named DreamBus.
    In a report published last week, security firm Zscaler said this new threat is a variant of an older botnet named SystemdMiner, first seen in early 2019.
    But current DreamBus versions have received several improvements compared to the initial SystemdMiner sightings.
    Currently, the botnet targets enterprise-level apps that run on Linux systems. Targets include a wide collection of apps, such as PostgreSQL, Redis, Hadoop YARN, Apache Spark, HashiCorp Consul, SaltStack, and the SSH service.
    Some of these apps are targeted with brute-force attacks against their default administrator usernames, others with malicious commands sent to exposed API endpoints, or via exploits for older vulnerabilities.
    The idea is to give the DreamBus gang a foothold on a Linux server where they could later download and install an open-source app that mines the Monero (XMR) cryptocurrency to generate profits for the attackers.

    Furthermore, each of the infected servers is also used as a bot in the DreamBus operation to launch further brute-force attacks against other possible targets.
    Zscaler also said that DreamBus employed quite a few measures to prevent easy detection. One of them was that all systems infected with the malware communicated with the botnet’s command and control (C&C) server via the new DNS-over-HTTPS (DoH) protocol. DoH-capable malware is very rare, as it’s complex to set up.

    [1/2] 🆕 Network admins beware, #SystemdMiner is now using DNS over HTTPs to connect to its .onion C2. We uploaded IoCs to VT:
    Modified UPX -> d5b98358d261730a9a81b480bd94cbc8
    Unpacked -> 61d36807f333e9dd01737d74b2724ab9
    pic.twitter.com/6wYrQ8a8dZ
    — Intezer (@IntezerLabs) August 3, 2020

    Furthermore, to prevent the C&C server from being taken down, the DreamBus gang hosted it on the Tor network, via a .onion address.
    But despite all these protective measures, Zscaler’s Brett Stone-Gross believes we’re seeing yet another botnet birthed and operated out of Russia or Eastern Europe.
    “Updates and new commands are issued that typically start around 6:00 a.m. UTC or 9:00 a.m. Moscow Standard Time (MSK) and end approximately at 3:00 p.m. UTC or 6:00 p.m. MSK,” the researcher said.
    But Stone-Gross also warned companies not to take this botnet lightly. Sure, the botnet delivers a cryptocurrency miner right now, but the Zscaler researcher believes operators could easily pivot to more dangerous payloads, such as ransomware, at any time they wanted.

  • Tesla sues ex-employee over alleged 'brazen' theft of confidential code, files

    Tesla is suing a former member of staff for allegedly stealing confidential information and attempting to cover his tracks in the aftermath. 

    The lawsuit, filed in the US District Court for the Northern District of California, names Alex Khatilov, a Quality Assurance software engineer, as the alleged perpetrator.
    According to Tesla’s complaint, only three days after being hired on December 28, 2020, Khatilov “brazenly stole” thousands of files from the automaker’s WARP Drive backend system, as reported by CNBC. 
    The software engineer allegedly stole “scripts” of proprietary software code, related to areas including vehicle development and manufacturing, before transferring them to a personal Dropbox account. 
    “Only a select few Tesla employees even have access to these files; and as a member of that group, Defendant took advantage of that access to downloaded files unrelated to his job,” the complaint reads. 
    The complaint says that the apparent theft was detected on January 6, 2021. Tesla investigators then interviewed Khatilov, who allegedly said that only a “couple [of] personal administrative documents” had been transferred. 
    “After being prompted, he gave Tesla investigators access to view his Dropbox account, where they discovered Defendant’s claims were outright lies,” Tesla alleges. “[…] Defendant then claimed he somehow “forgot” about the thousands of other files he stole (almost certainly another lie).”

    Tesla has also accused the engineer of attempting to cover his tracks by “hurriedly deleting the Dropbox client and other files during the beginning of the interview,” leaving the company to wonder whether or not other confidential data may have been stolen, noting that Tesla has “no way to know” if any further leaks or transfers to third-parties have occurred. 
    A jury trial has been requested. Tesla is claiming breach of contract and the theft of trade secrets. 
    “Access to the scripts would enable engineers at other companies to reverse engineer Tesla’s automated processes to create a similar automated system in a fraction of the time and with a fraction of the expense it took Tesla to build it,” Tesla says. “The scripts also would inform competitors of which systems Tesla believes are important and valuable to automate and how to automate them — providing a roadmap to copy Tesla’s innovation.”
    Speaking to the New York Post, Khatilov claims the issue is a misunderstanding, with files “unintentionally” moved into Dropbox. Khatilov added that he was unaware of the lawsuit until contacted by the publication.
    In 2018, Tesla sued process technician Martin Tripp for leaking “gigabytes” of data to outsiders, including “dozens of confidential photographs and a video of Tesla’s manufacturing systems.” For the past two years, Tripp and Tesla have been involved in the legal dispute, which ended only when a settlement was recently agreed upon in which the former employee will pay Tesla $400,000.
    Last year, Tesla launched a lawsuit against a former employee for allegedly sabotaging operations at the company’s Fremont, California plant. 
    In other news concerning Tesla’s CEO Elon Musk this month, the entrepreneur said last week that he intends to contribute $100 million to a prize fund for viable carbon capture projects to combat global warming. 