More stories


    Millions of older broadband routers have these security flaws, warn researchers

    Millions of users in the UK could potentially be affected, Which? estimated, as vulnerable routers give attackers an opening.
    Millions of households in the UK are using old broadband routers that could fall prey to hackers, according to a new investigation carried out by consumer watchdog Which? in collaboration with security researchers. After surveying more than 6,000 adults, Which? identified 13 older routers that are still commonly used by consumers across the country, and sent them to security specialists from technology consultancy Red Maple Technologies. Nine of the devices, it was found, did not meet modern security standards.  Up to 7.5 million users in the UK could potentially be affected, estimated Which?, as vulnerable routers present an opportunity for malicious actors to spy on people as they browse, or to direct them to spam websites. 

    One major issue is the lack of firmware updates for older routers. Some of the models that respondents reported using have not been updated since 2018, and in some cases since 2016. The devices highlighted for their lack of updates included Sky’s SR101 and SR102, the Virgin Media Super Hub and Super Hub 2, and TalkTalk’s HG523a, HG635, and HG533. Most of the providers, when contacted by Which?, said that they regularly monitor the devices for threats and update them if needed. Virgin dismissed the research, saying that 90% of its customers are using later-generation routers. TalkTalk told ZDNet that it had nothing to add to the release.

    The researchers also found a vulnerability in EE’s Brightbox 2 that could let an attacker on the local network take full control of the device. An EE spokesperson told ZDNet: “We take the security of our products and services very seriously. As detailed in the report, this is very low risk vulnerability for the small number of our customers who still use the EE Brightbox 2. (…) We would like to reassure EE Brightbox 2 customers that we are working on a service patch which we will be pushing out to affected devices in an upcoming background update.” In addition, BT Group, which owns EE, told Which? that older routers still receive security patches if problems are found. Red Maple’s researchers found that old devices from BT had been updated recently, as had routers from Plusnet.

    The consumer watchdog advised that consumers who are still using one of the router models that are no longer being updated ask their providers for a new device as soon as possible. This, however, is by no means a given: while Virgin Media says that it gives free upgrades to customers with older routers, the policy is not always as clear with other providers. “It doesn’t hurt to ask,” said Hollie Hennessy, senior researcher at Which?. “While an internet provider is not obliged to provide you with a new router for free, if you call and explain your concerns you might get lucky, especially if your router is quite old.” For consumers whose contracts are expiring soon, Hennessy suggested asking for a new router as a condition of sticking with a given provider, and considering a switch if the request is not met.

    Weak passwords remain a top concern

    On top of no longer receiving updates, many older routers were also found to ship with weak default passwords, which can be easily guessed and grant an outsider access. This was the case for the same TalkTalk and Sky routers, as well as the Virgin Media Super Hub 2 and the Vodafone HHG2500.

    The first thing to do, for consumers who own one of these models, is to replace the default password with a stronger one, said Which?. The organization is calling for the government to ban default passwords, and to stop manufacturers from allowing consumers to set weak passwords, as part of new legislation that was proposed last month. As part of an effort to make devices “secure by design”, the UK’s Department for Digital, Culture, Media and Sport has announced a new law that will stop manufacturers from using default passwords such as “password” or “admin”, to better protect consumers from cyberattacks. The future law would also make it mandatory to tell customers how long their new product will receive security updates for. In addition, manufacturers would have to provide a public point of contact to make it easier to report security vulnerabilities in the products.

    In a similar vein, Which? called for more transparency from internet service providers. The organization said that providers should be more upfront about how long routers will receive firmware and security updates, and should actively upgrade customers who are at risk. Only Sky, Virgin Media and Vodafone appear to have a web page dedicated to letting researchers submit vulnerabilities they have found in the companies’ products, according to Which?.


    Google is going to start automatically enrolling users in two-step verification

    Google will soon start pushing more Gmail users and Google Account holders to enable two-step verification — the extra layer of security that can protect people when their credentials have been phished or exposed through a data breach.  May 6 is “World Password Day” which is largely about making people less reliant on them for securing online accounts.  Google’s contribution this year is to nudge more people into enabling two-step verification, otherwise known as two-factor authentication.  Today, Google prompts its two billion Gmail users to enroll in two-step verification (2SV) but soon it will be automatically enrolling users.  “Soon we’ll start automatically enrolling users in 2SV if their accounts are appropriately configured. (You can check the status of your account in our Security Checkup),” Mark Risher, director of product management in Google’s Identity and User Security group, notes in a blogpost.  “You may not realize it, but passwords are the single biggest threat to your online security – they’re easy to steal, they’re hard to remember, and managing them is tedious,” he says.   That second factor, be it a security key or a smartphone, means that someone in possession of your username and password — in most cases — can’t log into your account unless they have physical access to your device. 

    Google has refined its processes over the years to make 2SV less of an obstacle, but it can still be fiddly if you change your mobile phone number. Today, after signing in with a username and password, users who have enrolled in 2SV get a code via SMS, voice call or the Google app. The other option is a security key like Google’s Titan key. Google has also built security-key functionality into Android phones, and last year delivered the same capability for iPhones via its Smart Lock app for iOS. “Using their mobile device to sign in gives people a safer and more secure authentication experience than passwords alone,” notes Risher.

    Passwords, unfortunately, are still rife some 17 years after Microsoft co-founder Bill Gates predicted they would one day disappear. Since then the world has only seen a proliferation of new username and password combinations, but two-factor authentication is now more widely adopted and supported, both in online consumer services and in the enterprise. Multi-factor authentication does work: according to Microsoft, 99.9% of the compromised accounts it tracks every month did not use multi-factor authentication. Microsoft has also been doing its bit in tackling outdated password policies that lead to people choosing bad passwords. Two years ago it changed a Windows 10 security baseline that until then recommended enterprise users change their password every few months. “Periodic password expiration is an ancient and obsolete mitigation of very low value,” Microsoft declared at the time.

    Google’s other key password tool is the built-in password manager in Chrome; Apple offers the same feature in its Safari browser. Risher also points to an experimental feature in Chrome called “password import”, recently spotted by The Verge, which lets users import passwords from a CSV file.


    Data leak implicates over 200,000 people in Amazon fake product review scam

    An open database has revealed the identities of over 200,000 individuals who appear to be involved in Amazon fake product review schemes. 

    There is an ongoing battle between the e-commerce giant and dubious sellers, worldwide, who wish to hamstring competitors and gain an edge by generating fake reviews for their products. This can include paying individuals to leave a glowing review or by offering free items in return for positive, public feedback.  How they operate and stay under Amazon’s radar varies, but an open ElasticSearch server has exposed some of the inner workings of these schemes.  On Thursday, Safety Detectives researchers revealed that the server, public and online, contained 7GB of data and over 13 million records appearing to be linked to a widespread fake review scam.  It is not known who owns the server but there are indicators that the organization may originate from China due to messages written in Chinese, leaked during the incident.  The database contained records involving roughly 200,000 – 250,000 users and Amazon marketplace vendors including user names, email addresses, PayPal addresses, links to Amazon profiles, and both WhatsApp and Telegram numbers, as well as records of direct messages between customers happy to provide fake reviews and traders willing to compensate them. 

    According to the team, the leak may implicate “more than 200,000 people in unethical activities.”

    The database, and the messages contained in it, revealed the tactics used by dubious sellers. In one method, vendors send a customer a link to the items they want 5-star reviews for, and the customer then makes a purchase. Several days later, the customer leaves a positive review and messages the vendor, leading to payment via PayPal, which may be framed as a ‘refund’ while the item is kept for free. Because the refund payments are made away from the Amazon platform, paid reviews are harder to detect.

    The open ElasticSearch server was discovered on March 1, but it has not been possible to identify the owner. However, the leak was noticed and the server was secured on March 6. “The server could be owned by a third-party that reaches out to potential reviewers on behalf of the vendors [or] the server could also be owned by a large company with several subsidiaries, which would explain the presence of multiple vendors,” the researchers said. “What’s clear is that whoever owns the server could be subject to punishments from consumer protection laws, and whoever is paying for these fake reviews may face sanctions for breaking Amazon’s terms of service.”

    Amazon’s community and review guidelines do not allow vendors to review their own products or to offer a “financial reward, discount, free products, or other compensation” in return for positive reviews, including through third-party organizations. However, as Amazon is a prominent online marketplace, it is likely that some vendors will continue to try to abuse review systems to bolster their revenue. “We want Amazon customers to shop with confidence knowing that the reviews they read are authentic and relevant,” an Amazon spokesperson commented. “We have clear policies for both reviewers and selling partners that prohibit abuse of our community features, and we suspend, ban, and take legal action against those who violate these policies.”


    Ransomware: There's been a big rise in double extortion attacks as gangs try out new tricks

    There’s been a big rise in the number of ransomware gangs that threaten to release information stolen from victims if they don’t pay the ransom for the decryption key required to restore their network.

    The idea behind these ‘double extortion’ ransomware attacks is that even if the victim organisation believes it can restore its network without giving in to the ransom demands of cyber criminals, which regularly run to millions of dollars in Bitcoin, the threat of sensitive information about employees or customers being exposed could still push it to give in to the blackmail and pay.

    Even then, there’s no guarantee that the cyber criminals behind the attack will delete the stolen data: they could exploit it later, or sell it on to other crooks on dark web forums.

    These attacks have become extremely successful, and lucrative, for cyber criminals. Cybersecurity researchers at ZeroFox have tracked the activity of over two dozen dark web leak sites associated with ransomware attacks over the past year, as more and more cyber-criminal groups move towards this form of extortion. The ransomware gangs that are most successful with double extortion are those that adopted it first, such as REvil, Maze, NetWalker, and DoppelPaymer, but others have followed in their footsteps and are finding plenty of success in 2021. Groups like Conti and Egregor have become the most prolific over the course of this year, with the report pointing out that the latter group has allegedly gained success by recruiting members of other ransomware gangs, including Maze, which supposedly shut down in November last year.

    The recruitment of authors from other ransomware operations shows how this type of malware has developed into a competitive market. Much like legitimate software companies, groups want to hire the best people to ensure that their product is as successful as possible; unfortunately, in this case, success comes at the cost of innocent victims whose networks are encrypted.

    It isn’t just threats to leak data, either. The report points out that some ransomware groups are launching Distributed Denial of Service (DDoS) attacks against victims, overwhelming what remains of the network with traffic to the extent that it isn’t usable, and leveraging that as an additional way of forcing the victim to pay up.

    Ultimately, double extortion has become so common among ransomware gangs because it works, and many organisations are unfortunately giving in to ransom demands as the criminals in this space get more persistent and more aggressive. For organisations, the best way to avoid having to decide whether to pay in the hope that stolen data is not published is to keep intruders out in the first place. Measures that help here include applying security patches as soon as possible, so attackers can’t exploit known vulnerabilities, and deploying two-factor authentication for all users, so that if attackers do compromise one account it is harder for them to move laterally around the network.


    Ryuk ransomware finds foothold in bio research institute through student who wouldn’t pay for software

    Security researchers have provided insight into how a single student unwittingly became the conduit for a ransomware infection that cost a biomolecular institute a week’s worth of vital research.

    In a report due to be published on Thursday, Sophos described the case, in which the team was pulled in to neutralize an active cyberattack on a biomolecular facility in Europe.  Sophos found that Ryuk ransomware had made its way onto the facility’s network, and set out to determine how the infection took place.  Ryuk is a prolific form of malware that is constantly evolving. The Ryuk family, including new strains equipped with worm-like capabilities and the ability to self-propagate over networks, encrypts networks and files, locking victims out of their systems until a ransom payment is made.  According to AdvIntel and HYAS, the operators behind Ryuk are estimated to have generated over $150 million in profit from their victims, with payments often made in Bitcoin (BTC).  While the name of the biomolecular institute has not been disclosed, the European organization is involved in the life sciences and research related to COVID-19. The institute works closely with local universities and collaborates with students in some projects.  It was a student, unfortunately, that proved to be the unwitting conduit for the Ryuk infection. 

    The student was on the hunt for a free version of a data visualization tool that would have cost hundreds of dollars per year if licensed. After posting on a forum asking for a free alternative, the student eventually elected to find a cracked version instead. Because cracked software (modified to remove elements such as trial expiration dates or the need for a license) is treated as suspicious, antivirus software will usually flag it and block its execution. In this case Windows Defender flagged the file, so the student disabled Defender as well as their firewall. Instead of launching the software they wanted, however, the executable loaded a Trojan that harvested the student’s access credentials for the biomolecular institute’s network. In hindsight an unwise decision, the research institute allowed students to use their personal devices to access its network via remote Citrix sessions.

    Thirteen days after the student executed the ‘cracked’ software, the institute registered a remote desktop protocol (RDP) connection, using the student’s credentials, from a machine named “Totoro,” an anime character from a 1988 film. “A feature of RDP is that a connection also triggers the automatic installation of a printer driver, enabling users to print documents remotely,” Sophos says. “This allowed the Rapid Response investigation team to see that the registered RDP connection involved a Russian language printer driver and was likely to be a rogue connection.” The team believes that access to the institute was sold on in an underground market, and that the RDP connection may have been made to test that access.

    Ten days after this connection was made, Ryuk was deployed on the network, costing the institute a week of research data because backups were not fully up to date. In addition, system and server files had to be “rebuilt from the ground up,” according to the researchers, before the institute could resume normal work.
“This is a cautionary tale of how an end user’s security misjudgement can leave an organization exposed to attack when there are no solid security policies in place to contain the mistake,” commented Peter Mackenzie, manager of Rapid Response at Sophos. “In this instance, the target was at risk the moment the external user clicked the ‘install’ button for a cracked copy of a software tool that turned out to be pure malware. […] The underground market for previously compromised networks offering attackers easy initial access is thriving, so we believe that the malware operators sold their access on to another attacker.”
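The printer-driver clue Sophos describes can be turned into a detection rather than a post-incident observation. The following is an added example, not Sophos code and not from the report: it correlates RDP logons with the printer drivers their sessions redirected and flags sessions whose driver is not one the organisation expects, or whose name is in a non-Latin script. The telemetry is constructed and its field names are assumed; in a real environment the same facts come from Windows Security event 4624 with logon type 10 (RemoteInteractive) and the PrintService log's driver-install events, and the allowlist of expected drivers is an assumption about the institute's managed images.

```python
import json
import unicodedata
from collections import defaultdict

# Constructed sample telemetry (not real institute logs); field names are assumed.
SAMPLE_EVENTS = """
{"ts": "2021-03-01T09:02:11Z", "event": "rdp_logon", "session_id": 41, "user": "student1", "src_ip": "10.20.5.17", "client": "LAPTOP-ST1"}
{"ts": "2021-03-01T09:02:14Z", "event": "printer_driver_added", "session_id": 41, "driver": "Microsoft Print To PDF"}
{"ts": "2021-03-14T02:47:30Z", "event": "rdp_logon", "session_id": 97, "user": "student1", "src_ip": "198.51.100.23", "client": "Totoro"}
{"ts": "2021-03-14T02:47:33Z", "event": "printer_driver_added", "session_id": 97, "driver": "Средство записи XPS-документов (Microsoft)"}
{"ts": "2021-03-14T08:15:02Z", "event": "rdp_logon", "session_id": 98, "user": "labadmin", "src_ip": "10.20.5.3", "client": "WS-LAB03"}
{"ts": "2021-03-14T08:15:05Z", "event": "printer_driver_added", "session_id": 98, "driver": "HP Universal Printing PCL 6"}
"""

# Assumed: the drivers the organisation's managed Windows images would redirect.
EXPECTED_DRIVERS = {"Microsoft Print To PDF", "HP Universal Printing PCL 6"}


def parse_events(text):
    """One JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def has_non_latin_letters(name):
    """True if any letter in the name belongs to a non-Latin script (e.g. Cyrillic)."""
    return any(ch.isalpha() and "LATIN" not in unicodedata.name(ch, "") for ch in name)


def find_rogue_rdp_sessions(events, expected=EXPECTED_DRIVERS):
    """Correlate RDP logons with the printer drivers their sessions redirected.

    The client's printer is installed automatically on connect, so the driver name
    leaks the connecting machine's locale and software. Sessions whose redirected
    driver is unexpected, or named in a non-Latin script, are returned for review.
    """
    logons = {}
    drivers = defaultdict(list)
    for ev in events:
        if ev["event"] == "rdp_logon":
            logons[ev["session_id"]] = ev
        elif ev["event"] == "printer_driver_added":
            drivers[ev["session_id"]].append(ev["driver"])

    findings = []
    for sid, logon in sorted(logons.items()):
        reasons = []
        for name in drivers.get(sid, []):
            if name not in expected:
                reasons.append(f"unexpected redirected printer driver: {name}")
            if has_non_latin_letters(name):
                reasons.append("driver name is in a non-Latin script")
        if reasons:
            findings.append({"session_id": sid, "user": logon["user"],
                             "src_ip": logon["src_ip"], "client": logon.get("client"),
                             "reasons": reasons})
    return findings


def demo_findings():
    """Run the detection over the constructed sample."""
    return find_rogue_rdp_sessions(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for finding in demo_findings():
        print(json.dumps(finding, ensure_ascii=False))
```

The script-based check is a heuristic that will also fire on legitimate users of localised Windows builds; in practice it belongs alongside the stronger signals the same logon carries (a client hostname never seen before, a source address outside the institute's ranges, and a 13-day gap since the account's last use), which the finding records for the analyst.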



    Security researchers found 21 flaws in this widely used email server, so update immediately

    The maintainers of the widely-used Exim email server are urging admins to update to Exim version 4.94.2 due to 21 newly disclosed security flaws. “All versions of Exim previous to version 4.94.2 are now obsolete. The last 3.x release was 3.36. It is obsolete and should not be used,” the University of Cambridge-backed project said in an update. 

    “This is a security release,” the project adds, referring to fixes for 21 flaws, 10 of which can be exploited by anyone over the internet. The new Exim release addresses security flaws reported by researchers at security firm Qualys. The bugs are a potentially major threat to internet security: nearly 60% of the internet’s mail servers run the Exim mail transfer agent (MTA), making it by far the most widely used email server. As Qualys points out, the IoT search engine Shodan returns 3.8 million results for Exim servers exposed on the internet, of which two million are located in the US. Exim is so widely deployed in part because it often ships as the default email server with popular Linux distributions like Debian.

    “Exim Mail Servers are used so widely and handle such a large volume of the internet’s traffic that they are often a key target for hackers,” said Bharat Jogi, a senior manager of the vulnerability and threat research unit at Qualys. “The 21 vulnerabilities we found are critical as attackers can remotely exploit them to gain complete root privileges on an Exim system – allowing compromises such as a remote attacker gaining full root privileges on the target server and executing commands to install programs, modify data, create new accounts, and change sensitive settings on the mail servers.” Jogi urged admins, many of whom run Exim servers at ISPs, government agencies, and universities, to apply the patches “immediately” given the breadth of the attack surface.

    Such flaws have been rapidly exploited in the past. A previous remote code execution flaw in Exim, patched in mid-2019, was also discovered by researchers at Qualys, and the NSA eventually revealed that attackers had been exploiting it, tracked as CVE-2019-10149, within two months of its public disclosure. The NSA warned in June 2020 that Sandworm, a hacking group within Russia’s military intelligence service, the GRU, had been exploiting the Exim flaw since at least August 2019. Like the most serious of the newly disclosed bugs, that flaw gave a remote attacker root on the mail server. The NSA said the attackers exploited it on victims’ public-facing MTAs by sending a specially crafted command in the “MAIL FROM” field of an SMTP (Simple Mail Transfer Protocol) message; the victim server would then download and execute a shell script from a domain controlled by the Sandworm group. MTAs are an attractive target because they are generally exposed on the internet. Qualys has posted a blog detailing each of the 21 bugs and says its researchers have developed exploits that obtain full root privileges.
    The company reported an initial set of bugs to Exim maintainers on 20 October, 2020 and provided 26 patches to Exim. The 21 CVEs, and whether each is exploitable locally or remotely:

    CVE              Description                                              Type
    CVE-2020-28007   Link attack in Exim’s log directory                      Local
    CVE-2020-28008   Assorted attacks in Exim’s spool directory               Local
    CVE-2020-28014   Arbitrary file creation and clobbering                   Local
    CVE-2021-27216   Arbitrary file deletion                                  Local
    CVE-2020-28011   Heap buffer overflow in queue_run()                      Local
    CVE-2020-28010   Heap out-of-bounds write in main()                       Local
    CVE-2020-28013   Heap buffer overflow in parse_fix_phrase()               Local
    CVE-2020-28016   Heap out-of-bounds write in parse_fix_phrase()           Local
    CVE-2020-28015   New-line injection into spool header file (local)        Local
    CVE-2020-28012   Missing close-on-exec flag for privileged pipe           Local
    CVE-2020-28009   Integer overflow in get_stdinput()                       Local
    CVE-2020-28017   Integer overflow in receive_add_recipient()              Remote
    CVE-2020-28020   Integer overflow in receive_msg()                        Remote
    CVE-2020-28023   Out-of-bounds read in smtp_setup_msg()                   Remote
    CVE-2020-28021   New-line injection into spool header file (remote)       Remote
    CVE-2020-28022   Heap out-of-bounds read and write in extract_option()    Remote
    CVE-2020-28026   Line truncation and injection in spool_read_header()     Remote
    CVE-2020-28019   Failure to reset function pointer after BDAT error       Remote
    CVE-2020-28024   Heap buffer underflow in smtp_ungetc()                   Remote
    CVE-2020-28018   Use-after-free in tls-openssl.c                          Remote
    CVE-2020-28025   Heap out-of-bounds read in pdkim_finish_bodyhash()       Remote
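The first thing an admin will want after reading the table is a way to find the Exim hosts they are responsible for that still run a pre-4.94.2 build. The following is an added example, not from Exim, Qualys or the article: it pulls the version out of the SMTP greeting that Exim sends on port 25 (or out of `exim -bV` output on the host itself) and compares it against 4.94.2. The banners and hostnames are constructed.

```python
import re

# Exim 4.94.2 is the first release carrying the fixes for the 21 bugs above.
FIXED_VERSION = (4, 94, 2)

# Matches the version in an SMTP greeting ("ESMTP Exim 4.92 ...") or in
# the first line of `exim -bV` ("Exim version 4.94.2 #2 built ...").
VERSION_RE = re.compile(r"\bExim (?:version )?(\d+(?:\.\d+){1,2})\b")

# Constructed banners, as returned by `nc <host> 25`; hostnames are illustrative.
SAMPLE_BANNERS = {
    "mail.example.org":   "220 mail.example.org ESMTP Exim 4.92 Tue, 04 May 2021 10:03:12 +0000",
    "mx.example.net":     "220 mx.example.net ESMTP Exim 4.94.2 Tue, 04 May 2021 10:03:14 +0000",
    "relay.example.com":  "220 relay.example.com ESMTP Exim 4.92.3 Tue, 04 May 2021 10:03:15 +0000",
    "legacy.example.org": "220 legacy.example.org ESMTP Exim 3.36 #1 Tue, 04 May 2021 10:03:16 +0000",
    "smtp.example.com":   "220 smtp.example.com ESMTP Postfix",
}


def parse_version(text):
    """Return the Exim version as a tuple padded to three components, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def classify(text):
    """'not-exim', 'vulnerable' (older than 4.94.2) or 'fixed'."""
    version = parse_version(text)
    if version is None:
        return "not-exim"
    return "vulnerable" if version < FIXED_VERSION else "fixed"


def triage(banners):
    """Map each host to its status so the vulnerable ones can be patched first."""
    return {host: classify(banner) for host, banner in banners.items()}


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_BANNERS).items()):
        print(f"{host:22s} {status}")
```

One caveat a practitioner should keep in mind: distributions such as Debian backport security fixes without changing the upstream version number, so a banner reading 4.92 or 4.94 can belong to a patched package. Treat "vulnerable" from this check as "verify against the package changelog", not as a confirmed finding.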


    ACIC believes there's no legitimate reason to use an encrypted communication platform

    The Australian Criminal Intelligence Commission (ACIC) believes there is no legitimate reason for a law-abiding member of the community to own or use an encrypted communication platform.

    ”These platforms are used almost exclusively by SOC [serious and organised crime] groups and are developed specifically to obscure the identities of the involved criminal entities and enable avoidance of detection by law enforcement,” the ACIC declared. “They enable the user to communicate within closed networks to facilitate highly sophisticated criminal activity”.

    The comments were made in a submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) as part of its inquiry into the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020. It told the committee it intends to use the powers extended to the ACIC under the Bill to focus efforts on understanding and gathering intelligence on SOC groups who are using encrypted communication platforms to conceal their criminal activities.

    The Bill, if passed, would hand the Australian Federal Police (AFP) and ACIC three new computer warrants for dealing with online crime: a data disruption warrant, a network activity warrant, and an account takeover warrant.

    The ACIC said the Bill would allow it, through the collection, assessment, and dissemination of criminal intelligence and information, to inform national strategies to address transnational serious and organised crime.

    ”To deliver on this purpose, the powers and capabilities of the ACIC must keep pace with technological trends and emerging threats to ensure the agency is able to adequately tackle serious cyber-enabled crime and sophisticated criminal groups using encrypted platforms,” it said. ”The agency must be enabled to support law enforcement outcomes to protect Australians against the most sophisticated and high-threat actors, who increasingly utilise advanced communications technologies to mask their criminal activities.”

    According to the ACIC, the disruption, intelligence collection, and account takeover powers contained within the Bill complement the agency’s existing powers by providing new avenues to gather information and respond to serious crime occurring online and to criminals using dedicated encrypted communication platforms. “The measures in the Bill are grounded in the principle that the powers granted by Parliament to the agencies charged with enforcing the criminal law should not be eroded by advances in technology,” it wrote. “The Bill is designed to provide the ACIC and AFP with the ability to protect the Australian community from harms online in the same way they protect Australians in the physical world.”

    The ACIC believes the Bill addresses gaps in current electronic surveillance powers. Network activity warrants provided by the Bill will “immediately transform the ACIC’s ability to discover and understand serious criminal groups using the Dark Web and encrypted communication platforms to undertake and facilitate serious crimes”.

    ”Currently, while the ACIC might be able to detect criminal behaviour on a hidden website or computer network, we cannot identify all the individuals participating in the criminal behaviour,” it explained. “For this reason, we require the ability to target and infiltrate the network, or class of computers, in which the crime is occurring so the members of the criminal group can be identified and the full nature and extent of the criminality can be detected through the collection of intelligence.”

    Data disruption warrants, meanwhile, would enable the ACIC to interfere with the data held on online criminal networks or devices, in order to frustrate the commissioning of serious criminal offences. “This will be particularly powerful in the context of disrupting criminal activity which is largely occurring online,” it wrote.

    Lastly, account takeover warrants, it said, would allow the agency to take control of an online account in conjunction with other investigatory powers, labelling it an “efficient method for agencies to infiltrate online criminal networks”. “This will play a crucial role in uncovering the identities of otherwise anonymous criminals, as well as gathering evidence of the initiation and commissioning of serious offences online, including on the Dark Web and where encrypted communication platforms are in use,” it said.


    REvil ransomware to blame for UnitingCare Queensland's April attack

    After revealing late last month that it had fallen victim to a cyber incident, UnitingCare Queensland has now named REvil/Sodin as the gang behind the attack.

    The organisation, which provides aged care, disability supports, health care, and crisis response services throughout the state, suffered the attack on Sunday, 25 April 2021. In a statement issued a few days later, UnitingCare said its systems were still affected, and on Wednesday it said some of the organisation’s systems remain inaccessible.

    The organisation also pointed to REvil/Sodin as the source of the attack. ”We can confirm that the external group claiming responsibility for this incident has identified themselves as REvil/Sodin,” it said. ”With the assistance of leading experts and advisors, we are conducting a thorough investigation into whether patient, client, resident or employee information has been breached. This investigation is continuing and we will continue to keep the people we care for updated in this regard, in addition to employees, regulators, and other stakeholders.”

    The REvil (Sodinokibi) ransomware gang has been active for some time and is among the largest of such operations. Run as a Ransomware-as-a-Service (RaaS), the REvil gang rents its ransomware strain to other criminal groups. The figure demanded of UnitingCare has not been disclosed, but it was reported in March that Taiwanese giant Acer was struck by REvil ransomware, with the culprits demanding $50 million from the company.

    ”Since the incident occurred, as part of our business continuity plan, back-up and downtime procedures have been in place to ensure continuity of our clinical and care services, and these procedures have been working very well,” UnitingCare said. It said that at this point in time there is no evidence that the health and safety of its patients, residents, or clients has been in any way compromised as a result of the attack. ”As soon as we became aware of the incident, we engaged the support of leading external technical and forensic advisors. We also notified the Australian Cyber Security Centre of the incident and are continuing to work closely with them to investigate it,” UnitingCare added. ”Since the outset of the incident, we have been in pro-active regular contact with all relevant regulatory and government departments.”

    Last year, the Australian Cyber Security Centre (ACSC) issued an alert to aged care and healthcare providers, notifying them of recent ransomware campaigns targeting the sector. ”Cybercriminals view the aged care and healthcare sectors as lucrative targets for ransomware attacks,” the ACSC wrote. “This is because of the sensitive personal and medical information they hold, and how critical this information is to maintaining operations and patient care. A significant ransomware attack against a hospital or aged care facility would have a major impact.”

    Data breach notification to the Office of the Australian Information Commissioner became mandatory under the Notifiable Data Breaches (NDB) scheme in February 2018. Since the mandate, the private health sector has been the most affected sector. The latest NDB report shows no change, with health accounting for 123 of the total 519 notifications in the six months to December 2020.