More stories

  • Justice Department seizes fake COVID-19 vaccine website stealing info from visitors

    A fake COVID-19 vaccine website that was stealing visitors’ data has been shut down by the Justice Department, according to the U.S. Attorney’s Office for the District of Maryland. The people behind “freevaccinecovax.org” made the website look like it belonged to a biotechnology company working on a COVID-19 vaccine, but it was actually being used by cybercriminals for “fraud, phishing attacks, and/or deployment of malware.” The site now carries a large banner saying it has been seized by the federal government. “This is the ninth fraudulent website seeking to illegally profit from the COVID-19 pandemic that we have seized,” Acting U.S. Attorney Jonathan Lenzner said in a statement. Lenzner noted that the website is one of thousands that have popped up since the pandemic began in early 2020. Cybercriminals have leveraged the fear and interest around COVID-19 to propagate a variety of scams and efforts to spread malware. Lenzner added that the government is “providing the vaccine free of charge to people living in the United States” and that no one should ever click on anything offering the vaccine for sale. The affidavit filed in court by the Justice Department says the scam was initially uncovered by the HSI Intellectual Property Rights Center and the HSI Cyber Crimes Center. The website was allegedly created from an IP address in Strasbourg, Germany, but was registered in Russia, according to the Justice Department.

    It was created on April 27, and the site’s homepage featured the logos of a number of well-known healthcare organizations such as the World Health Organization, Pfizer, and the United Nations High Commissioner for Refugees. The website asked visitors to enter their location and then automatically downloaded a PDF file that users could fill out and upload. It is unclear how many people visited the site and filled out the PDF. Eric Howes, principal lab researcher at cybersecurity firm KnowBe4, said both the domain itself and the operation associated with it illustrate just how useful the COVID-19 pandemic has been for malicious actors looking to cash in on other people’s misery. A bogus vaccine website offers bad actors a wide range of potential social engineering schemes, Howes explained, ranging from offers of free access to vaccine supplies to bogus investment schemes. “COVID-19 has been the gift that keeps on giving for fraud artists over the past year,” Howes said. “While authorities are to be lauded for shutting down this domain, one wonders how many more of them pushing similar fraudulent schemes are out there on the internet. Dozens? Hundreds? Thousands? Moreover, how long will it be before the parties behind this operation simply set up another domain and continue their operations?”

  • Americans turn to VPNs to prevent online fraud and hacking

    Since March 2020 there has been an increase in VPN (Virtual Private Network) discount-related searches as Americans look for a way to feel secure online, according to a new report.


    New York, NY-based coupon engine CouponFollow, part of NextGen Shopping, surveyed 1,666 US adults before the pandemic and a further 1,834 US adults in February 2021 to understand how Americans view their internet security and data privacy. The report showed that almost seven in ten (69%) Americans are concerned about the security of their data when using public Wi-Fi, and nearly two in three (64%) are worried about it when using the internet at home. A similar percentage (65%) are concerned that their medical or financial data might be shared, or sold on, by their ISP. Almost half (47%) of Americans are concerned about their privacy when using public Wi-Fi. Nearly a third (30%) worry about their privacy even when using the internet at home.
    Online fraud and hacking are a concern for Americans: over one in three (35%) know someone, themselves included, who has had their social media account hacked or hijacked. Almost half of Millennials (48%) reported this happening.

    In October 2020 the UK’s data privacy watchdog fined the Marriott hotel chain for a data breach that could have affected up to 339 million guests. Even social media sites like Facebook have suffered data leaks. One in three have had, or know someone who has had, their password stolen, and 52% of Millennials and Gen Z reported the same. Only 12% of Baby Boomers reported having their password stolen, and one in five (20%) had a social media account hacked or hijacked, reflecting the amount of time they spend online. Although one in three (35%) Americans use a VPN, 33% reported that they do not know what a VPN is. Men are more likely to know what a VPN is, but almost half of Baby Boomers (49%) do not. Even two in five (40%) of VPN users do not understand what the term VPN means.
    Using the internet at work does not seem to elicit the same level of concern. This could be due to the antivirus and firewall protections that employers have implemented on work devices, or to the type of sites people browse on them: less than one in three (32%) are worried about their security at work, and less than one in five (18%) are concerned about their privacy when browsing the web from a work device. Over one in ten (12%) started to use a VPN in 2020, and one in five (21%) installed a VPN to enable them to work from home. Up to 35% of Americans already use a VPN, for anonymous browsing (45%), work access (45%), or shopping online (21%). Only 12% use it for torrenting or P2P file sharing. As hacking attempts and breaches grow, Americans have good reason to be cautious. Parler’s data leak exposed millions of posts as 70TB of data was scraped from the platform, and the ParkMobile app data breach exposed data from 21 million users. Being ultra-careful online will be the only way to avoid being a victim of the next breach.

  • IBM adds zero trust capabilities to Cloud Pak for Security

    IBM is rolling out new zero trust capabilities to Cloud Pak for Security, its platform for tackling cybersecurity threats across multicloud and hybrid environments. IBM said the features are aimed at helping customers adopt a zero trust approach to security by applying the principles of least privilege access, never trust, always verify, and assume breach.

    Among the key features are the new IBM Security zero trust blueprints, which are designed around common zero trust use cases. The four new blueprints are meant to provide a framework to help preserve customer privacy, secure hybrid and remote workforces, reduce the risk of insider threats, and protect hybrid cloud environments. IBM also introduced the as-a-Service version of IBM Cloud Pak for Security. The new consumption model lets customers choose between an owned or hosted deployment model based on their environment and needs. Meanwhile, a new partnership between IBM and Zscaler was announced as part of an effort to address remote work and network security modernization. The alliance will combine IBM Security Services with Zscaler’s network security technology to deliver an end-to-end secure access service edge (SASE) solution. Dow Chemical is an early customer working with IBM Security and Zscaler as part of its remote/hybrid workforce modernization strategy. Launched in 2019 as the foundation of IBM’s open security strategy, Cloud Pak for Security is designed to glean threat information and insights from various sources without having to move data. The system leverages IBM’s investment in Red Hat, including OpenShift, and is designed specifically to unify security across hybrid cloud environments. Over the last year IBM has expanded the capabilities within Cloud Pak for Security to address some of the key components of threat management, such as detection, investigation and response, using AI and automated workflows. In October, IBM added a new integrated data security hub that promises to bring data security insights directly into threat management and security response platforms.

  • DOD expands its bug hunting programme to networks, IoT and more

    The US Department of Defense has significantly expanded its bug bounty program to all publicly accessible information systems, including not just websites but also networks, frequency-based communication, Internet of Things, and industrial control systems. The DoD bug bounty, which is overseen by the DoD’s Cyber Crime Center (DC3), is now much broader than the “Hack the Pentagon” pilot kicked off in 2016 with partner HackerOne, in which hackers were restricted to probing DoD’s public-facing websites and applications. Brett Goldstein, director of the Defense Digital Service, said the DoD’s bug bounty “allows for research and reporting of vulnerabilities related to all DoD publicly-accessible networks, frequency-based communication, Internet of Things, industrial control systems, and more”, according to a DoD press release. “This expansion is a testament to transforming the government’s approach to security and leapfrogging the current state of technology within DoD,” said Goldstein. The DoD says that since the bug bounty launched, it has received more than 29,000 vulnerability reports from hackers, more than 70 percent of which were determined to be valid after triage. Last month DC3 launched another bug bounty pilot called the Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP), which aims to improve the security of defense contractors. It is also being run on HackerOne. Carnegie Mellon University’s Software Engineering Institute conducted a feasibility study in 2020 and recommended the pilot program proceed.

    “The department has always maintained the perspective that DOD websites were only the beginning as they account for a fraction of our overall attack surface,” said DC3 director Kristopher Johnson. Johnson said he expects the number of bug reports it receives to “drastically increase” due to the broader scope of the program, which now allows security researchers to report bugs they wouldn’t have been allowed to in the past.

  • This massive DDoS attack took large sections of a country's internet offline

    A massive distributed denial of service (DDoS) attack took down the websites of more than 200 organisations across Belgium, including government, parliament, universities and research institutes. The DDoS attack started at 11am on Tuesday 4 May and flooded the websites with traffic, rendering their public-facing sites unusable for visitors, while the attack also overwhelmed internal systems, cutting them off from the internet.

    The attack targeted Belnet, the government-funded ISP for the country’s educational institutions, research centres, scientific institutes and government services, including government ministries and the Belgian parliament. Some debates and committee meetings had to be postponed as users couldn’t access the virtual services required to take part. Belgium’s central authority for cybersecurity, the Center for Cybersecurity Belgium (CCB), was contacted following the attack in order to help contain and resolve it. One of the reasons the attack was so disruptive was that those behind it kept altering their techniques. “The fact that the perpetrators of the attack constantly changed tactics made it even more difficult to neutralize it,” said Dirk Haex, technical director at Belnet. A day on from the DDoS attack, an update from Belnet said its services are available again but that the service provider is remaining vigilant about potential follow-up attacks.

    “We are fully aware of the impact on the organizations connected to our network and their users and we are aware that this has profoundly disrupted their functioning,” said Haex. A DDoS attack is designed purely to disrupt websites and services by taking them offline, overwhelming them with an excessive amount of traffic. In many cases, DDoS attacks will exploit servers, computers and Internet of Things devices that have been taken control of by cyber criminals and roped into a botnet – an army of devices controlled by cyber attackers – using that traffic to overwhelm the capabilities of the target to the extent that it becomes inaccessible for anyone. The intent of the attackers is purely disruption, and Belnet has stated that there has been no data breach or theft of data as a result of the attack, nor did cyber criminals infiltrate the network – they just overwhelmed it with web traffic. According to Belnet, it’s unclear who was behind the attack, but the network provider is investigating it. Belnet has also filed a complaint with the Federal Computer Crime Unit.


  • Google Chrome: This new feature makes it tougher for hackers to attack Windows 10 PCs

    Google has revealed that Chrome 90 has adopted a new Windows 10 security feature called “Hardware-enforced Stack Protection” to protect the memory stack from attackers. Hardware-enforced Stack Protection, which Microsoft previewed in March 2020, is designed to protect against return oriented programming (ROP) malware attacks by using CPU hardware to protect an application’s code while it runs in memory.

    The added protection is enabled in Chrome 90 on Windows 10 20H1 with the December update or later, and on Intel 11th Gen or AMD Zen 3 CPUs, which feature Control-flow Enforcement Technology (CET). For several years Intel and Microsoft have been working on CET to thwart ROP attacks, which can bypass existing memory-exploit mitigations to install malware. CET introduces “shadow stacks”, which are used exclusively for control transfer operations. These shadow stacks are isolated from the data stack and protected from tampering. Intel explained in its document on CET: “When shadow stacks are enabled, the CALL instruction pushes the return address on both the data and shadow stack. The RET instruction pops the return address from both stacks and compares them. If the return addresses from the two stacks do not match, the processor signals a control protection exception (#CP).”

    Google’s Chrome platform security team warns that the shadow stack might cause problems for some software loaded into Chrome. “[CET] improves security by making exploits more difficult to write. However, it may affect stability if software that loads itself into Chrome is not compatible with the mitigation,” the Chrome security team notes. Google, however, has also provided details for developers who need to debug a problem in Chrome’s shadow stack. Developers can see which processes have Hardware-enforced Stack Protection enabled in Windows Task Manager. Google describes ROP attacks as ones where “attackers take advantage of the process’s own code, as that must be executable.” The Chrome team explains how CET in Chrome works on Windows, with the operating system handling the comparison of return addresses from the “normal” stack and the shadow stack. If they don’t match, Windows raises an exception. “Along with the existing stack, the cpu maintains a shadow stack. This stack cannot be directly manipulated by normal program code and only stores return addresses,” the Chrome team explains. “The CALL instruction is modified to push a return address (the instruction after the CALL) to both the normal stack, and the shadow stack. The RET (return) instruction still takes its return address from the normal stack, but now verifies that it is the same as the one stored in the shadow stack region. If it is, then the program is left alone and it continues to work as it always did. If the addresses do not match then an exception is raised which is intercepted by the operating system (not by Chrome).” The operating system has an opportunity to modify the shadow region and allow the program to continue, but in most cases an address mismatch is the result of a program error, so the program is immediately terminated, Google explained.
    Microsoft in February also released developer guidance for Hardware-enforced Stack Protection. Microsoft’s Chromium-based Edge from version 90 has enabled the protection in “compatibility mode”.
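    The CALL/RET check the Chrome team describes, modelled as an added example in C (illustrative code written for this page, not Google’s, Intel’s or Microsoft’s; the two-stack machine, the `run_scenario` helper and the addresses in it are constructed assumptions). A saved return address is overwritten on the data stack only, which is all an overflow can reach, and the RET that consumes it reports the mismatch instead of jumping to it:

```c
/* Toy model of a CET shadow stack: CALL pushes the return address to both
 * stacks, RET pops both and compares; a mismatch is the #CP case. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define STACK_DEPTH 16

typedef struct {
    uint64_t data[STACK_DEPTH];   /* ordinary stack: program code can write it */
    uint64_t shadow[STACK_DEPTH]; /* shadow stack: return addresses only, not writable by code */
    int sp;                       /* one depth counter is enough for this model */
} Machine;

typedef enum { RET_OK, RET_CONTROL_PROTECTION } RetResult;

/* CALL: push the return address on both the data and the shadow stack. */
static void do_call(Machine *m, uint64_t return_addr) {
    m->data[m->sp] = return_addr;
    m->shadow[m->sp] = return_addr;
    m->sp++;
}

/* What a stack overflow achieves: a saved return address on the data stack
 * is replaced. The shadow stack is not reachable this way, so it keeps
 * the genuine address. (Constructed value, not a real gadget.) */
static void overwrite_saved_return(Machine *m, int slot, uint64_t value) {
    m->data[slot] = value;
}

/* RET: pop both stacks and compare. On mismatch the target is not used and
 * the CPU signals #CP, which the OS (not the program) handles. */
static RetResult do_ret(Machine *m, uint64_t *target) {
    m->sp--;
    uint64_t from_data = m->data[m->sp];
    uint64_t from_shadow = m->shadow[m->sp];
    if (from_data != from_shadow)
        return RET_CONTROL_PROTECTION;
    *target = from_data;
    return RET_OK;
}

/* Run main -> f -> g, then return twice. Returns how many RETs completed
 * cleanly before a #CP: 2 for an intact stack, 1 when f's saved return
 * address (slot 0) was overwritten, because the first RET (g -> f) is fine
 * and the second (f -> main) hits the mismatch. */
int run_scenario(bool corrupt_outer_frame) {
    Machine m = { .sp = 0 };
    uint64_t target;
    int clean_returns = 0;
    do_call(&m, 0x401000); /* constructed: return into main */
    do_call(&m, 0x401100); /* constructed: return into f */
    if (corrupt_outer_frame)
        overwrite_saved_return(&m, 0, 0xdeadbeef);
    for (int i = 0; i < 2; i++) {
        if (do_ret(&m, &target) == RET_CONTROL_PROTECTION)
            break; /* the OS would terminate the process here */
        clean_returns++;
    }
    return clean_returns;
}

int main(void) {
    printf("intact stack: %d clean returns\n", run_scenario(false));
    printf("overwritten return address: %d clean return(s) before #CP\n",
           run_scenario(true));
    return 0;
}
```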

  • Banking Trojan evolves from distribution through porn to phishing schemes

    A banking Trojan focused on Brazilian targets has evolved from using pornography as a distribution lure to using phishing emails.

    ESET researchers have named the Trojan Ousaban, a mixture of “boldness” and “banking trojan.” Kaspersky researchers track the malware as Javali, one of four major banking Trojans in Brazil, alongside Guildma, Melcoz, and Grandoreiro. Thought to have been in active circulation since 2018, the malware is written in Delphi, a programming language commonly employed for Trojans in the region. The term “boldness” stems from the malware’s roots in using sexual imagery as a lure and distribution vector. According to the researchers, some of the images used could be considered “obscene.” However, Ousaban has moved on since its roots in pornography and has now adopted a more typical approach to distribution. Phishing emails are sent using themes such as messages claiming there were failed package delivery attempts, asking users to open files attached to the email. The file contains an MSI Microsoft Windows installer package. If executed, the MSI extracts a JavaScript downloader that fetches a .ZIP archive containing a legitimate application that also installs the Trojan through DLL side-loading.

    A more complicated distribution chain has also been traced, in which the legitimate app has been tampered with to fetch an encrypted injector that obtains a URL containing remote configuration files for a command-and-control (C2) server address and port, as well as another malicious file that changes various settings on a victim’s PC. Ousaban contains the typical capabilities of a Latin American banking Trojan, including the installation of a backdoor, keylogging, screenshot capabilities, mouse and keyboard simulation, and the theft of user data. When victims visit banking institutions, screen overlays are employed to harvest account credentials. However, unusually for malware in the region, Ousaban will also attempt to steal account usernames and passwords from email services by using the same overlay technique. ESET says the Trojan’s persistence mechanism includes the creation of either a .LNK file or a VBS loader in the Windows startup folder, or alternatively, the malware will modify the registry. In addition, Ousaban uses Themida or Enigma binary obfuscation to hide its executable files and will inflate their sizes to roughly 400MB “to evade detection and automated processing.” Kaspersky says that Javali/Ousaban has expanded beyond its Brazilian base in the past year or so, but ESET has yet to find any links between the Trojan and a suggested presence in Europe. Last month, ESET explored Janeleiro, a .NET Trojan operating in Brazil with similarities to Casbaneiro, Grandoreiro, and Mekotio. This banking malware is being used in targeted attacks against enterprise and government entities.

  • Panda Stealer dropped in Excel files, spreads through Discord to steal user cryptocurrency

    A new cryptocurrency stealer variant is being spread through a global spam campaign and potentially through Discord channels. 

    Dubbed Panda Stealer, the malware has been found targeting individuals across countries including the US, Australia, Japan, and Germany, Trend Micro researchers said this week. The malware begins its infection chain through phishing emails, and samples uploaded to VirusTotal also indicate that victims have been downloading executables from malicious websites via Discord links. Panda Stealer’s phishing emails pretend to be business quote requests. So far, two methods have been linked to the campaign. The first uses attached .XLSM documents that require victims to enable malicious macros; if macros are permitted, a loader then downloads and executes the main stealer. In the second chain, an attached .XLS file contains an Excel formula that hides a PowerShell command. This command attempts to access a paste.ee URL to pull a PowerShell script to the victim’s system and then grab a fileless payload. “The CallByName export function in Visual Basic is used to call the load of a .NET assembly within memory from a paste.ee URL,” Trend Micro says. “The loaded assembly, obfuscated with an Agile.NET obfuscator, hollows a legitimate MSBuild.exe process and replaces it with its payload: the hex-encoded Panda Stealer binary from another paste.ee URL.”

    Once downloaded, Panda Stealer will attempt to detect keys and addresses associated with cryptocurrency wallets holding funds including Ethereum (ETH), Litecoin (LTC), Bytecoin (BCN), and Dash (DASH). In addition, the malware is able to take screenshots, exfiltrate system data, and steal information including browser cookies and credentials for NordVPN, Telegram, Discord, and Steam accounts. While the campaign has not been attributed to specific cyberattackers, Trend Micro says that an examination of the malware’s active command-and-control (C2) servers led the team to IP addresses and a virtual private server (VPS) rented from Shock Hosting. The server has since been suspended. Panda Stealer is a variant of Collector Stealer, malware that has been sold in the past on underground forums and through Telegram channels. The stealer appears to have since been cracked by Russian threat actors going under the alias NCP/su1c1de. The cracked malware strain is similar but uses different infrastructure elements such as C2 URLs and folders. “Because the cracked Collector Stealer builder is openly accessible online, cybercriminal groups and script kiddies alike can use it to create their own customized version of the stealer and C2 panel,” the researchers note. “Threat actors may also augment their malware campaigns with specific features from Collector Stealer.” Trend Micro says there are similarities in the attack chain and fileless distribution method to Phobos ransomware. Specifically, as described by Morphisec, the “Fair” variant of Phobos is similar in its distribution approach and is being constantly updated to reduce its footprint, such as by reducing encryption requirements, in order to stay under the radar for as long as possible. The researchers also noted correlations between Phobos and LockBit in an April 2021 report.