More stories

  • ServiceNow launches unified agent platform, aims to meld diagnostics with incident automation

    ServiceNow is rolling out a unified platform to collect diagnostic information across enterprise applications, cloud and on-premises infrastructure to better automate incidents and prevent disruptions. The company is launching Agent Client Collector, or ACC, to deliver visibility and allow service and operations teams to automate incident resolution. ACC is also designed to proactively identify and prevent service disruptions. ServiceNow’s approach with ACC is to unify agents into one platform. Traditional agents are often siloed and focused on specific hardware, software and cloud platforms. ACC will also use its data to optimize spending. Features of ACC include:

    • Policy-driven monitoring of applications and endpoints. ServiceNow is looking to enable customers to cut spending on standalone monitoring tools.
    • Real-time visibility of endpoint configuration and performance data within an agent’s workspace via a feature called Live Asset View.
    • Automation playbooks for service and operations teams. The automation playbooks will cover hardware asset management, which collects asset attributes and performance data, and software asset management focused on inventory, usage and spending optimization.

    ACC can support ServiceNow products across IT Operations Management (ITOM), IT Service Management (ITSM), Hardware Asset Management (HAM), Software Asset Management (SAM) and Security Operations (SecOps).

  • Malware and ransomware gangs have found this new way to cover their tracks

    There’s been a huge uptick in the proportion of malware using TLS, or Transport Layer Security, to communicate without being spotted, cybersecurity firm Sophos reports. While HTTPS helps prevent eavesdropping, man-in-the-middle attacks, and hijackers who try to impersonate a trusted website, the protocol has also offered cover for cybercriminals to privately share information between a website and a command and control server — hidden from the view of malware hunters. “It should come as no surprise, then, that malware operators have also been adopting TLS … to prevent defenders from detecting and stopping deployment of malware and theft of data,” Sophos said. Malware communications fall into three main categories: downloading more malware, exfiltration of stolen data, or command and control. All these types of communications can take advantage of TLS encryption to evade detection by defenders, the security company said. According to Sophos, a year ago 24% of malware was using TLS to communicate, but today that proportion has risen to 46%. Sophos said a large portion of the growth in overall TLS use by malware can be linked in part to the increased use of legitimate web and cloud services protected by TLS as unwitting storage for malware components, as destinations for stolen data, or even to send commands to botnets and other malware. It also said it has seen an increase in the use of TLS in ransomware attacks over the past year, especially in manually-deployed ransomware — in part because of attackers’ use of modular offensive tools that leverage HTTPS.

    “But the vast majority of what we detect day-to-day in malicious TLS traffic is from initial-compromise malware: loaders, droppers and document-based installers reaching back to secured web pages to retrieve their installation packages,” it said. “We found that while TLS still makes up an average of just over two percent of the overall traffic Sophos classifies as ‘malware callhome’ over a three-month period, 56 percent of the unique C2 servers (identified by DNS host names) that communicated with malware used HTTPS and TLS.” One dropper it highlights is the PowerShell-based LockBit ransomware, which remotely grabbed scripts from a Google Docs spreadsheet via TLS. But malware operators often use multiple web services for different functions.

  • Now this botnet is hunting for unpatched Microsoft Exchange servers

    Cyber criminals are trying to use vulnerabilities in Microsoft Exchange servers to add to their botnet for mining cryptocurrency – but the level of access they’re gaining means they could use their access for other, much more dangerous cyberattacks. Detailed by cybersecurity researchers at Cybereason, the Prometei botnet is a widespread global campaign that is targeting organisations in a multi-stage attack.

    The cyber criminals behind the botnet are exploiting vulnerabilities in Microsoft Exchange Server as a means of penetrating networks. There are existing security updates, which can be installed in order to protect against attacks, but Prometei is scanning the internet for organisations that have yet to apply the patch and using that to gain a foothold on networks. Prometei isn’t targeting an organisation in particular; the attackers are just looking for any vulnerable networks they can exploit. According to researchers, the botnet has claimed victims in multiple industries in regions including North America, South America, Europe and East Asia. The main objective of the attackers is to install cryptojacking malware to mine for Monero – allowing the criminals to secretly use the processing power of infected devices to line their pockets with cryptocurrency. Prometei uses the vulnerabilities in Microsoft Exchange servers to gain initial access to the network and attempts to infect as many endpoints as it can – using a variety of known attack techniques to move laterally around networks.

    These include harvesting login credentials, exploiting RDP vulnerabilities and even using older exploits including EternalBlue and BlueKeep to move around networks, performing the reconnaissance required to compromise as many machines as possible. Like the Microsoft Exchange Server vulnerabilities, EternalBlue and BlueKeep have received patches – but the attackers are able to exploit organisations that haven’t applied them across their network. “Unfortunately, having a patch available does not equal rapid deployment of the patch, as we have seen repeatedly in the past. For example, years after the EternalBlue exploit leaked and patches were available, we still kept seeing attackers exploiting this vulnerability,” Assaf Dahan, head of threat research at Cybereason, told ZDNet. Those behind Prometei appear to want to achieve long-term persistence on the network, and they do that by using techniques associated with sophisticated cyber-criminal operations and even nation-state hacking groups. For now at least, Prometei is focused on mining for cryptocurrency. “The longer they can remain undetected on the network, the more cryptocurrency is being mined. Therefore, they improved the botnet’s resilience, added stealth features to the malware and used techniques and tools that are many times associated with Advanced Persistent Threats,” said Dahan. “If they desire to do so, the attackers could also infect the compromised endpoints with other malware and collaborate with ransomware gangs to sell access to the endpoints,” he added. Not much is known about the cyber-criminal operation behind Prometei, but Cybereason’s analysis of the group’s activity suggests it’s Russian speaking – and it appears as if the group actively looks to avoid infecting targets in Russia.

    The name of the botnet, “Prometei”, is also the Russian word for Prometheus, the Titan who brought fire in Greek mythology. Prometei is still believed to be actively scanning for new targets to infect – and the best way to avoid falling victim is to apply the critical security updates for Microsoft Exchange Server. “First and foremost, organisations should strive to have a good patch management procedure and to patch potentially vulnerable systems,” said Dahan. “But most importantly, IT and security teams should be proactive and continuously hunt for known threats,” he concluded.

  • New US Justice Department team aims to disrupt ransomware operations

    The US Department of Justice (DoJ) is forming a new task force to deal with the “root causes” of ransomware.

    In an internal memo, the DoJ outlines the creation of a new initiative that will bring together current efforts in federal government to “pursue and disrupt” ransomware operations. As noted by CNN, this could include the takedown of command-and-control (C2) servers used to manage ransomware campaigns, as well as the legal seizure of “ill-gotten gains” generated by such schemes. Popular ransomware strains include Petya, Locky, Maze, and CryptoLocker. These forms of malware encrypt drives on infected machines and operators then demand a ransom payment in return for a decryption key. Depending on the victim’s worth, blackmail demands can reach millions of dollars. Over the past year or so, double-extortion tactics have also been put into play more widely, in which sensitive data is stolen before encryption begins. If a victim refuses to pay up, they may be threatened with the leak of this information to the public. Recent examples of these tactics include the REvil ransomware gang’s targeting of Acer and Apple supplier Quanta. The memo added that the new task force will also reach out to private sector organizations to gain more intelligence on ransomware threats and trends. Links between ransomware operations and state-sponsored threat actors will also be examined.

    Furthermore, the federal government intends to pour more resources into training. In light of the SolarWinds breach and Microsoft Exchange Server disaster, President Biden’s administration appears to be taking cybersecurity seriously. Earlier this week, the White House revealed a 100-day plan to tackle threats to the US electricity grid. Acting Deputy Attorney General John Carlin said 2020 was the “worst year” to date when it comes to ransomware and extortion attempts. “If we don’t break the back of this cycle, a problem that’s already bad is going to get worse,” Carlin told the Wall Street Journal.

  • Services Australia penalised for breaching privacy of a vulnerable customer

    The Australian Information Commissioner has issued Services Australia with a notice to pay a customer AU$19,980 as atonement for breaching her privacy. The woman was in receipt of Centrelink benefits administered by the Department of Human Services, now Services Australia. At the time, she lived with her then-partner, and as such, her entitlements were calculated by taking his income into consideration as their respective online accounts were linked. “One effect of ‘linking’ records meant that if the complainant were to update her address using her online account, her partner’s address on his online account would also be updated to reflect the change, and vice versa,” the commissioner’s finding detailed. “The agency’s practice was to continue to keep such records linked unless and until it verified any claimed separation on the part of one of the linked individuals.” An Apprehended Violence Order (AVO) was taken out against the then-partner in December 2015, which the man was later imprisoned for breaching. The woman shortly after attempted to lodge a “Claim for Crisis Payment: extreme circumstance and domestic violence” form with the agency, seeking what is referred to as a crisis payment. The agency denied this claim for payment on the basis that the complainant continued to reside at the original address, that the AVO did not exclude the former partner from returning to the original address, and that the complainant was still in a relationship with the partner, the commissioner’s finding explains. A “separation details form” was then filed, but it was marked as incomplete by the agency and the woman’s details, six months later, were still not updated.

    In September 2016, the woman moved to a new address and claimed that she had notified the agency of this change by attending an office in person. The following month, the new address was entered as an update to her online account and was submitted; however, the change was not processed by the agency at that time — it wasn’t until January 2017 that the agency processed the change of address. The former partner’s online account was also updated to the new address at this time. Her marital status was also finally changed to reflect she was single. Subsequently, the former partner posted a screenshot of the new address to a social media platform used by the complainant with a comment “change your myGov”, the information commissioner said. The AU$19,980 Services Australia has been asked to pay comprises AU$10,000 for non-economic loss, AU$8,000 for reasonably incurred legal expenses, and AU$1,980 for reasonably incurred expenses in preparing a medical report. The agency denies that it interfered with the woman’s privacy, but it does not dispute that it disclosed the new address to the former partner and that when it was disclosed, it amounted to the complainant’s personal information. The agency said it “was unable to accept that claim in the absence of full address details for referees who could verify the separation”. The commissioner found the agency failed to ensure the complainant’s personal information about her separation status was kept accurate and up-to-date, in breach of Australian Privacy Principle (APP) 10, and similarly that her address was not accurate and up-to-date.

    It was also found the agency’s disclosure of the complainant’s personal information to the former partner breached APPs 6 and 11. “I find that the agency has breached APP 11 by failing to take reasonable steps to protect the complainant’s personal information, being her new address, from the unauthorised disclosure that breached APP 6,” the commissioner wrote. The agency has now updated its form to provide more protections from potential domestic violence situations. The commissioner has also directed the agency to engage an independent auditor within three months to assess its policies, procedures, and systems against the requirements of APP 11. In a second case, the commissioner has asked the agency to pay AU$1,000 for loss caused by the interference with the complainant’s privacy. The complainant contends that his privacy was breached by the agency when it provided his personal information to an external debt collection agency for the purposes of debt recovery, the debts being “unlawful”. Due to this, the complainant is arguing that the disclosure of his information was not authorised under APP 6. He also claims that the agency breached APP 10 by disclosing the existence of the debts to the collection firm. The commissioner declared the agency engaged in conduct constituting an interference with the privacy of the complainant and must not repeat that conduct.

    If you or anyone you know in Australia needs help, contact one of these services:

    • Suicide Call Back Service on 1300 659 467
    • Lifeline on 13 11 14
    • Kids Helpline on 1800 551 800
    • MensLine Australia on 1300 789 978
    • Beyond Blue on 1300 22 46 36
    • Headspace on 1800 650 890
    • QLife on 1800 184 527

  • Facebook uncovers Palestinian government officials targeted with malware

    Facebook has published new findings that unveil two Palestinian organisations have been running cyberespionage campaigns against government officials, student groups, and security forces. The two groups both used fake and compromised social media accounts posing primarily as young women, and also as Fatah or Hamas supporters, various military groups, journalists, and activists to build trust with people in order to trick them into installing malicious software. According to Facebook, one group, dubbed Arid Viper, has been linked to the cyber arm of Hamas. Meanwhile, the other is linked to the Palestinian Preventive Security Service (PSS), one of the security arms of Palestine, where the current president is a member of the Fatah party. Fatah and Hamas have been engaged in a civil war since 2006. Publishing a threat report [PDF] of Arid Viper’s activity, Facebook said the threat actor used fully functional custom iOS surveillanceware that was capable of stealing sensitive user data from iPhones without requiring the devices to be jailbroken. The surveillanceware, labelled as Phenakite, was trojanised inside fully functional chat applications that used the open-source RealtimeChat code for legitimate reasons. This malware could also direct victims to phishing pages for Facebook and iCloud in order to steal credentials for those services. As this process used legitimate developer certificates, iOS devices did not need to be jailbroken to be surveilled. While Phenakite did not require a jailbreak for installation, once on a device, it needed to adhere to the usual operating system security controls that prevent access to sensitive information from unauthorised applications.

    To circumvent that, Phenakite came bundled with the publicly available Osiris jailbreak and the Sock Port exploit, which meant that Phenakite was capable of using Osiris to jailbreak all 64-bit devices on iOS 11.2 to 11.3.1, or the Sock Port exploit to extend this to devices running iOS 10.0 to 12.2. If the Osiris jailbreak was successful, Phenakite could then retrieve photos from the camera roll, take images with the device camera, retrieve contacts, silently record audio, access documents and text messages, and upload WhatsApp data.

    The Android malware deployed by Arid Viper, meanwhile, required victims to install apps from third-party sources on their devices. The group used hundreds of attacker-controlled sites, along with the aforementioned fake social media accounts, to create the impression that the apps were legitimate in order to convince victims into installing them. The trojanised chat applications in both Android and iOS were primarily pretending to be dating apps.

    Examples of the trojanised chat applications. Image: Facebook

    In all instances, the successful installation of these tools did not require any exploits, which the report said suggests that Arid Viper operators heavily relied on social engineering to distribute their malware. Of particular concern to Facebook was that Arid Viper’s use of custom surveillanceware demonstrated that this capability was becoming increasingly attainable by adversaries even if they are not as technologically sophisticated. “As the technological sophistication of Arid Viper can be considered to be low to medium, this expansion in capability should signal to defenders that other low-tier adversaries may already possess, or can quickly develop, similar tooling,” Facebook said. Meanwhile, PSS used similar tactics of utilising social engineering to coerce their targets into installing Android and Microsoft malware, Facebook said. PSS malware, once installed onto devices, collected information such as device metadata, call logs, location, contacts, and text messages. In rare cases, it also contained keylogger functionality. Rather than targeting pro-Fatah individuals, the PSS used its malware to target various groups, including people opposing the Fatah-led government, journalists, human rights activists, and military groups including the Syrian opposition and Iraqi military. According to Facebook, these findings are the first public reporting of this particular cyberespionage activity conducted by PSS. Following the investigation into the conduct of Arid Viper and PSS, Facebook has released a set of indicators addressing such activity. The indicators include 10 Android malware hashes, two iOS malware hashes, eight desktop malware hashes, and 179 domains. Facebook has also notified targeted individuals and industry partners, which led to Arid Viper’s developer certificates being revoked and various accounts and websites being blocked or removed.

    Last month, Facebook said it disrupted a network of hackers tied to China that were attempting to distribute malware via malicious links shared under fake personas. The malware allegedly targeted around 500 users.

  • Signal rattles sabre and exposes crackable Cellebrite underbelly

    Image: Signal

    Phone scanning and data extraction company Cellebrite is facing the prospect of app makers being able to hack back at the tool, after Signal revealed it was possible to gain arbitrary code execution through its tools. Cellebrite tools are used to pull data out of phones the user has in their possession. “By including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures,” Signal CEO Moxie Marlinspike wrote. “This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.” Usually, when vulnerabilities of this type are found, the issue is disclosed to the maker of the software to fix, but since Cellebrite makes a living from undisclosed vulnerabilities, Marlinspike raised the stakes. “We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future,” he said. The Signal CEO said that Cellebrite contains “many opportunities for exploitation” and he thought they should have been more careful when creating the tool.

    For instance, Cellebrite bundles FFmpeg DLLs from 2012. Since that year, FFmpeg has had almost 230 vulnerabilities reported. Marlinspike also pointed out that Cellebrite is bundling two installers from Apple to allow the tools to extract data when an iOS device is used. “It seems unlikely to us that Apple has granted Cellebrite a license to redistribute and incorporate Apple DLLs in its own product, so this might present a legal risk for Cellebrite and its users,” he said. In a video dripping with references to the movie Hackers, Marlinspike showed an exploit in action, before rattling a sabre in the direction of Cellebrite. “In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software,” he said. “We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.” Marlinspike said he was incredibly lucky to have found a Cellebrite tool package lying on the ground while going for a walk. In December, Marlinspike lashed out at Cellebrite claims that it could crack Signal’s encryption. “Cellebrite posted something with a lot of detail, then quickly took it down and replaced it with something that has no detail,” Marlinspike wrote at the time. “This is not because they ‘revealed’ anything about some super advanced technique they have developed (remember, this is a situation where someone could just open the app and look at the messages). They took it down for the exact opposite reason: it made them look bad. “Articles about this post would have been more appropriately titled ‘Cellebrite accidentally reveals that their technical abilities are as bankrupt as their function in the world.’”

  • User ability to opt-out key in Google FLoC debacle

    Advertisers want to be effective in the content they push to consumers, but consumers must be given the ability to opt out if they do not want personalised advertising. This remains essential even as the debate over Google’s Federated Learning of Cohorts (FLoC) rages on. Marketers typically would want to reach out to segments of their audience, rather than just a single consumer. This was what cohorts set out to do, said Acquia’s chief science officer Omer Artun, in a video call with ZDNet. Acquia offers tools that enable brands to create and track cohorts, as well as analyse their performance so they have the insights to improve their marketing campaigns. Snapshots of cohorts also could be captured to monitor how these audience segments evolved after the cohort was created. This allowed marketers to identify changes and trends in customer behaviour, and tweak their marketing activities to improve sales of items that were not selling well, for instance.

    Artun likened it to doctors treating an illness. Their primary goal here was not to know who the patients were, but to flush out the symptoms so they could identify the illness and decide on the treatment. Google’s use of cohorts, however, had drawn strong criticism mainly for how the tech giant would share a summary of recent browser history with marketers. It had said FLoC removed the need for individual identifiers whilst still enabling brands to reach people with relevant content and ads by targeting clusters of people with common interests. Google last week began testing the feature for Chrome users in several countries, including India, Australia, Indonesia, and Japan, but not in markets where the European Union’s GDPR (General Data Protection Regulation) was in place. The Electronic Frontier Foundation (EFF) said in a post last month that the core design of FLoC involved sharing new information with advertisers that created new privacy risks. It pointed to browser fingerprinting as one key issue, as it gathered discrete pieces of information from a user’s browser to build a unique identifier for that browser. “If a tracker starts with your FLoC cohort, it only has to distinguish your browser from a few thousand others–rather than a few hundred million,” EFF said, adding that it would be easier for trackers to establish a unique fingerprint for FLoC users.

    The non-profit organisation added that FLoC also would share new personal data with trackers that could already identify users. “For FLoC to be useful to advertisers, a user’s cohort will necessarily reveal information about their behaviour,” it said. “Moreover, as your FLoC cohort will update over time, sites that can identify you in other ways will also be able to track how your browsing changes. Remember, a FLoC cohort is nothing more, and nothing less, than a summary of your recent browsing activity. You should have a right to present different aspects of your identity, in different contexts.” A few Chromium-based browsers including Vivaldi and Brave stepped up to say they had removed FLoC from their platforms over privacy concerns. WordPress also was considering blocking the Google feature from its blogging system. Search engine DuckDuckGo also released an extension that blocked FLoC. Asked for his comments over the latest developments, Artun told ZDNet there would be critics “to anything, anybody” with regards to advertising. “The idea is to create an efficient system of advertising while protecting privacy,” he said. “If you don’t want any advertising to be personalised, then opt-out [or] use another browser.” These alternative browsers operated to address a portion of the population that did not want advertising, he said. “FLoC is a good way to hide specific user information, but at the same time, group interests,” he added. Artun noted that if advertisers were rendered “blind”, then ads would be inefficient and consumers would end up paying more for whatever they wanted to purchase.

    Consumers should be able to control their own data

    He said several issues also remained unclear, such as whether first-party data could be matched with FLoC identifiers, hence giving more information about users than was available today. He expressed confidence that such issues would be addressed in future in a way that balanced privacy and ad targeting. He reiterated that anyone still could opt out and that this process should be made easy for those who wished to do so. Artun further advocated the need for “a Delete option”, which would allow users such as him to view the cohorts they were segmented into and remove themselves from cohorts they did not want to be part of. “I should be able to go to a digital marketer’s platform and delete it,” he said. “Imagine if you can control the data and delete anything related to it. You don’t have that option right now. To be able to see the data and be able to erase or control the data is what I think will be the nirvana [for consumers].” He also called for more transparency on what online platforms such as Google and Amazon were doing with consumers’ data. Giving users control over their data was, in itself, personalisation, he added. “Transparency and control–these are the two things that are missing right now,” he noted.