More stories


    Colombian energy, metal firms under fire in new Trojan attack wave

A wave of attacks against companies in Colombia uses a trio of Remote Access Trojans (RATs) to steal confidential, sensitive data.

    The campaign, dubbed Operation Spalax, was revealed by ESET researchers on Tuesday. 
In a blog post, the cybersecurity firm said government and private entities in Colombia are being exclusively targeted by the threat actors, who seem to have a particular interest in the energy and metallurgical industries.
    ESET began tracking the campaign, which is ongoing, in the second half of 2020 when at least 24 IP addresses — likely compromised devices acting as proxies for the attackers’ command-and-control (C2) servers — were linked to a spate of attacks. 
    To begin the infection chain against a target entity, the threat actors use a traditional method: phishing emails. The subjects of these fraudulent messages range from demands to attend court hearings to bank account freeze warnings and notifications to take a mandatory COVID-19 test. 
    In some samples, agencies including the Office of the Attorney General (Fiscalia General de la Nacion) and the National Directorate of Taxes and Customs (DIAN) were impersonated.
    Each email has a .PDF file attached, linking to a .RAR archive. If the victim downloads the package — located on OneDrive, MediaFire, and other hosting services — an executable file within triggers malware. 

The threat actors use a selection of droppers and packers to deploy the Trojan payloads, all of which serve one purpose: to execute a RAT by injecting it into a legitimate process.
    The three payloads are all available commercially and have not been developed in-house by the cyberattackers. 
    The first is Remcos, malware available on underground forums for as little as $58. The second RAT is njRAT, a Trojan most recently spotted in campaigns using Pastebin as an alternative to C2 structures, and the third is AsyncRAT, an open source remote administration tool. 
    “There is not a one-to-one relationship between droppers and payloads, as we have seen different types of droppers running the same payload and also a single type of dropper connected to different payloads,” ESET notes. “However, we can state that NSIS droppers mostly drop Remcos, while Agent Tesla and AutoIt packers typically drop njRAT.”
    The RATs are able to provide remote access control to the threat actors and also contain modules for keylogging, screen capture, clipboard content harvesting, data exfiltration, and both the download and execution of additional malware, among other functions. 
According to ESET, there are no concrete clues to attribution; however, there are some overlaps with APT-C-36, also known as Blind Eagle. This APT was connected to attacks in 2019 against Colombian entities intended to steal sensitive information.
The attackers' use of dynamic DNS services means that the campaign's infrastructure is also constantly changing, with new domain names regularly registered for use against Colombian companies.
    ESET also noted links to research conducted by Trend Micro in 2019. The phishing tactics are similar, but whereas Trend Micro’s report relates to spying and potentially the targeting of financial accounts, ESET has not detected any use of payloads beyond cyberespionage. However, the company acknowledges that some of the targets of the current campaign — including a lottery agency — don’t appear to make logical sense just for spying activities. 
    The cybersecurity firm added that due to the large and fast-changing infrastructure of this campaign, we should expect these attacks to continue in the region for the foreseeable future. 


    Facebook targets “stop the steal” content ahead of Inauguration Day

    Facebook is working “24/7” to tackle content including “stop the steal” from spreading across the network ahead of the US Inauguration Day.

    With the scenes at the Capitol building fresh in our minds and as US police continue to hunt down rioters involved in the siege, thoughts have turned toward the upcoming inauguration, when President-elect Joe Biden will be sworn into office on January 20.
    The FBI has warned states of potentially armed protests ahead of and during the event, and in an attempt to prevent Facebook from becoming a means to incite further violence, the social network has begun preparing for Inauguration Day with “new urgency.”
    According to Guy Rosen and Monika Bickert, Facebook VPs of Integrity and Global Policy Management, the company has assessed the next two weeks as a “major civic event.”
    On January 11, the duo said the same teams used to tackle inappropriate content ahead of the US election are now in place to try and stop the spread of misinformation, conspiracies, and violent content. 
    Facebook is now targeting “stop the steal,” a phrase used by Trump supporters who believe the election was stolen, on both the main network and Instagram. In the lead up ahead of the inauguration, Facebook is going beyond taking down the original stop the steal group and will now remove related pages, groups, and events that may be used to encourage violence. 
    “It may take some time to scale up our enforcement of this new step but we have already removed a significant number of posts,” the company says. 

    Facebook will also provide information to law enforcement when “legitimate” requests are made and will delete any content considered a “direct threat to public safety.”
    During inauguration week, the tech giant will launch a Facebook News digest relating to the event as a source for legitimate news, in a similar manner to the hub launched for COVID-19. 
    Facebook intends to maintain a block on US political or election-related adverts, including ads submitted by politicians. 
    “We will stay vigilant to additional threats and take further action if necessary to keep people safe and informed,” Facebook says. 
    Facebook also announced the hire of Roy Austin to help lead a new civil rights organization within Facebook. Austin is a Harris, Wiltshire & Grannis LLP civil rights attorney who will take the posts of VP of Civil Rights and Deputy General Counsel for the social network, starting January 19. 
    Twitter, too, is taking action in an attempt to stop content being shared across the microblogging platform to “incite violence, organize attacks, and share deliberately misleading information about the election outcome.”
    The company is permanently suspending accounts — the most high-profile of late being that belonging to US President Trump (@realDonaldTrump) — and in total, since Friday, a further 70,000 accounts have been wiped out. 
    According to Twitter, in some cases, a single individual would control multiple accounts in order to spread QAnon content. 
    “Accounts that have tweeted or retweeted [QAnon] associated content will continue to be subject to limited visibility across search, replies, and on timelines and are prohibited from being recommended to others by Twitter,” the company says. 
Twitter has also stopped tweets that carry a warning label for violating its civic integrity policies from being replied to, liked, or retweeted, although Quote Tweet is still active.


    Over 30 million 'COVID safe' check-ins through the Service NSW app

    New South Wales residents have been using a QR code scanner within the Service NSW app to check into businesses across the state to help health authorities with COVID-19 contact tracing.
    The mandatory use of the Service NSW QR code was first announced last month, with Minister for Customer Service Victor Dominello on Tuesday revealing there have been over 30 million check-ins since the feature went live.
    “This pandemic is tough enough,” he said in a Facebook post. “If people do not want to check in, they are not only putting public health at risk but also the economy at risk.
    “We only have to look at London and New York to see what happens when public health spirals out of control.”
    Read more: NSW says QR codes are the most effective system for COVID-19 contact tracing
    The minister said checking in via a QR code is not too much to ask during a pandemic.
    “It only takes a matter of seconds and keeps people safe and the economy open,” he added.

The QR code-based check-in system is mandatory for hospitality businesses and hairdressers. Businesses that do not use the Service NSW QR code check-in system face AU$5,000 fines and closure for a week, and should the venue further fail to comply, potentially a month's closure.
    As of late December, 50,000 businesses were on board and 2 million people have used the Service NSW QR code feature.
    Dominello on Tuesday added his department had received over 1.7 million pieces of feedback on the feature, using a thumbs up emoji to indicate a positive response sitting at around 94%.
    Last week, the Service NSW app suffered a two-hour outage, rendering citizens unable to check in to businesses and venues across the state through the app.
    A spokesperson for the Department of Customer Service told ZDNet the outage was unexpected.
    “This afternoon Service NSW App experienced an unexpected outage preventing some customers from checking in with the COVID Safe Check-in tool. The outage lasted for 2 hours and is now resolved,” they said on Thursday.
As of Tuesday morning, NSW Health said there were five new locally acquired cases of COVID-19 in the 24 hours to 8pm Monday night.
Another 11 cases were recorded in returned travellers, bringing the total number of COVID-19 cases in NSW since the beginning of the pandemic to 4,845.


    Over 50 Aussie MPs form group aimed at holding social media companies accountable

    Over 50 Australian MPs have joined a new parliamentary group that aims to hold technology giants accountable for the information they allow on their platforms.
    The Parliamentary Friends of Making Social Media Safe group is explained as providing a non-partisan forum for MPs to meet and highlight the environment of social media and the risks associated.
    The group will also consider how platforms can be held accountable for the material published on their sites, and what policy measures can be considered by governments to keep social media platforms safe.
    One member of the group is Science Minister Karen Andrews, who called it an avenue for “starting the conversation”. Speaking on 3AW on Tuesday morning, Andrews said one of the first items on the group’s agenda is to look at what the issues are, and how best to prosecute that.
    See also: Labor floats jail time as penalty for social media giants that breach Aussie law
    Pointing to the permanent suspension of soon-to-be former United States President Donald Trump from Twitter, Andrews said there was a “whole range of questions” stemming from the ban, such as the consistency and fairness of various rules across social media sites.
    “There have been many instances of comments that have been taken down from various platforms, but yet in some instances, these platforms are very quick to act when it seems as if the subject content is something that they don’t personally agree with,” she said. “That is unfair, it is inconsistent, and it lacks the transparency that we are looking for.”

    The minister was asked if she believes there were double standards, given the amount of “disgusting” content still proliferating on social media sites, despite Trump’s ban.
    “That is the absolute lack of transparency and the subjectivity that I am most concerned about. There needs to be fairness, it needs to be very clear that these rules are being applied in a consistent manner. And it’s pretty obvious that at the moment they’re not,” Andrews said in response.
    Former Opposition Leader Bill Shorten, meanwhile, said for all its blessings, the internet also has an underbelly, likening it to a “sewer”.
    “The internet has proven to be a magnet to draw together idiots and conspiracists who otherwise would never meet each other,” he said Tuesday morning.
    “I mean, it may be the one favour Donald Trump’s done the world is getting himself banned on Twitter, because if Twitter can do it to him, then maybe some of the inflammatory comments that get said about our kids or about people in daily life, maybe we can just — you know, you’re free to speak, but you’ve got to face the consequences of it.”
    Also a member of the group is Shadow Assistant Minister for Treasury Andrew Leigh, who echoed remarks made by ALP’s acting communications spokesperson Tim Watts, saying the social media companies have self-regulatory policies which are “pretty much” in accord with Australia’s democratic norms.
    “You don’t incite violence, you don’t spread hate speech, you don’t spread dangerous medical misinformation,” he said.
    “But it is appropriate that over time we also look at the way in which these platforms have chosen to make their decisions of banning particular people.”
    Leigh said in Trump’s case, he unequivocally thinks Twitter made the right call.
    “If you’re inciting violence, you shouldn’t be on one of these platforms,” he said.
    The shadow minister pointed to remarks made by two Coalition MPs he said were spreading dangerous misinformation during a pandemic. One of the MPs, Michael McCormack, who is currently acting prime minister while Scott Morrison takes leave, was called on by Leigh to “stand up for sensible science”.
    McCormack said he supported free speech and did not believe in the type of censorship demonstrated in the United States. The acting prime minister on Monday compared the 2020 Black Lives Matter protests to the riot on the Capitol, with the ABC quoting him as saying “any form of violence” should be condemned.  
    McCormack on Tuesday also declared “all lives matter” during a press conference. He also said most of what his colleagues have said is true and that people on Twitter need to “toughen up”. 
    The parliamentary group was stood up by Labor MP Sharon Clayton and Nationals MP Anne Webster.
    Webster’s family was last year awarded an AU$875,000 defamation payout from a woman who used Facebook to make “disgraceful and inexplicable” posts about the Victorian MP.


    Third malware strain discovered in SolarWinds supply chain attack

    Cyber-security firm CrowdStrike, one of the companies directly involved in investigating the SolarWinds supply chain attack, said today it identified a third malware strain directly involved in the recent hack.
    Named Sunspot, this finding adds to the previously discovered Sunburst (Solorigate) and Teardrop malware strains.
But while Sunspot is the latest discovery in the SolarWinds hack, CrowdStrike said the malware was actually the first one used.
    Sunspot malware ran on SolarWinds’ build server
In a report published today, CrowdStrike said that Sunspot was deployed in September 2019, when hackers first breached SolarWinds' internal network.
The Sunspot malware was installed on SolarWinds' build server, a type of software used by developers to assemble smaller components into larger software applications.
    CrowdStrike said Sunspot had one singular purpose — namely, to watch the build server for build commands that assembled Orion, one of SolarWinds’ top products, an IT resources monitoring platform used by more than 33,000 customers across the globe.
    Once a build command was detected, the malware would silently replace source code files inside the Orion app with files that loaded the Sunburst malware, resulting in Orion app versions that also installed the Sunburst malware.
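A build-integrity check of the kind that would surface a source-file swap like the one described above, as an added example (not SolarWinds' or CrowdStrike's code): it pins a SHA-256 manifest of the source tree at checkout and re-verifies it immediately before the compile step, so a file replaced in between is reported as modified. The directory layout and file names are constructed for the demonstration.

```python
"""Verify that a source tree is unchanged between checkout and compile."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Only files a compiler would consume are tracked (constructed list, extend as needed).
SOURCE_SUFFIXES = (".cs", ".csproj", ".cpp", ".h", ".py")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large sources do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot_tree(root: Path) -> dict[str, str]:
    """Map each source file's path (relative to root, POSIX form) to its hash."""
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def diff_manifests(pinned: dict[str, str], observed: dict[str, str]) -> dict[str, list[str]]:
    """Files whose content changed, appeared, or vanished relative to the pinned manifest."""
    return {
        "modified": sorted(f for f in pinned if f in observed and pinned[f] != observed[f]),
        "added": sorted(f for f in observed if f not in pinned),
        "missing": sorted(f for f in pinned if f not in observed),
    }


def verify_before_compile(root: Path, pinned: dict[str, str]) -> tuple[bool, dict[str, list[str]]]:
    """Gate for the compile step: True only if the tree still matches the pinned manifest."""
    report = diff_manifests(pinned, snapshot_tree(root))
    return not any(report.values()), report


def demo() -> tuple[bool, bool, dict[str, list[str]]]:
    """Constructed scenario: pin at checkout, then one source file is silently replaced."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "Service.cs").write_text("class Service { }\n")
        (root / "src" / "Module.cs").write_text("class Module { }\n")
        (root / "build.log").write_text("not a source file, ignored\n")

        # Manifest pinned at checkout; in a real pipeline it would be derived from the
        # committed revision and stored outside the build host's reach.
        pinned = snapshot_tree(root)
        ok_before, _ = verify_before_compile(root, pinned)

        # Simulated tamper between checkout and compile: the file is swapped in place.
        (root / "src" / "Service.cs").write_text("class Service { /* replaced */ }\n")
        ok_after, report = verify_before_compile(root, pinned)
        return ok_before, ok_after, report


if __name__ == "__main__":
    before, after, rep = demo()
    print("clean at checkout:", before)
    print("clean before compile:", after, rep)
```

A pipeline would abort the build and alert when the gate returns False; the manifest must live somewhere the build host cannot rewrite, or a process with write access to the sources could update it too.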
    Timeline of the SolarWinds supply chain attack

These trojanized Orion clients eventually made their way onto SolarWinds' official update servers and were installed on the networks of the company's many customers.
    Once this happened, the Sunburst malware would activate inside internal networks of companies and government agencies, where it would collect data on its victims and then send the information back to the SolarWinds hackers (see this Symantec report about how data was sent back via DNS request).
Threat actors would then decide whether a victim was important enough to compromise further and would deploy the more powerful Teardrop backdoor trojan on those systems while, at the same time, instructing Sunburst to delete itself from networks deemed insignificant or too high-risk.
The discovery of a third malware strain is only one of three major updates that came to light today about this incident.
    In a separate announcement published on its blog, SolarWinds also published a timeline of the hack. The Texas-based software provider said that before the Sunburst malware was deployed to customers between March and June 2020, hackers also executed a test run between September and November 2019.
    “The subsequent October 2019 version of the Orion Platform release appears to have contained modifications designed to test the perpetrators’ ability to insert code into our builds,” SolarWinds CEO Sudhakar Ramakrishna said today, in an assessment also echoed by the CrowdStrike report.

    Code overlap with Turla malware
    On top of this, security firm Kaspersky also published its own findings earlier in the day in a separate report.
    Kaspersky, which was not part of the formal investigation of the SolarWinds attack but still analyzed the malware, said that it looked into the Sunburst malware source code and found code overlaps between Sunburst and Kazuar, a strain of malware linked to the Turla group, Russia’s most sophisticated state-sponsored cyber-espionage outfit.
    Kaspersky was very careful in its language today to point out that it found only “code overlaps” but not necessarily that it believes that the Turla group orchestrated the SolarWinds attack.
    The security firm claimed this code overlap could be the result of the SolarWinds hackers using the same coding ideas, buying malware from the same coder, coders moving across different threat actors, or could simply be a false flag operation meant to lead security firms on the wrong path.

    Through further analysis, it is possible that evidence enforcing one or several of these points might arise. To clarify – we are NOT saying that DarkHalo / UNC2452, the group using Sunburst, and Kazuar or Turla are the same.
    — Costin Raiu (@craiu) January 11, 2021

But while security firms have stayed away from attribution, last week, US government officials formally blamed the SolarWinds hack on Russia, describing the hackers as "likely Russian in origin."
    The US government’s statement did not pin the hack on a specific group. Some news outlets pinned the attack on a group known as APT29 (or Cozy Bear), but all the security firms and security researchers involved in the hack have pleaded for caution and have been very timid about formally attributing the hack to a specific group so early in the investigation.
    Right now, the SolarWinds hackers are tracked under different names, such as UNC2452 (FireEye, Microsoft), DarkHalo (Volexity), and StellarParticle (CrowdStrike), but this designation is expected to change once companies learn more.
One last mystery remains: how did the SolarWinds hackers manage to breach the company's network in the first place and install the Sunspot malware? Was it an unpatched VPN, an email spear-phishing attack, or a server left exposed online with a guessable password?



    Reserve Bank of New Zealand investigates illegal access of third-party system

    The Reserve Bank of New Zealand — Te Pūtea Matua — on Monday said it was still responding “with urgency” to an illegal breach of one of its systems.
    The breach was of a third-party file sharing service provided by California-based Accellion. The bank uses its FTA file transfer product to share information with external stakeholders.
    While the system has been secured and taken offline, and the breach described as contained, the Reserve Bank said it would take some time to determine the impact, with an analysis of the potentially affected information underway.
    The bank is still looking to confirm the nature and extent of information that has been potentially accessed. It said compromised data may include some commercially and personally sensitive information.
    The bank said it is communicating with system users about alternative ways to securely share data.
    “We are actively working with domestic and international cybersecurity experts and other relevant authorities as part of our investigation. This includes the GCSB’s National Cyber Security Centre which has been notified and is providing guidance and advice,” Governor Adrian Orr said.
    “We have been advised by the third party provider that this wasn’t a specific attack on the Reserve Bank, and other users of the file sharing application were also compromised.”

    Orr said providing further details could adversely affect the investigation and the steps being taken to mitigate the breach.
    “We recognise the public interest in this incident however we are not in a position to provide further details at this time,” he said.
    The Reserve Bank disclosed the breach on Sunday.
Across the ditch in Australia, it was reported last week that private details of every Tasmanian who has called an ambulance since November last year were published online by a third party. The ABC said the list, which appeared to be a feed from Ambulance Tasmania's paging system and has since been taken offline, was still updating each time paramedics were dispatched.
    The data included the addresses of patients, their condition, HIV status, age, and gender. 
    Reports indicate a police investigation and an internal review by the Tasmanian Department of Health are underway.


    Ubiquiti tells customers to change passwords after security breach

Networking equipment and IoT device vendor Ubiquiti Networks today sent notification emails to its customers informing them of a recent security breach.

    “We recently became aware of unauthorized access to certain of our information technology systems hosted by a third party cloud provider,” Ubiquiti said in emails today.
    The servers stored information pertaining to user profiles for account.ui.com, a web portal that Ubiquiti makes available to customers who bought one of its products.
    The site is used to manage devices from a remote location and as a help and support portal.
    According to Ubiquiti, the intruder accessed servers that stored data on UI.com users, such as names, email addresses, and salted and hashed passwords.
    Home addresses and phone numbers may have also been exposed, but only if users decided to configure this information into the portal.
    How many Ubiquiti users are impacted and how the data breach occurred remains a mystery.

    It is currently unclear if the “unauthorized access” took place when a security researcher found the exposed data or was due to a malicious threat actor.
A Ubiquiti spokesperson did not immediately return a request for comment sent before this article's publication.
    Despite the bad news to its customers, Ubiquiti said that it had not seen any unauthorized access to customer accounts as a result of this incident.
    The company is now asking all users who receive the email to change their account passwords and turn on two-factor authentication.
    While initially, some users looked at the emails as a phishing attempt, a Ubiquiti tech support staffer confirmed that they were authentic on the company’s forums.
    A full copy of the email is available below, as shared today on social media.

Image: Dangal Son


    CES 2021: Intel adds ransomware detection capabilities at the silicon level

    At the 2021 Consumer Electronics Show today, Intel announced it is adding ransomware detection capabilities to its new 11th Gen Core vPro processors through improvements to its Hardware Shield and Threat Detection Technology (TDT).

    A partnership with Boston-based Cybereason was also announced, with the security firm expected to add support for these new features to its security software in the first half of 2021.
    Both companies said that this would mark the first-ever case where “PC hardware plays a direct role” in detecting ransomware attacks.
    How it will all work
Under the hood, all of this is possible via two Intel features, namely Hardware Shield and Intel Threat Detection Technology (TDT). Both are part of Intel vPro, a collection of enterprise-centered technologies that Intel ships with some of its processors.
Hardware Shield is a technology that locks down the UEFI/BIOS, and TDT is a technology that uses CPU telemetry to detect possibly malicious code.
Both of these technologies work on the CPU directly, many layers beneath software-based threats such as malware, and beneath antivirus solutions too. The idea behind Intel's new features is to share some of this CPU-level data with security software and allow it to spot malware that may be hiding in places where antivirus apps can't reach.
    “Intel TDT uses a combination of CPU telemetry and ML heuristics to detect attack-behavior,” Intel said in a press release today. “It detects ransomware and other threats that leave a footprint on Intel CPU performance monitoring unit (PMU).”

    “The Intel PMU sits beneath applications, the OS, and virtualization layers on the system and delivers a more accurate representation of active threats, system-wide,” it added. “As threats are detected in real-time, Intel TDT sends a high-fidelity signal that can trigger remediation workflows in the security vendor’s code.”
    According to Intel and Cybereason, this new technology should allow companies to detect ransomware attacks when ransomware strains try to avoid detection by hiding inside virtual machines, since Hardware Shield and TDT run many layers below it.

    Available with 11th Gen Core vPro processors
    “Ransomware was a top security threat in 2020, software alone is not enough to protect against ongoing threats,” said Stephanie Hallford, Client Computing Group Vice President and General Manager of Business Client Platforms at Intel.
    “Our new 11th Gen Core vPro mobile platform provides the industry’s first silicon enabled threat detection capability, delivering the much needed hardware based protection against these types of attacks,” the Intel exec added.
"Together with Cybereason's multi-layered protection, businesses will have full-stack visibility from CPU telemetry to help prevent ransomware from evading traditional signature-based defenses."
    To use the new feature, systems administrators only have to use security software that supports it. No changes are required to CPUs because while most vPro features are optional, Intel has recently made Hardware Shield mandatory for all new CPUs starting with its 10th Gen release.
While Cybereason will be the first to support detecting ransomware using hardware indicators, other security vendors will most likely tap into it in the future.
Today's news comes as Intel has been investing heavily in security in recent years. In June 2020, Intel also announced it was adding its new Control-flow Enforcement Technology (CET) to CPUs, a feature it said could help protect systems against malware that uses Return Oriented Programming (ROP), Jump Oriented Programming (JOP), and Call Oriented Programming (COP) techniques to infect devices and hijack apps.