More stories

Australian telcos have blocked over 55 million scam calls since December

Communications Minister Paul Fletcher said on Tuesday that Australian telcos have blocked over 55 million scam calls since the industry adopted a new scam call code in December. Under the code, telcos must block not only calls originating in their networks, but also those transiting them. Carriers are required to look for the characteristics of scam calls, share information with other telcos and regulators, block numbers used for scams, including those from overseas, and take measures to combat number spoofing.

“In 2020, Australians lost AU$48 million to scam calls,” Fletcher said. “The Morrison government is serious about tackling scams and it is pleasing to see that more than 55 million scam calls have been blocked as a result of the Reducing Scam Calls Code.”

When the code was introduced, ACMA said telcos had blocked over 30 million scam calls in the year prior. Last month, Telstra said it was blocking approximately 6.5 million suspected scam calls a month, at times up to 500,000 a day, after automating what had been a manual process that caught around 1 million scam calls a month.

The system Telstra built in-house forms the third leg of its Cleaner Pipes program. The program began in May with DNS filtering against botnets, trojans, and other types of malware, and was extended to blocking phishing text messages purporting to be from myGov or Centrelink before they reach customers’ phones.

“If you think you are receiving a scam call, our simple advice is: Hang up,” Telstra CEO Andy Penn advised customers.

Elsewhere in the scam space, the ACCC said Australian businesses had reported losing more than AU$14 million to payment redirection or business email compromise scams to Scamwatch, with losses in 2021 set to be five times higher. In a business email compromise scam, the attacker tricks the victim into transferring funds into the attacker’s account, sometimes by impersonating a legitimate customer or supplier, pretending to be the boss demanding an urgent transfer of funds, or simply sending fake invoices.

“Scammers tend to target new or junior employees, or even volunteers, as they are less likely to be familiar with their employer’s finance processes or the types of requests to expect from their supervisors,” ACCC deputy chair Delia Rickard said. “We recommend organisations ensure their staff are well trained in the company’s payment processes and remain aware of payment redirection scams.”

Rickard added that people should not rush and should double-check that an email is legitimate. “Whenever there is a request to change payment details, always check with the organisation using stored contact details, rather than those in the requesting communication,” the deputy chair said.

Billions of records have been hacked already. Make cybersecurity a priority or risk disaster, warns analyst

More data records were compromised in 2020 alone than in the past 15 years combined, in what the latest study from analyst firm Canalys describes as a mounting “data breach crisis”. Over the past 12 months, 31 billion data records were compromised, Canalys found. This is up 171% from the previous year, and constitutes well over half of the 55 billion data records compromised in total since 2005. Cases of ransomware – a type of attack that encrypts servers and data to block access to a computer system until a sum of money is paid – have also been on the rise, with the number of reported incidents up 60% compared to 2019.

“Prioritize cybersecurity and invest in broadening protection, detection and response measures or face disaster,” said Canalys chief analyst Matthew Ball.

According to Canalys, this unprecedented boom in attacks can be attributed in part to the COVID-19 pandemic, which forced organizations across the world to digitize at pace without putting enough thought into the new security requirements that come with doing business online. Retailers had to switch to online selling, the hospitality sector turned to new platforms for home delivery, and manufacturers digitized supply chains to improve the accuracy of production lines. Meanwhile, organizations across the globe switched entire workforces to working from home almost overnight: the number of employees working remotely jumped from 31 million before the pandemic to just under 500 million.

To keep businesses afloat, money was invested in digital technologies and the cloud to move processes online and adapt to new ways of working. Cybersecurity concerns, however, were all too often put on hold, Canalys noted.

“Organizations had to implement business continuity measures quickly in response to the COVID-19 pandemic or risk going out of business,” reads the report. “These measures were often at the expense of cybersecurity and bypassed longstanding corporate policies, leaving many exposed to exploitation by highly organized and sophisticated threat actors, as well as other more opportunistic hackers. For many, cybersecurity was an afterthought, as they had to focus primarily on staying in business.”

Image (Canalys): More data records have been compromised in 2020 alone than in the past 15 years combined.

The fast-paced digitization of business has, in effect, opened up many new attack vectors for threat actors to exploit. With employees now accessing company information from many different locations, and more data being stored and processed outside traditional, office-based IT environments, new security measures are needed. Yet businesses do not seem to have taken this seriously enough. While investment in cybersecurity grew by up to 10% compared to the previous year, other priorities took precedence: cloud services grew 33%, for example, and cloud software services grew 20% over the same period. Investment in cybersecurity also compares poorly to the growth of collaboration tools, remote desktops, notebook PCs and even home printing. In other words, the pace of digital transformation was not matched by sufficient safeguarding of networks against cyber threats.

A similar observation was recently made by Lindy Cameron, head of the UK’s National Cyber Security Centre (NCSC), who reiterated that CEOs should treat cybersecurity with the same importance as finance, legal, or any other important department of the company.

Image (Canalys): The fragile digital infrastructure that often underpins healthcare networks is a prime target for attackers.
But although the global health crisis largely contributed to the rise in such attacks, Canalys notes that the trend is not limited to the pandemic. COVID-19 only accelerated a worrying pattern that was already emerging in previous years: in 2019, for instance, the number of compromised data records had already increased by 200% compared to the previous year. Datasets are getting larger, and organizations are collecting increasingly sensitive information about their customers, either as part of their digital transformation or to personalize products and services. At the same time, threat actors are becoming ever more successful, for example by using automated bots to drive sophisticated attacks.

Canalys, as a result, called for business executives to change their mindset from “if” a breach will affect their company to “when”. “Prioritize cybersecurity and invest in broadening protection, detection and response measures or face disaster,” concludes the report. “This is the stark reality for organizations in 2021. For many, it is too late.”

Official PHP Git server targeted in attempt to bury malware in code base

The official PHP Git server has been compromised in a potential attempt to plant malware in the code base of the PHP project.

On Sunday, PHP developer and maintainer Nikita Popov said that two malicious commits had been added to the php-src repository in his name and in that of PHP creator Rasmus Lerdorf. The malicious commits, which appeared to be signed off under the names of Popov and Lerdorf, were disguised as fixes for simple typographical errors. Rather than escaping notice by looking benign, however, the “Fix typo” commits drew the attention of contributors who took a closer look and found malicious code that would execute arbitrary code supplied in the User-Agent HTTP header if the string began with content related to Zerodium. As Bleeping Computer noted, the code appears designed to implant a backdoor that would make remote code execution (RCE) possible.

Popov said the development team is not sure exactly how the attack took place, but the clues indicate that the official git.php.net server was compromised, rather than individual Git accounts.

A comment, “REMOVETHIS: sold to zerodium, mid 2017,” was included in the script. There is no indication, however, that the exploit seller had any involvement in the cyberattack.

Zerodium’s chief executive Chaouki Bekrar labeled the culprit a “troll,” commenting that “likely, the researcher(s) who found this bug/exploit tried to sell it to many entities but none wanted to buy this crap, so they burned it for fun.”

The commits were detected and reverted before they made it downstream or affected users. An investigation into the incident is underway and the team is scouring the repository for any other signs of malicious activity. In the meantime, the development team has decided that now is the right time to move permanently to GitHub.

“We have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server,” Popov said. “Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net.” Developers who previously had write access to the project’s repositories will now need to join the PHP group on GitHub.

The incident can be described as a supply-chain attack, in which threat actors target an open source project, library, or other component relied upon by a large user base. By compromising one core target, malicious code may then trickle down to a wide range of systems. A recent example is the SolarWinds fiasco, in which the vendor was breached and a malicious update for its Orion software was planted. Once this malware was deployed, tens of thousands of organizations were compromised, including Microsoft, FireEye, and Mimecast.

US charges close to 500 individuals for COVID-19 fraud, criminal activity

The US Department of Justice (DoJ) has charged 474 individuals for participating in COVID-19 scams and fraudulent activity.

To some cybercriminals, the coronavirus pandemic is nothing more than an opportunity for profit. We’ve seen everything from fake COVID ‘treatments’ and protective equipment suppliers touting their goods online to phishing email and text campaigns about vaccine appointments, and now dubious vendors are going so far as to sell counterfeit vaccines and proof documents in the underground. Law enforcement worldwide has tried to clamp down on such activities, and organizations including the World Health Organization (WHO) are constantly releasing advice on the latest scams.

In an update published last week, the DoJ said that 474 defendants to date have been publicly charged “with criminal offenses based on fraud schemes connected to the COVID-19 pandemic.” The agency says these alleged criminals tried to fraudulently obtain at least $569 million from consumers and the US government itself across 56 federal districts.

Investigations by law enforcement have revealed a variety of scams, including operations targeting the US Paycheck Protection Program (PPP), the Economic Injury Disaster Loan (EIDL) program, and the Unemployment Insurance (UI) scheme, all designed to assist businesses and citizens during the pandemic. In total, 120 individuals have been charged with PPP fraud, including:

• Business owners inflating payroll expenses to secure large loans
• Shell company creators with no actual payroll applying for financial help
• Organized criminal gangs submitting carbon-copy applications for loans under the names of different companies

One of the department’s latest COVID-19-related convictions centered on Dinesh Sah, a resident of Coppell, Texas. The 55-year-old pleaded guilty last week to fraudulently obtaining $24.8 million in PPP loans and laundering the payments.

When it comes to EIDL, designed to provide loans to small and medium-sized businesses, criminals have also applied for assistance on behalf of non-existent, new, and shell companies. UI fraud is rife too, with at least 140 individuals suspected of committing these offences. The DoJ says suspects range from “identity thieves to prison inmates” who used stolen identities to apply for unemployment benefits. In one case, a defendant from Virginia pleaded guilty to obtaining close to half a million dollars on behalf of individuals ineligible for UI, including some currently incarcerated.

“We will not allow American citizens or the critical benefits programs that have been created to assist them to be preyed upon by those seeking to take advantage of this national emergency,” said Acting Assistant Attorney General Brian Boynton of the DoJ’s Civil Division. “We are proud to work with our law enforcement partners to hold wrongdoers accountable and to safeguard taxpayer funds.”

In other coronavirus news, Facebook has frozen a page belonging to Venezuelan President Nicolás Maduro for repeatedly breaking the social media giant’s rules on COVID-19 misinformation, including the promotion of fake herbal cures for the disease. As a result, the Venezuelan official will be unable to post for 30 days. False coronavirus claims published by former US President Donald Trump were previously deleted and hidden by Facebook and Twitter.

This Android malware hides as a System Update app to spy on you

A new, “sophisticated” Android spyware app disguising itself as a software update has been discovered by researchers.
According to Zimperium zLabs, the malware masquerades as a System Update application while quietly exfiltrating user and handset data. It should be noted that the sample detected by the team was found in a third-party repository and not the official Google Play Store. Once installed, the victim’s device is registered with a Firebase command-and-control (C2) server used to issue commands, while a separate, dedicated C2 is used to manage data theft. The team says data exfiltration is triggered once a condition has been met, such as a new contact being added, a new app being installed, or an SMS message being received.

The malware is a Remote Access Trojan (RAT) able to steal GPS data and SMS messages, contact lists, and call logs; harvest images and video files; covertly record audio from the microphone; hijack the device’s camera to take photos; review browser bookmarks and history; eavesdrop on phone calls; and steal operational information about the handset, including storage statistics and lists of installed applications. Instant messenger content is also at risk, as the RAT abuses Accessibility Services to access these apps, including WhatsApp.

If the victim device has been rooted, database records can also be taken. The app can also search specifically for file types such as .pdf, .doc, .docx, .xls, and .xlsx.

The RAT will also attempt to steal files from external storage. However, since some content — such as videos — can be too large to steal without affecting connectivity, only thumbnails are exfiltrated. “When the victim is using Wi-Fi, all the stolen data from all the folders are sent to the C2, whereas when the victim is using a mobile data connection, only a specific set of data is sent to C2,” the researchers note. Limiting the use of mobile data is a way to prevent users from suspecting their device has been compromised. In addition, as soon as information has been packaged up and sent to the C2, the archive files are deleted in an effort to stay undetected.

To make sure only relevant and recent data is taken, the RAT’s operators have imposed time limits on content: GPS records, for example, are re-collected whenever the stored values are more than five minutes old, and photos are on a 40-minute timer. Zimperium describes the malware as part of a “sophisticated spyware campaign with complex capabilities.”

Earlier this month, Google pulled a number of Android apps from the Play Store that contained a dropper for banking Trojans. The utility applications, including a virtual private network (VPN) service, recorder, and barcode scanner, were used to install mRAT and AlienBot.

Brian Krebs: No, I didn’t hack your Microsoft Exchange server

The KrebsOnSecurity name has been invoked in a string of cyberattacks linked to critical Microsoft Exchange Server vulnerabilities.

Security expert Brian Krebs of KrebsOnSecurity is no stranger to figures in the criminal space who appear to delight in everything from turning him into a meme to launching denial-of-service (DoS) attacks against his website and SWATing — hoax calls made to law enforcement that not only waste police time but can also be dangerous. Now, a domain resembling the legitimate KrebsOnSecurity resource has been connected to threat actors exploiting a set of critical bugs in Microsoft Exchange Server.

According to a new report released by the Shadowserver Foundation, 21,248 recently compromised Microsoft Exchange servers are communicating with brian[.]krebsonsecurity[.]top. Krebs says the compromised systems appear to have been hijacked, with Babydraco backdoors facilitating communication to the malicious domain. Web shells, used for remote access and control, are deployed in each case to a previously undetected path, /owa/auth/babydraco.aspx. In addition, a malicious file named “krebsonsecurity.exe” is fetched via PowerShell to facilitate data transfers between the victim server and the domain.

“The motivations of the cybercriminals behind the Krebonsecurity dot top domain are unclear, but the domain itself has a recent association with other cybercrime activity — and with harassing this author,” Krebs commented.

Microsoft released emergency patches on March 2 for four zero-day vulnerabilities in Exchange Server 2013, 2016, and 2019. The flaws can be exploited for remote code execution and server hijacking. A selection of mitigation tools has also been released for IT administrators who cannot immediately patch their deployments, and at last count the Redmond giant says roughly 92% of internet-facing Exchange servers have been either patched or mitigated.

However, just because a fix has been applied does not mean a server was not already targeted by threat actors, so security checks and audits also have to be conducted. Last week, Microsoft warned of follow-on attacks after widespread Exchange server hijacking, including reconnaissance, cryptocurrency mining, and ransomware deployment. “Many of the compromised systems have not yet received a secondary action, such as human-operated ransomware attacks or data exfiltration, indicating attackers could be establishing and keeping their access for potential later actions,” the company said.

The US Cybersecurity and Infrastructure Security Agency (CISA) has also issued an alert warning organizations about post-exploitation web shell deployment on Exchange servers. Microsoft has published Indicators of Compromise (IoCs) for the attacks.
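The audit the story calls for can start with the two indicators it names. The following is an added example, not code from the story, Krebs, Shadowserver or Microsoft: it hunts constructed IIS W3C log lines for requests to the /owa/auth/babydraco.aspx web shell path and constructed resolver log lines for the brian.krebsonsecurity.top domain; the 'timestamp client qname' DNS log layout is an assumption.

```python
"""Added example, not code from the story, Krebs, Shadowserver or Microsoft:
hunt constructed IIS W3C and DNS log lines for the indicators the story names
(the /owa/auth/babydraco.aspx web shell path and brian.krebsonsecurity.top)."""
from __future__ import annotations

from typing import Iterable, Iterator

# Indicators quoted in the story (the domain is de-fanged there with [.]).
WEBSHELL_PATH = "/owa/auth/babydraco.aspx"
C2_DOMAIN = "brian.krebsonsecurity.top"

# Constructed IIS W3C log excerpt: one normal OWA logon, then two requests
# to the web shell from the same external address. IIS writes spaces inside
# a field as '+', so each row splits cleanly on single spaces.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2021-03-29 08:01:11 10.0.0.5 POST /owa/auth/logon.aspx - 302 Mozilla/5.0+(Windows+NT+10.0)
2021-03-29 08:02:47 203.0.113.9 POST /owa/auth/babydraco.aspx - 200 python-requests/2.25.1
2021-03-29 08:03:02 203.0.113.9 GET /OWA/Auth/BabyDraco.aspx - 200 python-requests/2.25.1
""".splitlines()

# Constructed resolver log in an assumed 'timestamp client qname' layout.
# krebsonsecurity.com is the legitimate site and must not be flagged.
SAMPLE_DNS_LOG = """\
2021-03-29T08:02:40Z 10.0.0.20 outlook.office365.com.
2021-03-29T08:02:50Z 10.0.0.20 brian.krebsonsecurity.top.
2021-03-29T08:02:51Z 10.0.0.20 krebsonsecurity.com.
""".splitlines()


def iis_records(lines: Iterable[str]) -> Iterator[tuple[int, dict[str, str]]]:
    """Yield (line number, record) pairs, naming columns from the #Fields directive."""
    fields: list[str] | None = None
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # a log may redeclare its columns mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip malformed rows rather than guess
                yield lineno, dict(zip(fields, values))


def find_webshell_requests(lines: Iterable[str]) -> list[dict[str, str | int]]:
    """Return every request whose URI stem is the known web shell path.

    The comparison is case-insensitive: IIS paths are not case-sensitive, so
    /OWA/Auth/BabyDraco.aspx reaches the same file as the lower-case form.
    """
    hits = []
    for lineno, rec in iis_records(lines):
        if rec.get("cs-uri-stem", "").lower() == WEBSHELL_PATH:
            hits.append({"line": lineno, "client": rec["c-ip"],
                         "method": rec["cs-method"], "status": rec["sc-status"]})
    return hits


def find_c2_lookups(lines: Iterable[str]) -> list[dict[str, str | int]]:
    """Return resolver queries for the C2 domain or any subdomain of it."""
    hits = []
    for lineno, raw in enumerate(lines, start=1):
        parts = raw.split()
        if len(parts) < 3:
            continue  # blank or malformed line
        qname = parts[2].rstrip(".").lower()  # drop the trailing root dot
        if qname == C2_DOMAIN or qname.endswith("." + C2_DOMAIN):
            hits.append({"line": lineno, "client": parts[1], "qname": qname})
    return hits


if __name__ == "__main__":
    for hit in find_webshell_requests(SAMPLE_IIS_LOG):
        print("web shell request:", hit)
    for hit in find_c2_lookups(SAMPLE_DNS_LOG):
        print("C2 lookup:", hit)
```

A clean log scan is not proof of a clean server: the web shell file itself, other paths and the krebsonsecurity.exe download should be checked against the full IoC list Microsoft and CISA published.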

Optus puts McAfee monitoring on its home router for WiFi Secure

Optus has announced its WiFi Secure product, which uses active monitoring by McAfee software on home routers in an attempt to block the spread of malware and other malicious threats. The telco said that as the number of internet-connected devices in the home continues to rise, there is a growing need to “automatically protect” those potential threat vectors.

“It’s built into the Optus compatible modems and helps to make sure all internet traffic passing through the modem, to any device on that network, is safe — even those without a display screen,” Optus said.

Optus customers on a family plan will get the blocking at no additional cost; otherwise WiFi Secure will cost AU$5 a month. The software on the router connects to the McAfee Global Threat Intelligence Cloud Network and is claimed not to receive any personally identifiable information. ZDNet has asked whether the router fails gracefully if the McAfee cloud is not reachable.

“Based on activity from millions of sensors worldwide and a dedicated research team, this always-on, cloud-based threat intelligence service collects and publishes online threats that are uploaded to your network every minute to provide you and your family the latest protection,” the telco said.

Taking another route, Australian incumbent telco Telstra has been using upstream DNS filtering, along with phishing text and scam call blocks, to fight malicious threats.

Dubbed Cleaner Pipes, the DNS side of the initiative focuses on blocking command-and-control communications of botnets, the downloading of remote access trojans, and other forms of malware.

Andrews takes over at Home Affairs as Dutton moves into Defence

Australian Prime Minister Scott Morrison reshuffled his ministry on Monday, with ministers Christian Porter and Linda Reynolds, who are currently away on leave, remaining in the ministry. After being the first Minister for Home Affairs, Peter Dutton has been shifted to Defence and becomes the government’s leader in the House of Representatives. Taking Dutton’s place is Karen Andrews, who leaves the role of Minister for Industry, Science and Technology.

With Porter currently on leave and undertaking a defamation action against the ABC over historical rape allegations, the Western Australian MP has handed many of his duties over to Senator Michaelia Cash. That arrangement was formalised on Monday, as Cash becomes Attorney-General, with Porter filling the role vacated by Andrews. Also on leave is Senator Reynolds; however, Morrison has seen fit to shift her from Defence to Minister for Government Services and NDIS. Former Minister for Government Services Stuart Robert will now be Minister for Employment, Workforce, Skills, Small and Family Business.

Asked why Stuart Robert should be promoted after overseeing robodebt, getting taxpayers to pay over AU$2,000 a month for his home internet, and falsely blaming a DDoS attack for government IT issues, Morrison pointed to the government’s ability to get money into the hands of citizens. “The reason that millions were able to get access and support through both particularly for the JobSeeker payment over the course of the pandemic was a direct result of that minister’s ability to scale up and put in place one of the most significant responses we’ve ever seen from a social security agency in this country in our history,” Morrison said.

“He’s been appointed to this job because he’s done an outstanding job in the one that he’s been doing.”

The prime minister also lashed out at social media as a “key degrader” of respect in Australia. “It can be a very dangerous tool in disrespectful hands, and we’ve seen that with the trolling and abuse and harassment particularly of women,” he said. “Our government has stood up to the big tech companies on this like no other government in the world, and we have taken on the fights with them that no others would.”

The government is trying to protect its razor-thin majority after a Queensland MP said he would stand down at the next election following allegations that he had been trolling women online and taking upskirt photos. “He is committed to undertake the behavioural change he needs to undertake, and that’s what he needs to do, and he needs to come back with a completely different attitude and a completely different behaviour,” the prime minister said. “He was elected to this place by the people in his electorate.”

Over the weekend, TV network Channel Nine was hit by a cyber attack, reportedly involving ransomware, which prevented it from broadcasting some live shows. The network said the attack had hit its email and editing systems. Back in Canberra, the email systems of Parliament, provided by the Department of Parliamentary Services, were reportedly down. The attack was said to be “unsophisticated” and “clumsy”. Foreign Minister and acting Defence Minister Marise Payne said the events were a “salutary reminder” for businesses to implement the Essential Eight cyber controls.