More stories

    Service NSW not effectively handling private information: NSW Auditor-General

    The NSW Auditor-General Margaret Crawford has released her office’s report into how Service NSW handles personal and business information, following the agency being breached earlier this year.
    In May, the agency fessed up to the phishing attack, which led to 47 staff email accounts being compromised. The breach was said to have impacted 186,000 customers and exposed up to 738GB of customer information contained within 3.8 million documents.
    The Audit Office said in its report that the breach was actually a pair of phishing attacks across late March and early April — the spoof email mimicked an Office 365 warning — that led to a fake Office 365 log-in page from where credentials were harvested. Even though Service NSW had previously highlighted it did not have multi-factor authentication on its systems in 2018 and said it would be done by June 2019, it was not implemented until the breach occurred.
    Even though Service NSW this week played down the impact of the breach in terms of the number of customers affected, the Audit Office said it had not seen the data behind that statement and that, in any case, it was a serious breach that showed Service NSW needed to improve.
    The agency has previously said the breach would cost around AU$30 million, but that is before remediation or compensation is taken into account, the Audit Office said.
    The report presented a damning view of an agency that had grown fast, was not enforcing its own policies, lacked proper digitised and secure communication with other agencies and departments, and was using its Salesforce CRM for tasks it was not designed for.
    “Service NSW is not effectively handling personal customer and business information to ensure its privacy,” the report opened.

    “It continues to use business processes that pose a risk to the privacy of personal information.”
    One of the least compliant methods used by Service NSW was scanning and emailing personal information to some of the agencies it had client arrangements with, one of which is Births, Deaths, and Marriages, with no automated controls in place.
    Instead, the agency relied on manual policies that required its workers to “double delete” emails with scanned attachments from sent and deleted folders and delete scanned copies from shared drives.
    “Operational risks to customer’s personal information are not effectively mitigated and business processes that contributed to the recent data breach are continuing,” the report said.
    “While processes are in place to identify and record risks, the controls in place to mitigate risk need improvement.”
    The report added that Service NSW is far too reliant on employee training and has no technical barrier of any kind on what workers can do, not even proper access logs.
    “Once trained in how to conduct transactions on client agency systems, staff are provided with access logins. There are no further technical restrictions on a staff member accessing customer information without authority.”
    “There is also no way for Service NSW to routinely monitor access. We were told of examples of unauthorised access to customer information, though these were only detected by methods such as another team member reporting suspicious behaviour or following a complaint from a customer who suspected that their privacy had been breached.”
    Due to how Service NSW was created, and that it works with data from 36 other state agencies, the agency has arrangements with its brethren, which are not watertight.
    “The lack of clarity in privacy responsibilities in agreements between Service NSW and its client agencies poses two risks,” the report said.
    “First, that necessary obligations will fall ‘between the cracks’ of the two agencies, with each assuming the other responsible for meeting an obligation.
    “Second, that it creates uncertainty for individuals about which agency is responsible for their personal information and which agency is accountable should a breach occur — even knowing to which agency the individual should complain.”
    Since it was created in 2013, Service NSW has grown from three client agencies to 36, increased staff numbers from 24 to just shy of 3,900, opened 109 service centres as well as four mobile centres, and increased the number of transactions it handles by 150%.
    This growth was reflected in its use of its Salesforce-managed CRM for information the system was never intended to store.
    “The CRM was primarily intended to be used for recording customer service interactions in relation to transactions that Service NSW performs on behalf of other agencies, without storing the personal information collected through those transactions. Transaction information is generally stored on client agency systems,” it said.
    “Since its inception, Service NSW’s use of its CRM system has extended to storing transaction data, particularly for services for which it has responsibility, such as the Seniors Card. It also holds basic account details for over four million MyServiceNSW account holders, including at a minimum, name, email address, and phone number, and optional address details.”
    The Audit Office found the Salesforce instance held de-identified data such as health, disability, and Indigenous status on children who received Active Kids vouchers, and “program information for the Affordable IVF program”.
    “It also retains transaction information about firearms licence applications for a short period of around two or three days,” the Audit Office said.
    “Some staff interviewed for this audit were concerned that this evolution in the way the CRM system is used to store transaction information, along with the greater volume of data that is stored, has changed the risk profile from that which applied when the system was designed.”
    Ostensibly, the agency has said it has a zero-risk appetite, but the Audit Office found holes in its attempt to reach that goal.
    For instance, executives are not completing the yearly privacy management assessments, awareness of its privacy management plan is low among staff and it has not been submitted to the Privacy Commissioner as required, and even though it was informed that agency executives discuss enterprise risk, the Audit Office could find no mention of it in the minutes provided.
    “This creates uncertainty regarding what is discussed at these meetings, whether any formal decisions are made, or actions agreed, at these meetings,” it said.
    Even though the Audit Office said Service NSW is capable of producing “good practice” privacy impact assessments, it only does so for major new projects and has not completed them on existing systems. Service NSW also does not publish the assessments, even when the assessment itself recommended doing so.
    In its set of recommendations, the Audit Office said Service NSW needed to urgently implement a way to securely pass personal information between itself and client agencies, as well as review the need to store that information at all, and, if needed, create a more secure way to store and regularly delete it.
    The report also recommended that, by March 2021, Service NSW make sure new agreements it enters into with client agencies cover how private information is stored and secured, review its privacy management plan with its overseeing Department of Customer Service, and work with the department on how it manages privacy risks.
    By June, the report said, Service NSW should have addressed the deficiencies found in its Salesforce instance and in the policies and processes covering user activity on the system, partitioning, and role-based access restrictions to personal information. The agency should also have enabled customers to use multi-factor authentication on their MyServiceNSW accounts and to view a transaction history relating to their personal information so they can identify mishandling.
    The report recommended by December next year that Service NSW modify existing agreements with client agencies to cover how private information is stored and secured, carry out a “risk assessment of all processes, systems and transactions that involve the handling of personal information”, and complete a privacy impact assessment on unassessed high-risk systems, or systems with major changes since a prior assessment was made.
    Minister for Customer Service Victor Dominello welcomed the “robust” findings of the report.
    “My agency has committed to implementing all of the Auditor General’s recommendations and has already implemented a number of critical security measures such as multi-factor authentication on staff email accounts,” he said.
    “Legacy systems — like those targeted in this attack which contained photocopied paper attachments — must be systematically removed and replaced with secure end-to-end digital systems.
    “I sincerely apologise to those affected.”
    Microsoft says it identified 40+ victims of the SolarWinds hack

    Microsoft said it identified more than 40 of its customers that installed trojanized versions of the SolarWinds Orion platform and where hackers escalated intrusions with additional, second-stage payloads.
    The OS maker said it was able to discover these intrusions using data collected by its Microsoft Defender antivirus, a free product built into all Windows installations.
    Microsoft President Brad Smith said his company is now in the process of notifying all the impacted organizations, 80% of which are located in the United States, with the rest spread across seven other countries, namely Canada, Mexico, Belgium, Spain, the UK, Israel, and the UAE.
    While the current list of known victims of the SolarWinds hack mostly includes US government agencies, Smith said the government sector is only a small portion of the victim list, with 44% being IT companies, such as software firms and equipment providers.
    The Microsoft President also said the attack is ongoing, with the hackers still trying to compromise new companies despite the incident being public and actively investigated.
    “It’s certain that the number and location of victims will keep growing,” Smith said.
    The latest victim on this list is Microsoft itself, which, hours before Smith’s analysis, admitted to having installed a trojanized version of the SolarWinds app inside its own infrastructure.

    Reuters reported that hackers accessed Microsoft’s internal network, but Microsoft denied that they were able to reach production systems and impact its business customers and end-users.
    SolarWinds hack summary and fallout
    Five days later, the breadth of the SolarWinds hack continues to grow.
    This entire incident began last week when security firm FireEye said that a state-sponsored hacking group accessed its internal network, stole pen-testing tools and tried to access documents on its government contracts.
    While investigating the breach, FireEye tracked down the intrusion to a malware-laced version of SolarWinds Orion, a network monitoring tool used inside large enterprise networks.
    Notified by FireEye, SolarWinds admitted on Sunday to getting hacked, disclosing that several Orion app updates released between March and June contained a backdoor trojan.
    A day later, SolarWinds admitted in SEC documents that around 18,000 customers had installed the trojanized updates, triggering a massive search inside enterprise networks, with IT personnel looking to see if they had installed the malware-laced Orion app version and if second-stage malware payloads were used to escalate attacks.
    This proved a cumbersome and difficult task, as the malware, named SUNBURST, or Solorigate, contained a decoupled design between the first and second-stage payloads that made it tricky to determine on what and how many systems the hackers escalated their access.
    On Wednesday, Microsoft took steps to protect users and seized the web domain that the first-stage SUNBURST malware used to report back to the attackers. Together with GoDaddy and FireEye, Microsoft turned the domain into a kill switch in order to prevent the SUNBURST malware from pinging back to its creators and downloading second-stage payloads.
    However, companies that had already been infected before this kill switch was set up still need to be identified.
    According to Smith, this number is currently at around 40, but the number will most likely grow as investigators learn more about these second-stage payloads, some of which have been identified by Symantec under the name of Teardrop.
    Microsoft also published a map showing the current distribution of systems infected with the first-stage SUNBURST malware, per Microsoft Defender telemetry.
    Smith, who has often called for governments to stop attacking the private sector as part of their cyber-espionage operations, did not attribute the attack to any particular country, but he did criticize the attackers.
    “This is not ‘espionage as usual,’ even in the digital age,” Smith said. “Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world.”
    “In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency.”
    Smith called for stronger international rules for dealing with the countries that carry out such reckless attacks.
    Reporting from the Washington Post claimed that Russia’s APT29 hacking group is behind the SolarWinds hack, but no government or security firm has backed up the paper’s claim. APT29 has previously been linked by US and Estonian intelligence agencies to the Russian Foreign Intelligence Service (SVR).
    ASPI warns Canberra about security risk with current data centre procurement approach

    A report developed by the Australian Strategic Policy Institute (ASPI) has highlighted there are opportunities for reforming the Australian government’s data centre procurement arrangement, after uncovering that of the 87 current data centre facilities contracts with Australian Government agencies, 54% were with one data centre provider, equivalent to a combined total value of AU$779 million.
    In its Devolved data centre decisions report [PDF], the ASPI said relying on a high concentration of data centre providers could result in an increase in data risk, reduce market flexibility, limit barriers to exit, and reduce innovation.
    While the paper did not identify the dominant provider, the entity reports on procurement contracts for the 2019-20 financial year published on AusTender suggested the dominant provider was Canberra Data Centres.
    The paper also highlighted that individual agencies have been driving many procurement decisions because a whole-of-government approach to data security is lacking, thereby creating “unnecessary vulnerability for government data” and “fragmentation”.
    “Despite the intent of the Digital Transformation Agency (DTA) Data Centre Facilities Supplies Panel, current panel arrangements place a heavy onus on individual departments and agencies to identify and mitigate data centre risks in the absence of whole-of-government oversight,” it said.
    “This limits the opportunity to respond in a coordinated manner to wider interests of government, including concerns relating to supply-chain and concentrated data holdings.”
    The DTA panel was established as part of the Australian government’s Data Centre Strategy 2010-25, following the Gershon review into government IT, which recommended that the government “develop a whole-of-government approach for future data centre requirements over the next 10 to 15 years in order to avoid a series of ad hoc investments which will, in total, cost significantly more than a coordinated approach”.
    The ASPI added that the current panel arrangement of transferring whole-of-government risk to agencies could result in a “blind and dangerous outcome”.
    “The focus on individual agency risk means that agencies will choose convenient options regardless of any compound risk that may be occurring across government,” it said.
    Further, the ASPI pointed out that while DTA’s role is to provide policies, standards, and guidance, it “lacks resources and the authority to drive whole-of-government ICT outcomes”.
    The ASPI suggested the federal government needed to mitigate risks that are being caused by the aggregation of data centres and establish a strategy to manage government data that goes beyond the existing agency-by-agency approach.
    “An authority set up to manage this would have objectives relating to data security and management of overall data risks as well as promotion of market flexibility and efficiency,” the paper said.
    Last month, the federal government refreshed its digital transformation strategy, vowing that it would be “moving from siloed capabilities to a landscape of connected platforms and services”.
    “The vision is to enable better design and investment for connected government services and capabilities for Australia through initiatives such as sourcing reforms and a whole-of-government architecture,” the paper said.
    “This will support the identification of re-use opportunities and encourage the adoption of common platforms, implementation approaches, standards and integrated, cross-agency services providing a strong foundation for transformation.”
    Microsoft confirms it was also breached in recent SolarWinds supply chain hack

    The state-sponsored hackers who breached US software provider SolarWinds earlier this year pivoted to Microsoft’s internal network, and then used Microsoft’s own products to further the attacks against other companies, Reuters reported today citing sources familiar with the investigation.
    The news comes after the US Cybersecurity and Infrastructure Security Agency (CISA) published an alert earlier today about the SolarWinds supply chain attack and its impact on government agencies, critical infrastructure entities, and private sector organizations.
    CISA said they had “evidence of additional initial access vectors, other than the SolarWinds Orion platform.”
    Two Reuters reports on the alleged Microsoft hack did not say what Microsoft products the hackers abused after breaching Microsoft.
    In a statement, Microsoft admitted to finding trojanized SolarWinds Orion apps in its environment, but not to hackers pivoting to production systems and then using those systems against its customers. The full, unedited statement is available below:

    “Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious Solar Winds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”

    Five new SolarWinds hack victims came to light today
    Microsoft now joins a list of high-profile entities that have been hacked via a backdoored update for the SolarWinds Orion network monitoring application.
    The vast majority of these victims are US government agencies, such as:
      • The US Treasury Department
      • The US Department of Commerce’s National Telecommunications and Information Administration (NTIA)
      • The Department of Health’s National Institutes of Health (NIH)
      • The Cybersecurity and Infrastructure Security Agency (CISA)
      • The Department of Homeland Security (DHS)
      • The US Department of State
      • The National Nuclear Security Administration (NNSA) (also disclosed today)
      • The US Department of Energy (DOE) (also disclosed today)
      • Three US states (also disclosed today)
      • City of Austin (also disclosed today)

    The only private company which acknowledged getting hacked via the malware-laced SolarWinds platform is cybersecurity firm FireEye.
    FireEye and Microsoft were the first two security firms to confirm the SolarWinds hack on Sunday, and both provided extensive reports of how the breach happened.
    Both companies were also involved in an effort to sinkhole the domain used to command and control the malware used in the SolarWinds hack.
    Article updated one hour after publication with Microsoft’s statement.
    Ad-blocker AdGuard deploys world's first DNS-over-QUIC resolver

    Ad-blocker company AdGuard on Wednesday deployed the world’s first-ever DNS-over-QUIC (DoQ) resolver into a production environment as part of the company’s Android and iOS applications.
    AdGuard’s DoQ resolver works by resolving its users’ DNS queries (converting domain names into IP addresses) over the new QUIC transport protocol.
    DoQ replaces UDP with QUIC inside DNS’ underbelly
    Today, by default, DNS queries are resolved via the standard UDP protocol.
    The problem is that UDP DNS traffic is not encrypted and is visible in clear text to any network observer, making it easy for ISPs to track even encrypted HTTPS traffic by looking at the DNS queries preceding those connections.
    This weakness has been known for a long time and is what led to the creation and current proliferation of DNS alternative protocols like DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT).
    However, both DoH and DoT have their own drawbacks. DoH merely hides DNS inside HTTPS, while DoT adds TLS support to DNS, a cumbersome process for both DNS servers and app makers.
    DoQ is currently viewed as the future of DNS encryption because it doesn’t bother with playing tricks with adjacent technologies in the “application layer” of the internet protocol suite.

    Instead, it replaces the old UDP with the newer QUIC, a layer below DNS, as its underlying technology, effectively giving DNS an upgrade to modern technology.

    What is QUIC
    QUIC is a new “data transport” protocol that started as a project at Google to develop an alternative to the aging and slower TCP protocol, which currently underpins most internet traffic today, together with UDP.
    Google’s first attempt to develop a TCP alternative was the SPDY protocol. SPDY was considered a success at the time and was eventually broadly adopted as the “data transport” layer for the HTTP/2 web protocol.
    QUIC is an evolution of SPDY that comes with more speed and better packet transfer reliability, but also with built-in support for (TLS) encryption. Like SPDY, QUIC’s implementation inside HTTP and HTTPS, known as HTTP-over-QUIC, was formally adopted to become the upcoming HTTP/3 protocol.
    DoQ is a similar effort to replace UDP with QUIC inside DNS’s underbelly and make DNS faster and more secure than it is today.
    The protocol is currently only a working draft at the Internet Engineering Task Force (IETF), but AdGuard says there is no reason to wait to start experimenting and providing this better and more private version of the DNS protocol to its users.
    Because DoQ’s encryption support is implemented in QUIC rather than HTTP, DoQ is currently considered more private than DoH, as it doesn’t generate artifacts specific to HTTP/HTTPS connections that could be used for tracking, AdGuard argued.
    The only downside specific to DoQ is the same downside specific to classic DNS, DoH, and DoT resolvers — namely that the server owner knows who is performing the queries.
    Apple, Cloudflare, and Fastly are trying to fix this issue via the Oblivious DoH standard, by adding a proxy between the user and the DoH resolver.
    “Something like ‘Oblivious DoQ’ may be implemented in the future when DoQ is finally out of the draft stage,” Andrey Meshkov, AdGuard CEO, told ZDNet yesterday in an email.
    AdGuard Android and iOS users can test the new DoQ protocol in their apps starting this week. Instructions on how to enable DoQ inside the apps are available in AdGuard’s blog post.
    This ‘off the shelf’ Tor backdoor malware is now a firm favorite with ransomware operators

    A Remote Access Trojan (RAT) on sale in underground forums has evolved to abuse Tor when maintaining persistence on infected machines.

    On Thursday, Sophos Labs’ Sivagnanam Gn and Sean Gallagher revealed ongoing research into the malware, which has been in the wild since 2019. 
    Dubbed SystemBC, the RAT has evolved from acting as a virtual private network (VPN) through a SOCKS5 proxy into a backdoor that leverages the Tor network to establish persistence and make tracing connected command-and-control (C2) servers a more difficult task. 
    According to the researchers, the Windows-based SystemBC malware is capable of executing Windows commands, script deployment, implementing malicious DLLs, remote administration and monitoring, and establishing backdoors for operators to connect the malware to a C2 in order to receive commands. 
    Sophos Labs says that over the course of the year, SystemBC has evolved and features have been enhanced, leading to increased popularity with buyers including ransomware operators. 
    Once deployed, the RAT copies and schedules itself as a service, but skips this step if Emsisoft antivirus software is detected. A connection to a C2 is then established through a beacon to a remote server at one of two hard-coded domains, with addresses varying between samples, as well as through a lightweight Tor client.

    “The Tor communications element of SystemBC appears to be based on mini-tor, an open-source library for lightweight connectivity to the Tor anonymized network,” the researchers note. “The code of mini-Tor isn’t duplicated in SystemBC […] but the bot’s implementation of the Tor client closely resembles the implementation used in the open-source program, including its extensive use of the Windows Crypto Next Gen (CNG) API’s Base Crypto (BCrypt) functions.”
    Over the past few months, SystemBC has been tracked in “hundreds” of deployments, including recent Ryuk and Egregor ransomware attacks. The team says the backdoor was deployed after the cyberattackers obtained access to server credentials in these attacks, with SystemBC acting as a valuable persistence bolt-on to the main malware strains used. 

    SystemBC was deployed as an off-the-shelf tool, likely obtained through malware-as-a-service deals made in underground forums, and in some cases, was present on infected machines for days — or weeks — at a time.
    “SystemBC is an attractive tool in these types of operations because it allows for multiple targets to be worked at the same time with automated tasks, allowing for hands-off deployment of ransomware using Windows built-in tools if the attackers gain the proper credentials,” Sophos Labs added. 