More stories

  • Banks now rely on a few cloud computing giants. That's creating some unexpected new risks

    Outsourcing key banking data and services to a small number of cloud service providers means that those providers have the power to dictate their own terms.  
    Banks’ growing reliance on cloud computing could pose a risk to financial stability and will require stricter oversight, according to top executives from the UK’s central bank. In a report focusing on financial stability in the UK over the past few months, the Bank of England drew attention to the increasing adoption of public cloud services, and voiced concerns about those services being provided by only a handful of huge companies that dominate the market. Outsourcing key banking data and services to a small number of cloud service providers (CSPs), said the Bank of England, means that those providers have the power to dictate their own terms, potentially at the expense of the stability of the financial system.

    For example, cloud providers might fail to open up the inner workings of their systems to third-party scrutiny, meaning that it is impossible for customers to know whether those providers are delivering the level of resilience needed to carry out banking operations. “As regulators and people concerned with financial stability, as (CSPs) become more integral to the system, we have to get more assurance that they are meeting the level of resilience that we need,” Andrew Bailey, the Bank of England governor, told reporters in a press conference.

    In recent years, financial institutions have accelerated their plans to scale up their reliance on CSPs. From file sharing and collaboration to fraud detection, through business management and communications, banks have used cloud outsourcing both to run software and access additional processing capacity, and to support IT infrastructure. Until recently, cloud services were used mostly to run applications at the periphery of banking operations, such as HR systems with no direct impact on financial services. According to the Bank of England, however, this is now changing, with CSPs being called in to process operations that are more integral to the core running of banks.

    “We’ve crossed a further threshold in terms of what sort of systems and what volumes of systems and data are being outsourced to the cloud,” said Sam Woods, the chief executive officer of the Prudential Regulation Authority (PRA). “As you’d expect, we track that quite closely.”

    Last year, the Bank of England opened bidding for a cloud build partner, with the goal of creating a fit-for-purpose cloud environment that could better support operations in a digital-first environment. At the time, the institution said that it had already been in talks with Microsoft’s Azure, Google Cloud and Amazon’s AWS, and that it would likely be targeting Azure in the first instance. The possibility of adopting a multi-cloud strategy was also raised.

    There are many benefits to moving financial services to the public cloud. For example, while using old-fashioned, on-premises data centers incurs extra expenses, a recent analysis by the Bank of England estimated that adopting the ready-made services offered by hyperscalers could reduce technology infrastructure costs by up to 50%. Another advantage of public cloud services is that they are more resilient. The sheer scale of CSPs enables them to implement infrastructure that integrates multiple levels of redundancy, and as such is less vulnerable to failures.

    Moving to the cloud, therefore, is not intrinsically detrimental to banking services – quite the contrary. But the main sticking point, according to the regulators, lies in the concentration of major players that dominate the cloud market. According to tech analysis firm Gartner’s latest numbers, the top five cloud providers currently account for 80% of the market, with Amazon holding a 41% share and Azure representing nearly 20% of the market. “As of course a market becomes more concentrated around one supplier or a small number of suppliers, those suppliers can exercise market power around of course the cost but also the terms,” said Bailey. “That is where we do have a concern and do have to look carefully because that concentrated power on terms can manifest itself in the form of secrecy, opacity, not providing customers with the information they need in order to be able to monitor the risk in the service. And we have seen some of that going on.”

    As Bailey stressed, part of the reason for CSPs to remain secretive comes down to better protecting customers, by not opening up key information to potential hackers. But the regulator said that a careful balance has to be maintained on transparency, to enable an appropriate understanding of the risks and resilience of the system without compromising cybersecurity.

    Leighton James, the CTO of UKCloud, which provides multi-cloud solutions to public sector organizations across the country, explains that these issues are not unprecedented, and it is unsurprising to see them trickle down to the financial services. “We’re anxious about cloud providers becoming so big that the terms and conditions are pretty much ‘take it or leave it’. We’ve definitely seen that happening already in the public sector, and we can definitely see it happening in the financial services sector if we are not careful,” James tells ZDNet. According to James, part of the risk stems from traditional banks attempting to compete against new disruptive players in the sector. Financial institutions are now rushing to overhaul their legacy infrastructure and catch up with the digital-native customer experiences that were born in the cloud and are now widely available thanks to fintech companies. “It’s clearly imperative for the financial sector to modernize and adopt digital technologies,” says James. “The question becomes how best they can do that by balancing the risk of digital transformation.” And in this scenario, the risk of placing all of banks’ eggs in a handful of CSPs’ baskets is too high, argues James.

    The Bank of England has similarly urged financial institutions to exert caution when developing their digital transformation strategies, and is currently in talks with various regulators to discuss how best to tackle those risks. With cloud concerns widely shared by other nations, especially in the EU, those discussions are likely to become international, and the UK’s central bank predicts that global standards will be created to develop a consistent approach to the issue.

  • Artwork Archive cloud storage misconfiguration exposed user data

    Update (July 16, 2021): Artwork Archive told ZDNet it received notice a month or so ago about a single open S3 bucket — a folder where it keeps publicly shareable reports. It addressed it, and after a review by its team, it found no suspicious activity. Artwork Archive said it has also alerted users about this issue. Researchers say a platform used to connect artists and potential buyers leaked the personally identifiable information (PII) of users. 

    On Friday, the WizCase team, led by Ata Hakçıl, said that misconfigurations in an Amazon S3 bucket belonging to Artwork Archive exposed over 200 000 files. Based in Denver, Colorado, Artwork Archive is marketed as a platform to “give artists, collectors, and organizations a better way to manage their art.” Software solutions are offered on a subscription basis to manage both the purchase and sale of artwork. The security researchers discovered the bucket, which did not require any authentication to access, on May 23. In total, 421GB of data was exposed. Dating back to August 2015, the records related to over 7000 artists, collectors, and galleries, and “potentially their customers, too,” according to WizCase. Data available to view included full names, physical addresses, and email addresses. Purchase details, too, were exposed. WizCase found approximately 9000 invoices, as shown below, including the price of artwork and sales agreements, alongside revenue reports.
    [Images: WizCase]

    In addition, “exported contacts” were stored in the bucket, containing full names, phone numbers, email addresses, city and country, and company affiliations of individuals. “These were usually contacts an artist added to Artwork Archive via their contact management feature and included art institutions, individual artists, art collectors, friends, and family,” the researchers say. Finally, WizCase discovered inventory reports which listed artwork owned by “specific artists, buyers, and galleries.” Artwork Archive was made aware of the security issue on May 23 and secured the storage system three days later, on May 26. ZDNet has reached out to Artwork Archive, and we will update when we hear back.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Toddler mobile banking malware surges across Europe

    Researchers have provided a deep dive into Toddler, a new Android banking Trojan that is surging across Europe. 

    In a report shared with ZDNet, the PRODAFT Threat Intelligence (PTI) team said that the malware, also known as TeaBot/Anatsa, is part of a rising trend of mobile banking malware attacking countries, including Spain, Germany, Switzerland, and the Netherlands. Toddler was first disclosed by Cleafy following its discovery in January. While still under active development, the mobile Trojan has been used in attacks against the customers of 60 European banks.   In June, Bitdefender said that Spain and Italy were infection hotspots, although the UK, France, Belgium, Australia, and the Netherlands were also being targeted. According to PTI, in an analysis of the malware this year, Spain has secured the top spot for cyberattacks. So far, at least 7 632 mobile devices have been infected. After infiltrating a command-and-control (C2) server used by the Trojan’s operators, the researchers also found over 1000 sets of stolen banking credentials.  Although researchers from multiple organizations have tracked Toddler to malicious .APK files and Android apps, infection vectors vary. While the Trojan has not — as of now — been found on Google Play, numerous legitimate websites have been compromised to host and serve the malware.  

    While Toddler is pre-configured to target the users of “dozens” of banks across Europe, PRODAFT has found that 100% of infections detected so far relate to only 18 financial organizations. In total, five of the companies accounted for close to 90% of attacks — which the team believes may indicate a successful SMS-based phishing campaign. Toddler is run-of-the-mill Trojan software in many ways. It contains the functions you would typically expect: the ability to steal data, including banking details, keylogging, taking screenshots, intercepting two-factor authentication (2FA) codes, SMS interception, and connecting to a C2 to transfer information, accept commands, and link the infected device to a botnet.

    The Trojan will use overlay attacks to dupe victims into submitting their EU bank credentials by displaying fake login screens. Upon installation, the malware monitors what legitimate apps are being opened — and once target software is launched, the overlay attack begins. “Toddler downloads the specially-crafted login page for the opened target application from its C2,” PRODAFT noted. “The downloaded webview phishing page is then laid over the target application. The user suspects nothing because this event happens almost instantaneously when the legitimate application is opened.” The malware will also attempt to steal other account records, such as those used to access cryptocurrency wallets. The C2’s command list includes activating an infected device’s screen, prompting permission requests, changing volume levels, attempting to grab codes from Google Authenticator via Accessibility, and uninstalling apps.

    The level of persistence this Trojan is able to maintain is unusual. Toddler contains multiple persistence mechanisms — the most notable of which is preventing an infected device from being rebooted by abusing Accessibility functions. Toddler can also prevent a handset from being used in safe mode. “Toddler sets a new precedent for persistence module implementation,” the researchers say. “Removal of the malware from the device requires huge technical expertise, and it looks like the process will not get easier in the future.”

  • Chinese APT LuminousMoth abuses Zoom brand to target gov't agencies

    A Chinese advanced persistent threat (APT) group is spreading fake Zoom software to spy on targets in South East Asia. 

    The group, dubbed LuminousMoth by Kaspersky, is focused on cyberespionage and the theft of information from high-profile targets. Dating back to at least October 2020, roughly 100 victims have been detected in Myanmar, and close to 1,400 have been recorded in the Philippines. However, these infection rates may not tell the whole story, as the researchers believe that only a small subset of these victims was of interest to the APT and was exploited further. LuminousMoth’s true targets, in particular, are government agencies in both of these countries and abroad. According to the researchers, the preliminary rate of infection may be due to LuminousMoth’s initial attack vector and spreading mechanisms, deemed “noisy” and unusual for an APT to adopt.

    The APT begins by sending spear phishing emails that contain Dropbox download links to a .RAR archive, named with political or COVID-19 themes. This file contains two malicious .DLL files which are able to then pull and deploy malicious executables on an infected system. Once this stage of infection has been completed, LuminousMoth will download a Cobalt Strike beacon and side-load two malicious libraries designed to establish persistence and to copy the malware onto any removable storage drives connected to a victim system.

    In cases noted by Kaspersky, the threat actors have then deployed a fake Zoom app, software that has become a lifeline — alongside Microsoft Teams, and others — for many businesses forced to go remote during the COVID-19 pandemic. The software, signed by an organization in Shanghai, is actually used to exfiltrate files of interest to LuminousMoth. Any file found with pre-defined extensions is copied and transferred to a command-and-control (C2) server. LuminousMoth will also look for cookies and credentials, including those used for Gmail accounts. “During our test, we set up a Gmail account and were able to duplicate our Gmail session by using the stolen cookies,” Kaspersky says. “We can therefore conclude this post-exploitation tool is dedicated to hijacking and impersonating the Gmail sessions of the targets.”

    The APT’s activities also appear to overlap with HoneyMyte/Mustang Panda, another Chinese-speaking group, linked to an attack against the office of Myanmar’s president. LuminousMoth and HoneyMyte have adopted similar tactics during campaigns, including C2 overlaps, .DLL side-loading, the deployment of Cobalt Strike beacons, and similar cookie-stealing functionality. “Both groups, whether related or not, have conducted activity of the same nature — large-scale attacks that affect a wide perimeter of targets with the aim of hitting a few that are of interest,” the researchers say.

  • Microsoft points the finger at Israeli spyware seller for DevilsTongue attacks

    Microsoft’s war against private exploit and offensive security sellers continues with a strike against Sourgum. 

    On July 15, the Microsoft Threat Intelligence Center (MSTIC) said that the Redmond giant has been quietly tackling the threat posed to Windows operating systems by the organization, dubbed a “private-sector offensive actor” (PSOA). A tip provided by human rights outfit Citizen Lab led Microsoft to the PSOA, dubbed Sourgum, a company said to sell cyberweapons including the DevilsTongue malware. “The weapons disabled were being used in precision attacks targeting more than 100 victims around the world including politicians, human rights activists, journalists, academics, embassy workers, and political dissidents,” Microsoft says. Approximately half of DevilsTongue victims are located in Palestine, but a handful have also been traced back to countries including Israel, Iran, Spain/Catalonia, and the United Kingdom. According to the Citizen Lab, Sourgum is based in Israel and counts government agencies across the globe among its customers. With the assistance of Citizen Lab, Microsoft has examined the unique malware family developed by Sourgum and has now pushed protections against it in Windows security products. This includes patching previously unknown vulnerabilities, CVE-2021-31979 and CVE-2021-33771.

    These two vulnerabilities were listed as actively exploited in Microsoft’s latest security update, known as Patch Tuesday, which is issued on a monthly basis. They are both described as Windows Kernel privilege escalation security flaws. Microsoft says that the exploits are “key” elements of wider attack chains used by Sourgum to target Windows PCs and browsers in order to deliver DevilsTongue. Browser exploits appear to be used in one of the initial attack stages, where they are served through malicious URLs and sent via messaging services including WhatsApp.

    The modular malware is described as “complex” with “novel capabilities.” While analysis is ongoing, Microsoft says that DevilsTongue’s main functionality is stored in encrypted .DLL files, only decrypted when loaded into memory, and both configuration and tasking data are separate from the main payload. DevilsTongue can be used in both user and kernel modes and is capable of .DLL hijacking, COM hijacking, shellcode deployment, file collection, registry tampering, cookie theft, and the extraction of credentials from browsers. A feature of note is a module dedicated to decrypting and extracting conversations taking place over Signal. The malicious code also contains sophisticated obfuscation and persistence mechanisms.

    “With these hacking packages, usually the government agencies choose the targets and run the actual operations themselves,” Microsoft says. “The tools, tactics, and procedures used by these companies only add to the complexity, scale, and sophistication of attacks. We take these threats seriously and have moved swiftly alongside our partners to build in the latest protections for our customers.” Detection data has also been shared with the wider security community. “We’re providing this guidance with the expectation that Sourgum will likely change the characteristics we identify for detection in their next iteration of the malware,” the company added. “Given the actor’s level of sophistication, however, we believe that outcome would likely occur irrespective of our public guidance.”

    In related news this week, Microsoft disclosed a third vulnerability impacting the Windows Print Spooler service, joining the duo of security flaws known as PrintNightmare. Tracked as CVE-2021-34481, the bug can be exploited to obtain system-level privileges locally.

  • May ransomware blight all the cyber stragglers and let God sort them out

    The threat of ransomware dominates the cyber news right now, and rightly so. But this week Rachael Falk, chief executive officer of Australia’s Cyber Security Cooperative Research Centre, made a very good point. Ransomware is “totally foreseeable and preventable because it’s a known problem”, Falk told a panel discussion at the Australian Strategic Policy Institute (ASPI) on Tuesday. “It’s known that ransomware is out there. And it’s known that, invariably, the cyber criminals get into organisations through stealing credentials that they get on the dark web [or a user] clicking on a link and a vulnerability,” she said. “We’re not talking about some sort of nation-state really funky sort of zero day that’s happening. This is going on the world over, so it’s entirely foreseeable.” There are “four or five steps you could take that could significantly mitigate this risk,” Falk said. These are patching, multi-factor authentication, and all the stuff in the Australian Signals Directorate’s Essential Eight baseline mitigation strategies. The latest Essential Eight Maturity Model even comes with detailed checklists for Windows-based networks. “Companies are on notice that this is a risk for them,” Falk said. “There’s a known problem often, and a known fix, but people haven’t done it.”

    So given this laziness, given that cyber wake-up calls have been ignored since the 1970s, and given that organisations continue to willfully fail to follow the advice they’re given, your correspondent has a question. Has the time come to let Darwinism loose? Should we let all these lazy organisations get hacked, and just let God sort them out? “I love that approach,” Falk said. “It is glacial-like movement, and I think the only change now that might accelerate it is legislation, which obviously government is potentially seeking to introduce at the moment,” she said, referring to proposed changes to critical infrastructure laws. Maybe we’ll only start paying attention when there’s more 5G, more device-to-device communication, and more personal dependence on the network. “I kind of wonder, though, in a macabre kind of way, will the test be when people just can’t use their phones for half an hour,” Falk said. “That’s when you’ll get people going, oh, we just have to have law about this because we can’t cope with [no] iPhones, internet, fridge, streaming, Netflix, you name it.” OK, we’re joking. Probably. In cybersecurity as in public health, blaming the victim is counterproductive. And in many cases it’s the customers and citizens who’d really suffer from ransomware and other cyber attacks that take out an organisation. “It could really, really impact life, and be a threat and risk to life. So I think people have to start thinking about this as not some sort of a joke,” Falk said. “The fact that we joke about, oh, the internet being down for 30 minutes, it could be the matter of a medical procedure is stopped and someone dies halfway through.” In Germany last year, for example, a patient died following a ransomware attack on a hospital in Duesseldorf, which caused her to be re-routed to a hospital more than 30 kilometres away. A police investigation found that she probably would have died anyway, but next time we may not be so lucky. 
    ASPI’s ransomware policy recommendations

    Fortunately, a global consensus on how to tackle ransomware does seem to be emerging. Just one example is a new report from ASPI’s International Cyber Policy Centre, Exfiltrate, encrypt, extort: The global rise of ransomware and Australia’s policy options, of which Falk is co-author. On the vexed question of whether organisations should pay a ransom or not, the report recommends that paying them should not be criminalised. Instead, there should be a “mandatory reporting regime … without fear of legal repercussions”. This would be a major step in transparency. Out of all the major ransomware incidents in Australia — Toll Holdings, BlueScope Steel, Lion Dairy and Drinks, legal document-management services firm Law in Order, Nine Entertainment, Eastern Health in Victoria, Uniting Care Qld, and JBS Foods — only JBS has admitted to paying a ransom of $11 million. Such a scheme has already been proposed by Labor in its Ransomware Payments Bill 2021, introduced into parliament last month as part of its national ransomware strategy.

    The ASPI report recommends expanding the role of the ASD’s Australian Cyber Security Centre (ACSC) to include the real-time distribution of publicly available alerts. ACSC should also publish a list of ransomware threat actors and aliases, giving details of their modus operandi and key target sectors, along with suggested mitigation methods. The ASD is already known to be using its classified capabilities to warn of impending ransomware attacks. The report also recommends tackling the “low-hanging fruit” of incentivisation and education. This includes incentives such as tax breaks for cyber investment, grants, or subsidy programs; a “concerted nationwide public ransomware education campaign, led by the ACSC, across all media”; and a “business-focused multi-media public education campaign”, also led by the ACSC. “[This campaign should] educate organisations of all sizes and their people about basic cybersecurity and cyber hygiene. It should focus on the key areas of patching, multifactor authentication, legacy technology, and human error.” Finally, the report recommends creating a “dedicated cross-departmental ransomware taskforce”, including state and territory representatives, to share threat intelligence and develop policy proposals.

    Your correspondent finds none of these recommendations unreasonable, though there are perhaps questions about whether ACSC is currently well-equipped to run an effective and engaging major public information campaign. Nevertheless, given how slowly Australian organisations have adapted to cyber risks over the last couple of decades, maybe we need a little less carrot and a bit more stick.

  • Windows Print Spooler hit with local privilege escalation vulnerability

    After a pair of PrintNightmare vulnerabilities, the last thing the Windows Print Spooler needed was a third vulnerability, and yet it exists. Microsoft has announced that CVE-2021-34481 allows for local privilege escalation to the level of SYSTEM. “An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said. “An attacker must have the ability to execute code on a victim system to exploit this vulnerability. The workaround for this vulnerability is stopping and disabling the Print Spooler service.” Microsoft rates the exploitability of the vulnerability as “more likely”. “Microsoft analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability. Moreover, Microsoft is aware of past instances of this type of vulnerability being exploited. This would make it an attractive target for attackers, and therefore more likely that exploits could be created,” Microsoft’s exploitability index explained.

    Microsoft said it was creating a patch, and that the vulnerability was not introduced in its July 13 set of updates. The company has been scrambling to properly patch its Print Spooler service recently. Initially, a critical bug that allowed for remote code execution was announced and labelled as CVE-2021-1675. Exploits were publicly available after Microsoft’s patches failed to fix the issue completely; security researchers who had already published their code said they deleted it, but it had already been forked on GitHub. Microsoft then dropped CVE-2021-34527 later in the week, which had much the same description of running code as SYSTEM as CVE-2021-34481. Unlike the new vulnerability, this one can be exploited remotely.
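    The workaround quoted above, stopping and disabling the Print Spooler service until a patch is available, applied from an elevated PowerShell session. This is an added example, not code from the article or from Microsoft’s advisory; it assumes the standard Windows service name `Spooler` and a host that does not need to print.

```powershell
# Added example (not from the article or Microsoft's advisory): apply the
# published workaround for CVE-2021-34481 by stopping and disabling the
# Windows Print Spooler service. Run as an administrator. Assumes the
# standard service name "Spooler".

$svc = Get-Service -Name Spooler -ErrorAction Stop
Write-Host "Print Spooler before: status=$($svc.Status) startType=$($svc.StartType)"

# Stop the running service. -Force also stops anything that depends on it.
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name Spooler -Force
}

# Stop-Service alone does not survive a reboot; setting the start type to
# Disabled keeps the service from being started again, manually or at boot.
Set-Service -Name Spooler -StartupType Disabled

# Verify the end state so the change can be recorded in the ticket.
$svc = Get-Service -Name Spooler
if ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled') {
    Write-Host "Print Spooler is stopped and disabled; this host cannot print until it is re-enabled after patching."
} else {
    Write-Warning "Print Spooler is still status=$($svc.Status) startType=$($svc.StartType); check for Group Policy or a management agent restoring it."
}
```

    On print servers and on hosts that must keep printing, this workaround is not usable as-is, which is why it is a stopgap until the patch ships.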

  • Bug bounty platform urges need for firms to have vulnerability disclosure policy

    Organisations should provide a proper channel through which anyone can report vulnerabilities in their systems. This will ensure potential security holes can be identified and plugged before they are exploited. Establishing a vulnerability disclosure policy (VDP) would also provide assurance to anyone acting in good faith, such as security researchers, that they would not face prosecution for reporting the vulnerability, said Kevin Gallerin, Asia-Pacific managing director of bug bounty platform YesWeHack. In fact, creating such policies was more important than running bug bounty programmes, Gallerin said in a video interview with ZDNet. He noted that more companies today were embracing the need for a VDP, detailing a “safe and clear framework” through which information about security vulnerabilities could be submitted and how these should be handled within the organisation.

    Without a proper policy in place, security researchers might be less inclined to report a vulnerability or, when they did so, might not receive a response since the organisation’s employees lacked guidance on what they needed to do. “The information [then] gets lost and forgotten until the vulnerability eventually gets exploited,” Gallerin said, adding that a proper VDP would provide a structured channel to report security issues and mitigate the affected organisation’s risks by reducing their time to remediation. “We’re a strong advocate for this.” YesWeHack’s service offerings include helping enterprises establish their VDP, integrating vulnerability management with their internal workflows, as well as reviewing and recommending changes to their existing VDP. The vendor was seeing growing demand for both its bug bounty and VDP services in this region, including China, Indonesia, and Australia, Gallerin said.

    Headquartered in France, the vendor has an office in Singapore and currently is running bug bounty programmes for Southeast Asian e-commerce operator Lazada and Chinese telecoms equipment manufacturer ZTE. Some 30% of its customer base is in this region, of which half is in Singapore. Gallerin told ZDNet that YesWeHack was aiming for Asia-Pacific to account for half of its global clientele, adding that the bug bounty platform currently works with some 10,000 security researchers in this region. It has a global network of more than 25,000 security researchers. Its triage team comprises full-time employees in Singapore and France, who divide their time between triaging, to assess submissions in bug bounty programmes, and supporting research and development projects for internal deployment as well as tools for the hunter community.

    It previously ran a private bug bounty programme for Lazada, which saw $150,000 in bounties handed out to bug hunters, he said, but declined to say how many vulnerabilities were identified. The e-commerce operator had started out with smaller, private bug hunting exercises before gradually scaling up and launching its public bug bounty programme last month with YesWeHack, Gallerin said. He noted that most companies in Asia, compared to their US or European counterparts, were less comfortable discussing potential vulnerabilities in their systems and preferred to run private bug bounty programmes. They did, however, realise there likely were security holes their own teams had overlooked and saw bug bounty programmes as a way to identify, and plug, potential vulnerabilities, he said. The main objective here was to prevent potential data breaches, he added, which was a common concern amongst Asian companies, especially as businesses today increasingly were collecting and managing large volumes of personal customer data. According to Gallerin, YesWeHack’s hacker community had been able to find at least one critical vulnerability, one that enabled full access to user data or infrastructure, in most bug bounty programmes it ran.