Information Technology

Image: Centreon
France’s cyber-security agency said that a group of Russian military hackers, known as the Sandworm group, have been behind a three-years-long operation during which they breached the internal networks of several French entities running the Centreon IT monitoring software.
The attacks were detailed in a technical report released today by Agence Nationale de la Sécurité des Systèmes d’Information, also known as ANSSI, the country’s main cyber-security agency.
“This campaign mostly affected information technology providers, especially web hosting providers,” ANSSI officials said today.
“The first victim seems to have been compromised from late 2017. The campaign lasted until 2020.”
The point of entry into victim networks was linked to Centreon, an IT resource monitoring platform developed by French company CENTREON, and a product similar in functionality to SolarWinds’ Orion platform.
ANSSI said the attackers targeted Centreon systems that were left connected to the internet. The French agency couldn’t say at the time of writing if the attacks exploited a vulnerability in the Centreon software or if the attackers guessed passwords for admin accounts.
However, in the case of a successful intrusion, the attackers installed a version of the P.A.S. web shell and the Exaramel backdoor trojan, two malware strains that when used together allowed hackers full control over the compromised system and its adjacent network.

Image: ANSSI

In a rare step, ANSSI said it managed to link these attacks to an advanced persistent threat (APT) group known in the cyber-security industry under the name of Sandworm.
In October 2020, the US Department of Justice formally charged six Russian military officers for their participation in cyber-attacks orchestrated by this group, formally linking the Sandworm APT to Unit 74455 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency part of the Russian Army. 
Cyber-attacks previously carried out by this group included the energy grid crashes across Ukraine in 2015 and 2016, the NotPetya ransomware outbreak of 2017, the attacks on the PyeongChang Winter Olympics opening ceremony in 2018, and a mass defacement of Georgian websites in 2019.
In addition, the DOJ also linked this group to attacks against France, namely to spearphishing campaigns and related hack-and-leak efforts targeting French President Macron’s “La République En Marche!” political party —an operation also referred to as the Macron Leaks.
Through the release of its report today, the ANSSI is now warning and urging both French and international organizations to inspect their Centreon installations for the presence of the two P.A.S. and Exaramel malware strains, a sign that companies been breached by Sandworm attacks in previous years.
A Centreon spokesperson did not reply to a request for comment before this article’s publication.
Despite the similarity in functionality between Centreon and the SolarWinds Orion apps, the Centreon attacks appear to be opportunistic exploitation of internet-exposed systems rather than a supply chain attack, as several security experts have pointed out today on Twitter.

Sandworm has been using webshells and the Linux version of the backdoor Exaramel against French entities undetected for more than three years.Initial attack vector is unclear, but malware was found on servers running Centreon (vulnerability more likely than supply-chain). https://t.co/ieUYV57hCF
— Timo Steffens (@Timo_Steffens) February 15, 2021 More

It was just another day for Luca Bongiorni, a security advisor for Bentley Systems. He’d just spun up an Ubuntu Linux 18.04 instance on the Microsoft Azure cloud using a corporate sandbox for testing purposes. Three hours later, on Bongiorni’s LinkedIn account he received a message from a Canonical sales representative saying, “I saw that you spun up an Ubuntu image in Azure,” and telling him he’d be his “point of contact for anything Ubuntu-related in the enterprise.” Say what??

Actually, Bongiorni was a little more “frank” about his annoyance and surprise that a Canonical salesperson had tracked him down on an entirely different service and knew that he had just used Ubuntu on Microsoft Azure. “What the f*** is happening here? WHY [did] MICROSOFT FORWARDED TO UBUNTU THAT I SPUN A NEW VM!?!” Customer privacy, what’s that?
Bongironi’s upset when big when well-known Amazon Web Services (AWS) blogger and Chief Cloud Economist at the Duckbill Group Corey Quinn called Microsoft out for sharing their customer’s data tweeting, “@azure had a GOLDEN opportunity to pull a ‘we don’t mine your data, we don’t compete with you, WHO KNOWS what @GCPcloud and @awscloud do with your confidential cloud info!’  Instead, they legit did exactly what their competitors don’t, but we worry about.”
So what the heck is happening here?
I asked Microsoft and they told me, “Customer privacy and trust is our top priority at Microsoft. We do not sell any information to third-party companies and only share customer information with Azure Marketplace publishers when customers deploy their product, as outlined in our Terms and Conditions. Our terms with our publishers allow them to provide customers with implementation and technical support for their products but restricts them from using contact details for marketing purposes.” 
The last is exactly what Canonical did. 
Canonical in response to this incident replied, “As per the Azure T&Cs, Microsoft shares with Canonical, the publisher of Ubuntu, the contact details of developers launching Ubuntu instances on Azure. These contact details are held in Canonical’s CRM in accordance with privacy rules. On February 10th, a new Canonical Sales Representative contacted one of these developers via LinkedIn, with a poor choice of word. In light of this incident, Canonical will be reviewing its sales training and policies.”

Microsoft further muddied the waters when the company pointed me to section 3. Privacy and Data Protection of their Terms and Conditions. There you will find 3.a: Information Disclosed to Publishers. If you purchase or use a Marketplace Offering, we may share with the Publisher of such Offering your contact information and details about the transaction and your usage. We will not share your Customer Data (as defined in this Section 3) with any Publisher without your permission.”
Color me puzzled. I am not a lawyer, but I’d think your contact information is Customer Data. And, certainly, this information was used for marketing. And, who can blame Canonical for wanting this information for marketing? If I were a “publisher,” I’d certainly want to know who’s using my product. 
It seems to me that Microsoft has created a real privacy muddle here with its privacy policy. While the T&C is certainly there, it’s not clear to me what information is shared with publishers and what restrictions they’re under in using that data. Making matters worse, the T&C is a click-wrap agreement. That is to say, like end-user license agreements (EULA) for PC programs, when you sign up for a cloud service you must agree to their T&C before you can use it.  That’s all well and good, but just like EULAs, almost no one reads them. 
Yes, a company’s in-house counsel should examine them, but normal users? I doubt that one-in-a-thousand actually reads such legal boilerplate. In any case, even if you did, it’s confusing enough that I, who cover intellectual property law issues for a living, certainly wouldn’t expect to get a marketing call from Canonical for using Ubuntu or for any other Azure software publisher and its programs. 
As Bongiorni tweeted, 

Where exactly it is visible any ToS?!
As soon as I clicked on “add new VM”, the first option suggested was Ubuntu 18.04.
I didn’t dig into the Azure Marketplace. I just picked the first option available since I quickly need a Linux-based test VM.

Bongiorni doesn’t blame the Canonical sales rep. “He just did what He has been told to do.The problem is with upper management I guess.”
Looking ahead though, Bongiorni doesn’t expect to be spinning any more instances of anything on Azure. He told The Register, he’s considering taking his work to a European-based closed provider “just to be sure there will be more transparency and more GDPR openness.”
Who could blame him?
Related Stories: More

Image: Chainalysis
Criminals who keep their funds in cryptocurrency tend to launder funds through a small cluster of online services, blockchain investigations firm Chainalysis said in a report last week.
This includes services like high-risk (low-reputation) crypto-exchange portals, online gambling platforms, cryptocurrency mixing services, and financial services that support cryptocurrency operations headquartered in high-risk jurisdictions.
Criminal activity studied in this report included cryptocurrency addresses linked to online scams, ransomware attacks, terrorist funding, hacks, transactions linked to child abuse materials, and funds linked to payments made to dark web marketplaces offering illegal services like drugs, weapons, and stolen data.
But while you’d expect that the money laundering resulting from such a broad spectrum of illegal activity to have taken place across a large number of services, Chainalysis reports that just a small group of 270 blockchain addresses have laundered around 55% of cryptocurrency associated with criminal activity.
Furthermore, expanding this group further, Chainalysis says that 1,867 addresses received 75% of all criminally-linked cryptocurrency funds in 2020, a sum estimated at around $1.7 billion.

Image: Chainalysis
“This level of concentration is greater than in 2019,” Chainalysis researchers said in a report published last week. “In particular, we see a much greater share of illicit cryptocurrency going to addresses taking in between $1 million and $100 million worth of cryptocurrency per year.”
“We believe the growing concentration of deposit addresses receiving illicit cryptocurrency reflects cybercriminals’ increasing reliance on a small group of OTC (over-the-counter) brokers and other nested services specializing in money laundering.”

Compared to three years ago, when criminal groups used a wider array of services, Chainalysis says this bottleneck in money laundering operations is good news.
The company believes that the cryptocurrency-related money laundering field is now in a vulnerable position where a few well-orchestrated law enforcement actions against a few cryptocurrency operators could cripple the movement of illicit funds of many criminal groups at the same time.
Furthermore, additional analysis also revealed that many of the services that play a crucial role in money laundering operations are also second-tier services hosted at larger legitimate operators.
In this case, a law enforcement action wouldn’t even be necessary, as convincing a larger company to enforce its anti-money-laundering policies would lead to the shutdown of many of today’s cryptocurrency money laundering hotspots. More

The months-long hacking campaign that affected US government agencies and cybersecurity vendors was “the largest and most sophisticated attack the world has ever seen,” Microsoft president Brad Smith has said, and involved a vast number of developers.
The attack, disclosed by security firm FireEye and Microsoft in December, may have impacted as many as 18,000 organizations as a result of the Sunburst (or Solorigate) malware planted inside SolarWinds’s Orion network management software.   
“I think from a software engineering perspective, it’s probably fair to say that this is the largest and most sophisticated attack the world has ever seen,” Smith told CBSNews’ 60 Minutes. 
Microsoft, which was also breached by the bad Orion update, assigned 500 engineers to investigate the attack said Smith, but the (most likely Russia-backed) team behind the attack had more than double the engineering resources. 
“When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000,” said Smith. 
Among US agencies confirmed to have been affected by the attacks include the US Treasury Department, the Cybersecurity and Infrastructure Agency (CISA), The Department of Homeland Security (DHS), and the US Department of State, and the US Department of Energy (DOE)
Smith has previously raised alarm over the attack because government backed cyber attackers focusing on the technology supply chain pose a risk for the broader economy. 

“While governments have spied on each other for centuries, the recent attackers used a technique that has put at risk the technology supply chain for the broader economy,” Smith said after disclosing the attacks. 
He said this was an attack “on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency.”
Smith highlighted to 60 Minutes that the attackers re-wrote just 4,032 lines of code within Orion, which consists of millions of lines of code. 
Kevin Mandia, CEO of FireEye also discussed how the attackers set off an alarm but only after the attackers had successfully enrolled a second smartphone connected to a FireEye employee’s account for its two-factor authentication system. Employees need that two-factor code to remotely sign in the company’s VPN.
“Just like everybody working from home, we have two-factor authentication,” said Mandia. 
“A code pops up on our phone. We have to type in that code. And then we can log in. A FireEye employee was logging in, but the difference was our security staff looked at the login and we noticed that individual had two phones registered to their name. So our security employee called that person up and we asked, “Hey, did you actually register a second device on our network?” And our employee said, “No. It wasn’t, it wasn’t me.”
Charles Carmakal, senior vice president and chief technology officer at FireEye’s Mandiant incident response team, previously told Yahoo News that FireEye’s security system alerted the employee and the company’s security team to the unknown device that supposedly belonged to the employee. 
The attackers had gained access to the employee’s username and password via the SolarWinds update. Those credentials allowed the attacker to enroll the device in its two-factor authentication system. 
The Orion updates weren’t the only way that companies were infiltrated during the campaign, which also involved the hackers gaining access to cloud applications. As many 30% of the organisations breached had no direct link to Solar Winds according to a report in The Wall Street Journal. More

A new phishing campaign is attempting to lure victims into downloading the latest version of a malware trojan – and it has links to one of the most prolific cyber-criminal operations active in the world today.
The Bazar trojan first emerged last year and a successful deployment of the trojan malware can provide cyber criminals with a backdoor into compromised Windows systems, allowing them to control the device and gain additional access to the network in order to collect sensitive information or deliver malware, including ransomware.

More on privacy

The backdoor has been used in attacks targeting industries including healthcare, technology, manufacturing and logistics across North America and Europe. Researchers have linked it to the developers of Trickbot, one of the most common forms of malware for criminal hackers looking to gain entry to networks.
SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)
Now cybersecurity researchers at Fortinet have identified a new variant of Bazar trojan, which has been equipped with anti-analysis techniques to make the malware harder for anti-virus software to detect.
These include hiding the malicious APIs in the code and only calling on them when needed, additional code obfuscation, and even encrypting certain strings of the code to make it more difficult to analyse.
The new techniques were added to Bazar towards the end of January and coincided with a phishing campaign designed to distribute the updated version of the malware.

Themes used by the phishing emails designed to draw interest from potential enterprise victims include fake customer complaint reports, fake billing statements and the phony offer of a financial bonus.
No matter the theme of the email, the Bazar trojan phishing attacks attempt to encourage a potential victim to click a link that claims to redirect to a PDF containing additional information about the subject of the message.
These links lead to a malicious web page referencing the initial email and directs users towards downloading a file – it’s this which downloads Bazar to the system and executes the installation process for the malware.
Once completed, the attackers have a backdoor onto the compromised system that they can either use for their own malicious purposes, or sell on to other cyber criminals to exploit.
Fortinet warns that this particular Bazar phishing campaign remains active and attempted attacks are frequently being detected.
SEE: Network security policy (TechRepublic Premium)
In order to avoid falling victim to phishing attacks distributing Bazar or any other kind of malware, researchers recommended that organisations provide guidance to employees on how to identify and protect themselves from attacks and scams.
Organisations should also ensure they have a patching strategy in place, which prevents malware from being able to exploit known vulnerabilities as a means of gaining access to networks.
MORE ON CYBERSECURITY More

The Digital Transformation Agency (DTA) has been working on Australia’s digital identity system for a number of years, going live with the myGovID — developed by the Australian Taxation Office — and accrediting an equivalent identity service from Australia Post last year.
The myGovID and the Australia Post Digital ID are essentially forms of digital identification that allow a user to access certain online services, such as the government’s online portal myGov.
There has been conversation around extending digital ID to allow the private sector and state government entities to develop their own platform, but legislation is required to allow such participation. The DTA has been consulting on how to best shape the legislation, proposing, among other things, an oversight body to provide “effective governance” of the digital identity system.
The legislation is aimed at providing a permanent, independent Oversight Authority body or bodies with responsibility for the governance of the system, but the Commonwealth Bank of Australia (CBA) has suggested that oversight is best left to existing, broad-based regulators and, where possible, industry self-regulation.
“For instance, the Office of the Australian Information Commissioner is best placed to review matters relating to privacy; the Australian Cyber Security Centre is best places to assist victims of cyber crime, and so on,” the bank wrote in its submission [PDF] to the DTA.
CBA believes that because certain consumers will potentially interact with different providers — both government and private sector, alongside existing regimes such as the Consumer Data Right — the “proliferation of regulators in the data economy would likely create confusion in the minds of citizens and increase barriers to redress”.
To the extent that an oversight committee is needed, CBA has recommended limiting its functions to interactions with participants, rather than to end users.

Telstra, meanwhile, used its submission [PDF] to focus on the idea that trust in the framework by users will be key to its success.
“It will be of vital importance for users to know that their personal information is safe, and can only be used in the way they authorise,” the telco wrote.
In this respect, it supports a governance and oversight body “that is truly independent — and, importantly, is also perceived to be independent”.
Although already accredited under the system, Australia Post agreed that a new, independent oversight body is required.
“Australia Post agrees that a new independent Oversight Authority should be created to oversee the system at the appropriate time. We believe a new body is best suited to navigate future challenges and opportunities,” it said in its submission [PDF].
“We believe an Oversight Authority should be made up of a representative group of participants, including non-government perspectives.”
RELATED COVERAGE More

Amazon Web Services (AWS) has asked for the introduction of a mechanism that can provide online account providers with immunity when responding to account takeover warrants issued by certain Australian law enforcement bodies.
The call for such a mechanism follows the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 being introduced into Parliament, which, if passed, would hand the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) three new warrants for dealing with online crime.
The first warrant is a data disruption warrant, which according to the Bill’s explanatory memorandum is intended to be used to prevent “continuation of criminal activity by participants, and be the safest and most expedient option where those participants are in unknown locations or acting under anonymous or false identities”.
The second is a network activity warrant that would allow the AFP and ACIC to collect intelligence from devices that are used, or likely to be used, by those subject to the warrant.
The last warrant is an account takeover warrant that will allow the agencies to take control of an account for the purposes of locking a person out of the account.
AWS said the first and third warrants are “formulated for fundamentally different objectives for law enforcement, compared to warrants that law enforcement agencies can currently seek”.
“These two warrants are intended not for the purpose of gathering evidence per se, but to allow law enforcement agents to effectively stand in the (online) shoes of persons suspected of engaging in potential criminal activity,” it wrote in a submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security as part of its review into the Bill.

“Though ancillary to existing warrants, both of these warrants are a significant departure from current provisions and their issue will involve an elevated risk to the liberty and privacy of citizens whose online accounts are impacted by law enforcement activities.”
AWS believes the execution of warrants by law enforcement or provision of assistance in good faith to law enforcement officers executing a warrant should not result in civil liability to a person.
It said that for account takeover warrants and assistance provided under assistance orders relating to account takeover warrants, there should be provision protecting third parties from liability.
“AWS submits that the Bill should be amended to introduce a new immunity for online account providers in relation to the execution of account takeover warrants,” it wrote.
“The immunity should extend to criminal and civil liability, or an action or other form of proceeding for damages, in relation to an act or omission done in good faith in purported compliance with, or in the furtherance of a requirement under, an account takeover warrant.”
AWS is also concerned the new warrants might force the cloud giant into introducing systemic weaknesses or vulnerabilities into its systems.
AWS raised similar issues a few years ago, previously stating that provisions of the Telecommunications and Other Legislation (Assistance and Access) Act 2018 could require actions that have the potential to make technology systems less secure.
Provisions were eventually included in the Act, which listed matters that decision makers had to consider when determining whether notices seeking industry assistance under that Act were reasonable and proportionate
For the latest draft legislation, it has requested that similar considerations be added and for technical feasibility to be an express consideration for those issuing warrants.
“Additionally, AWS submits that the execution of the warrants proposed in the Bill should not result in the introduction of systemic weaknesses or vulnerabilities into any form of electronic protection of data implemented in a technology provider’s systems,” it wrote.
“Such a warrant would be unreasonable in any circumstance as it would create significant and lasting risk to innocent third parties.”
Another request of AWS is that given the potential cross-over of legislative provisions in relation to seeking assistance, that the Bill use the criteria within the Assistance and Access Act to determine what is “reasonable and proportionate”.
“As drafted, the Bill does not provide, in our view, sufficient protection for individual employees of technology providers such as cloud services, and creates an assistance regime that is different from that specified for technology providers under the Assistance and Access Act,” AWS wrote.
“The Bill enables law enforcement to seek an assistance order requiring a specified person to provide any information or assistance that is reasonable and necessary to execute the warrant. A specified person includes an employee of the owner or lessee of the computer, or a person engaged under a contract for services by the owner or lessee of the computer, or a person who is or was a system administrator for the system including the computer.”
It said these definitions could include employees of a cloud service provider.
AWS is also concerned employees who might be ordered to either do an act or thing or omit to do an act or thing under an assistance order may then be forced to breach a foreign law or cause another person to breach a foreign law.
It has, as a result, asked the Bill make it clear that any such requirement would be unreasonable or provide a defence for an individual who refuses to do the act or make the omission.
RELATED COVERAGE More

The Australian Signals Directorate (ASD) expects intervention in the cyber attack response of companies considered critical infrastructure to only occur in “rare circumstances”.
As described in the current form of the Security Legislation Amendment (Critical Infrastructure) Bill 2020, government assistance will be provided to entities in response to significant cyber attacks on Australian systems. Tech giants operating in Australia, such as Amazon Web Services, Cisco, Microsoft, and Salesforce, have all taken issue with these “last resort” powers.
“In the rare circumstance of a serious cybersecurity incident impacting the availability of key critical infrastructure assets, Part 3A, Division 5 of the Bill provides a mechanism for government to directly assist an asset owner or operator in rapidly responding to, and remediating a cybersecurity incident,” the ASD explains in its submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security (PJCIS).
ASD may be requested by the Secretary of the Department of Home Affairs to assist in responding to a serious cybersecurity incident. The Minister for Home Affairs must consult with the asset owner or operator before authorising the Secretary to request ASD assistance, and the measures authorised must be “proportionate and technically feasible”.
Before stepping in, the government must be satisfied that a cybersecurity incident has occurred, is occurring, or is imminent; that the incident is having a relevant adverse impact on the functioning of a critical infrastructure asset; the incident is posing a material risk to the social or economic stability of Australia, its people, national defence, or national security; the relevant entity or entities are unwilling or unable to take all reasonable steps to respond to the incident; and no other options for a practical and effective response exist.
“Interventions under this provision are limited,” ASD said. “In responding to a critical cyber incident, ASD’s incident response teams will only be able to undertake actions specified in the Ministerial Authorisation.”
However, this may include accessing, modifying, or altering the functioning of computers and implementing mitigations, restoring from backups, and installing “incident response tools”.

It may also include accessing, restoring, copying, altering, or deleting software.
The tech community is concerned such governmental intervention would undermine the objectives of defence and recovery. Microsoft, for example, believes this would result in “The Fog of War”, further complicating any attempt to mitigate cyber attack response.
The draft legislation, which entered Parliament in December, also introduces a positive security obligation for critical infrastructure entities, supported by sector-specific requirements and mandatory reporting requirements to the ASD, as well as enhanced cybersecurity obligations for those entities deemed critical infrastructure.
In its submission, ASD said its knowledge of domestic cybersecurity threats and vulnerabilities relies on the Australian community and industry to voluntarily report incidents.
“More incident reports to ASD through the provisions proposed in the Bill will assist in building improved national situational awareness and allow ASD to identify trends, and provide targeted advice to others in order to assist entities to better prepare and protect their networks and Australia’s critical infrastructure,” it told the PJCIS.
It said just over a third of all incidents reported to the ASD’s Australian Cyber Security Centre over the last 12 months have been from Australia’s critical infrastructure sectors.
“This is expected to be just a fraction of the number of cybersecurity incidents affecting critical infrastructure given the voluntary nature of reporting,” it said.
Under the proposal, once a responsible entity becomes aware of a cybersecurity incident, it must be reported within 12 hours if the incident is having a significant impact on the availability of the asset; or 72 hours if the incident is having an impact on the availability, integrity, or reliability of the asset or on the confidentiality of information about, or held by, the asset.
“The primary purpose of ASD receiving information under Part 2B will be to improve national situational awareness, allowing the production of anonymised mitigation advice to assist individual sectors or organisations more broadly to take steps to protect themselves,” ASD wrote.
HERE’S MORE More