More stories


    WFH leads to surge in mobile phishing and malware attacks targeting pharmaceuticals companies

    Cyber criminals are increasingly going after the pharmaceuticals industry by targeting employees with phishing and malware campaigns tailored to take advantage of potential security vulnerabilities in smartphones and tablets.
    Pharmaceuticals is an extremely high-profile target right now, as drug companies attempt to develop a vaccine for COVID-19 and there have already been several recorded instances of nation-state-backed hacking campaigns attempting to steal intellectual property from medical research institutions.


    And researchers at mobile cybersecurity company Lookout say there’s been a spike in mobile phishing attacks targeting pharmaceutical employees over the course of this year as cyber criminals attempt to gain access to sensitive data.
    SEE: Cybersecurity: Do these ten things to keep your networks secure from hackers
    The company analyses security telemetry from almost 200 million mobile devices and over 125 million mobile apps from across its customer base: the claim comes following analysis of de-identified and aggregated data from Lookout customers in the pharmaceutical industry. 
    According to the report, one of the reasons for the rise in attacks targeting mobile devices is the shift to remote working as a result of the coronavirus pandemic – meaning employees suddenly became more reliant on mobile devices to be productive while working from home.
    While email remains the most common avenue for phishing attacks, the wide variety of messaging apps and social media platforms people use on their smartphones provides hackers with a number of different options for delivering tailored messages and malicious links.

    “Since most of us use personal mobile devices for work, attackers can socially engineer us using countless channels, such as SMS, iMessage, 3rd party messaging platforms, and social media platforms,” Hank Schless, senior manager of security solutions at Lookout, told ZDNet.
    “The attacker can tailor their phishing message depending on which of these options they decide to use. Since we have our mobile device on us all the time, we also tend to trust messages that are sent to them, which makes mobile phishing attacks more effective,” he added.
    In many cases, the aim of phishing attacks is credential harvesting, with the attacker looking to trick a victim into handing over their username and password. With this, the cyber criminal can log in as the employee and move around the network infrastructure in an effort to find and steal sensitive data.
    Hackers are also targeting smartphones and tablets of people working in pharmaceuticals in an effort to deliver malware – something researchers at Lookout say has more than doubled this year.
    These attacks attempt to trick the victim into downloading malware onto their device, which then allows the attacker to secretly monitor the device in the background, snooping on the activity of the user and enabling attackers to gain access to files and storage drives.
    “In pharma, mobile devices are used across the entire supply chain from research and development to trialling and all the way to manufacturing and distribution. With so much proprietary data being stored in cloud services and accessed through smartphones and tablets, a successful exploitation could lead to serious legal and compliance-related ramifications for the company,” said Schless.
    SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)  
    Forms of malware that attackers are attempting to deliver include Monokle, SilkBean and Wroba trojan.
    One of the reasons why malware is proving to be effective against mobile devices is that a significant number of users continue to use out-of-date operating systems.
    Applying operating system updates and security patches goes a long way to protecting users against malicious attacks, but organisations and individual users often don’t do this swiftly, potentially enabling hackers to exploit known vulnerabilities that already have security fixes.
    In order to help protect employees – and, therefore, the whole organisation – from falling victim to hackers targeting smartphones, mobile devices should be treated like traditional endpoints, with security updates applied as quickly as possible. “To fully secure your pharmaceutical workforce, mobile devices need to be included in your overall security strategy,” said Schless.


    Capcom confirms Ragnar Locker ransomware attack, data exposure

    Capcom has confirmed that a recent security incident was due to a Ragnar Locker ransomware infection, potentially leading to the exposure of customer records. 

    This week, the Japanese gaming giant confirmed that the company had fallen prey to “customized ransomware” which gave attackers unauthorized access to its network — as well as the data stored on Capcom Group systems. 
    The firm says it has “verified that some personal information has been compromised,” adding that the ransomware outbreak “destroyed and encrypted data on its servers.”
    See also: Capcom quietly discloses cyberattack impacting email, file servers
    A ransom payment was demanded, but it does not appear that Capcom bowed to blackmail.
    Capcom has provided an extensive list of confirmed and potentially compromised records. As of November 16, the firm has verified that the personal information of former employees — including names, signatures, addresses, and passport information — was exposed. These “five items” join “four items” relating to current employees and their names, as well as human resource records.
    Capcom says that sales reports and financial information were also impacted, but has not gone into further detail.

    Together with the confirmed leaks of data, Capcom has also provided a list of potentially exposed records, choosing to list them as worst-case scenarios:
    The PII of customers, business partners, and more: 350,000 items
    Japan’s customer service video game support, help desk: 134,000 items, including names, addresses, phone numbers, email addresses
    North America: Capcom Store member information: 14,000 items, including names, dates of birth, email addresses
    Esports operations website members: 4,000 items, including names, email addresses, gender
    Shareholder lists: 40,000 items, including names, addresses, shareholder numbers, amounts
    Former employees and family: 28,000 people, applicant data (125,000 people): names, dates of birth, addresses, phone numbers, and more
    Human resources data: 14,000 people
    Confidential corporate information: business partner records, sales documents, and more
    Capcom is keen to emphasize that no credit card data has been included in the breach, as payments are managed by a third party.
    CNET: Trump fires top cybersecurity official for debunking election fraud claims
    “Because the overall number of potentially compromised data cannot specifically be ascertained due to issues including some logs having been lost as a result of the attack, Capcom has listed the maximum number of items it has determined to potentially have been affected at the present time,” the firm says.
    The security incident occurred on November 2. Email systems and a number of file servers were impacted and so the company temporarily cut some services to stop the attack — and also warned investors that “inquiries and/or requests for documents” would not be answered. 
    ZDNet learned at the time that Ragnar Locker ransomware may be to blame. In a ransomware note displaying the Capcom brand, the attackers behind the infection demanded that the company get in touch to negotiate a blackmail payment. 
    TechRepublic: How to secure your Zoom account with two-factor authentication
    The company is working with law enforcement in Japan and the US, as well as external security experts, as part of an investigation into the cyberattack. Capcom also says a new cybersecurity advisory board will be created “towards preventing any reoccurrence.”
    “Capcom offers its sincerest apologies for any complications and concerns that this may bring to its potentially impacted customers as well as to its many stakeholders,” the company says. “In order to prevent the reoccurrence of such an event, it will endeavor to further strengthen its management structure while pursuing legal options regarding criminal acts such as unauthorized access of its networks.”


    Chaes malware strikes customers of Latin America’s largest e-commerce platform

    Previously unknown malware has been detected in widespread attacks against e-commerce customers in Latin America. 

    The malware, dubbed Chaes by Cybereason Nocturnus researchers, is being deployed by a threat actor across the LATAM region to steal financial information. 
    In a blog post on Wednesday, the cybersecurity team said Brazilian customers of the area’s largest e-commerce company, MercadoLivre, are the focus of the infostealing malware.
    See also: Lazarus group strikes cryptocurrency firm through LinkedIn job adverts
    Headquartered in Buenos Aires, Argentina, MercadoLivre operates both an online marketplace and auctions platform. In 2019, an estimated 320.6 million users were registered with the e-commerce giant. 
    First detected in late 2020 by Cybereason, Chaes is spread via phishing campaigns, in which emails claim that a MercadoLivre purchase has been successful. To try and increase the email’s look of legitimacy, the threat actors also appended a “scanned by Avast” footnote. 
    The messages contain a malicious .docx file attachment. Assaf Dahan, Cybereason Head of Threat Research, told ZDNet the attachment leverages “a template injection technique, using Microsoft Word’s built-in feature to fetch a payload from a remote server.”

    If a victim opens the file, the template injection is used to establish a connection with the attacker’s command-and-control (C2) server, as well as to download the first malicious payload, an .msi file.
    This file then deploys a .vbs file used to execute other processes, as well as uninstall.dll and engine.bin, that both act as the malware’s “engine.” A further trio of files — hhc.exe, hha.dll and chaes1.bin — are installed that stitch together Chaes’s main components. A cryptocurrency mining module was also recorded. 
    CNET: Rules for strong passwords don’t work, researchers find. Here’s what does
    Chaes creates registry keys to maintain persistence for the malware’s main engine and will deploy modules disguised as legitimate processes in order to steal system information, extract sensitive information from Google Chrome browser sessions, harvest login credentials for online accounts, and exfiltrate financial information, in particular when the MercadoLivre domain is visited.
    Of particular note is Chaes’ ability to open a Chrome session. Activity is monitored and controlled through API hooking and the Node.js library Puppeteer. MercadoLivre and MercadoPago pages can be accessed without consent on infected machines. The malware is also able to take screenshots of MercadoLivre pages visited and send them to the C2.
    “The alarming part in this node.js-based malware is the fact the majority of this behavior is considered normal, as the usage of the Puppeteer library for web scraping is not malicious by nature,” the team says. “Therefore, detecting these kinds of threats is much more challenging.”
    TechRepublic: Hackers for hire target victims with cyber espionage campaign
    However, Chaes appears to be under active development, as revised versions of the malware are more direct in targeting MercadoLivre pages that relate to e-commerce purchases. 
    Cybereason is currently exploring whether or not the malware is being used in campaigns against other e-commerce companies, and warns that Chaes may indicate a “possible future trend in using the Puppeteer library for further attacks in other major financial institutions.”


    Firefox support for Flash ends on January 26

    Mozilla laid out on Tuesday the steps it will take to put the final nails into the coffin containing Adobe Flash.
    “Firefox version 84 will be the final version to support Flash. On January 26, 2021 when we release Firefox version 85, it will ship without Flash support, improving our performance and security,” Mozilla said in a post.
    “There will be no setting to re-enable Flash support. The Adobe Flash plugin will stop loading Flash content after January 12, 2021.”
    Users in the nightly and beta channels will see support disappear when the 85 build hits them, with nightly losing support on Tuesday, and the beta channel set to lose Flash support on December 14.
    Mozilla said if a company required Flash licensing support after it ends, they should get in contact with Samsung’s Harman for Adobe-endorsed support.
    It’s been a long road to finally killing off Flash in browsers.
    Adobe announced the ending of Flash updates and distribution in July 2017. Flash-ending crusader Apple only got around to removing the technology in Safari 14, which appeared in September.

    Browser makers had previously taken steps to cage Flash. For instance, Mozilla moved to prevent Flash running by default last year.
    Earlier on Tuesday, Firefox released version 83 that shipped a feature allowing users to only browse the web on HTTPS sites.
    If Firefox 83 cannot make an HTTPS connection, the browser will show an error to the user and ask them to click a button to confirm they want to access the website via HTTP instead.
    Firefox 83 is also the first version to support pinching to zoom on desktops.
    Traditional zooming on Firefox causes the page to be reflowed as it zooms in, whereas pinching on Firefox 83 behaves as it does on mobile and only increases the size of content.
    “Reflowing and non-reflowing zoom lend themselves to different use cases. Reflowing zoom is useful if, say, you’re reading an article but the text is a bit small for comfort,” Mozilla software engineer Botond Ballo said.
    “Non-reflowing zoom is useful if, say, you want to zoom in on an image or diagram to get a closer look at it.”
    Pinch zooming is currently supported on touchscreens and touchpads on Windows and Mac desktops, with Linux support labelled as a work in progress.


    Trump fires CISA Director Chris Krebs

    In a pair of tweets published on Tuesday, US President Donald Trump announced that he “terminated” Chris Krebs, Director of the Cybersecurity and Infrastructure Security Agency (CISA), over a recent statement calling the recent presidential election the most secure in US history.
    Trump claimed the statement was “highly inaccurate,” citing instead “massive improprieties and fraud” in an election he lost to Democrat candidate Joe Biden.

    …votes from Trump to Biden, late voting, and many more. Therefore, effective immediately, Chris Krebs has been terminated as Director of the Cybersecurity and Infrastructure Security Agency.
    — Donald J. Trump (@realDonaldTrump) November 18, 2020

    A CISA spokesperson was not available for comment; however, Krebs confirmed the firing in a tweet from his personal account.

    Prior to being terminated today, Krebs served as CISA Director for exactly two years and one day, since November 16, 2018, when the agency was formally founded.
    Rumors that Trump was looking to fire the CISA top official began circulating last week when Krebs told multiple associates that he expected to be fired following the agency’s efforts to counter voter disinformation campaigns during the recent election.
    According to a Reuters report, Krebs got on Trump’s bad side after establishing and running Rumor Control, a web page on the CISA website where CISA experts debunked election fraud rumors, many of which the US president was actively promoting during and after the election as facts on his Twitter account.
    Following the Reuters report, several Democrat officials and cyber-security experts came to Krebs’ defense.

    Cyberscoop reported that while multiple Republican lawmakers had lauded Krebs’ work at CISA in the preceding months, none came to his defense after he drew Trump’s ire.
    “Chris Krebs is an extraordinary public servant and exactly the person Americans want protecting the security of our elections,” US Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, said in a statement today.
    “It speaks volumes that the president chose to fire him simply for telling the truth.”


    CyberCX continues aggressive expansion with Queensland operations launch

    CyberCX, the group of security companies headed by two of Australia’s most experienced technology and cyber veterans, has continued its expansion, this time into Queensland.
    The company said it has unified Queensland’s best cybersecurity talent, expertise, and capability to create the state’s leading full-service cybersecurity operator.
    The launch follows CyberCX recently acquiring two Queensland-based cyber companies, Alcorn Group and Yell IT.
    CyberCX said it would work closely with the University of Queensland and QUT to help it grow its Queensland workforce to around 200 over the next 18 months.
    “Queensland is a key market focus for CyberCX. We are the country’s largest, sovereign cybersecurity player and we are passionate about protecting the communities we serve,” CyberCX CEO John Paitaridis said. “CyberCX is well placed to deliver mission-critical cybersecurity services to Queensland businesses and government leveraging our 600 plus cybersecurity specialists nationally.”
    See also: Former PM Turnbull suggests Australia boosts its cyber capability by buying local
    CyberCX in late October also stood up operations in Western Australia after acquiring two local cyber firms, Asterisk Information Security and Diamond Cyber Security.

    Similar to its Brisbane approach, CyberCX said it would work with ECU, UWA, and Curtin University to grow its Western Australian workforce to over 70 cybersecurity professionals over the next year. 
    CyberCX, backed by private equity firm BGH Capital, was formed a year ago when it brought together 12 of Australia’s independent cybersecurity brands: Alcorn, Assurance, Asterisk, CQR, Diamond, Enosys, Klein&Co, Phriendly Phishing, Sense of Security, Shearwater, TSS, and YellIT.
    It is headed by Alastair MacGibbon, former head of the Australian Cyber Security Centre and once special adviser on cybersecurity to former Prime Minister Malcolm Turnbull, as well as Paitaridis, who was formerly Optus Business’ managing director.
    Since launch, CyberCX has gone on an expansion spree, scooping up a number of local cybersecurity startups, which in addition to the Queensland and Western Australian acquisitions, includes identity management firm Decipher Works and cloud security specialists CloudTen in October; and two Melbourne-based startups, Basis Networks and Identity Solutions, in July.
    CyberCX has also pushed into the New Zealand market in August, adding its first Kiwi acquisition in Insomnia Security a month later.


    Ransomware attack forces web hosting provider Managed.com to take servers offline

    Managed.com, one of the biggest providers of managed web hosting solutions, has taken down all its servers in order to deal with a ransomware attack, ZDNet has learned today.

    The attack took place on Monday, November 16, and the ransomware impacted the company’s public-facing web hosting systems, resulting in some customer sites having their data encrypted.
    Managed.com said the incident only impacted a limited number of customer sites, which the company said it immediately took offline.
    But hours after the attack, Managed.com said it also took down its entire web hosting infrastructure, which the company is now working to restore.
    This included WordPress and DotNetNuke managed hosting solutions, email servers, DNS servers, RDP access points, FTP servers, and online databases.
    Initially, the company passed off the attack as unscheduled maintenance, but eventually came clean in emails and messages provided by its tech support operators to an ever-increasing number of angry customers.
    The company says it is now working with law enforcement to identify the attackers and restore customer systems as soon as possible.

    But on online forums, Managed.com customers now fear that their sites will remain down for days or weeks. They cite a similar incident that took place at fellow web hosting provider A2 Hosting in May 2019, from which the company needed more than a month to recover, during which time a large number of customers had to wait for their sites and site data to be restored.
    A Managed.com spokesperson did not return a request for comment before this article’s publication.
    Managed.com now joins a long list of ransomware incidents that have impacted web hosting and data center providers. The list also includes Equinix, CyrusOne, Cognizant, X-Cart, A2 Hosting, SmarterASP.NET, Dataresolution.net, and Internet Nayana.


    Microsoft Defender for Linux adds new security feature

    I know it’s still hard for some of you to wrap your minds around it, but Microsoft really does support Linux these days. A case in point: Back in June, Microsoft released Microsoft Defender Advanced Threat Protection (ATP) for Linux for general use. Now, Microsoft has improved the Linux version of Defender, by adding a public preview of endpoint detection and response (EDR) capabilities.

    This is still not a version of Microsoft Defender you can run on a standalone Linux desktop. Its primary job remains to protect Linux servers from server and network threats. If you want protection for your standalone desktop, use such programs as ClamAV or Sophos Antivirus for Linux.
    For businesses, though, with workers from home now using their Macs and Windows PCs here, there, and everywhere, it’s a different story. While it is based on Linux servers, you’ll be able to use it to protect PCs running macOS, Windows 8.1, and Windows 10.
    With these new EDR capabilities, Linux Defender users can detect advanced attacks that involve Linux servers, utilize rich experiences, and quickly remediate threats. This builds on the existing preventative antivirus capabilities and centralized reporting available via the Microsoft Defender Security Center.
    Specifically, it includes:
    Rich investigation experience, which includes machine timeline, process creation, file creation, network connections, login events, and advanced hunting.
    Optimized performance-enhanced CPU utilization in compilation procedures and large software deployments.
    In-context AV detection. Just like with the Windows edition, you’ll get insight into where a threat came from and how the malicious process or activity was created.
    To run the updated program, you’ll need one of the following Linux servers: RHEL 7.2+; CentOS Linux 7.2+; Ubuntu 16.04 or higher LTS; SLES 12+; Debian or higher; or Oracle Linux 7.2.
    Next, to try these public preview capabilities, you’ll need to turn on the preview features in Microsoft Defender Security Center. Before you do this, make sure you’re running version 101.12.99 or higher. You can find out which version you’re running with the command: 

    mdatp health

    You shouldn’t switch all your servers running Microsoft Defender for Endpoint on Linux to the preview in any case. Instead, Microsoft recommends you configure only some of your Linux servers to Preview mode, with the following command:

    $ sudo mdatp edr early-preview enable 
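    A small POSIX shell script, added here as an example (not Microsoft's tooling or part of the article), that reads the app_version line from mdatp health output, refuses to continue unless it is 101.12.99 or higher, and only then runs the enable command from above. The key : value layout of the health output, the constructed sample, and the DRY_RUN variable are assumptions.

```shell
#!/bin/sh
# Gate the EDR early-preview switch on the version reported by `mdatp health`.
# Added example, not Microsoft's script. DRY_RUN=1 (the default) only prints
# the command; run with DRY_RUN=0 on a server you actually want to switch.
MIN_VERSION="101.12.99"
DRY_RUN="${DRY_RUN:-1}"

# Constructed sample of `mdatp health` output (assumed "key : value" layout),
# used when the real tool is not installed so the script runs offline.
SAMPLE_HEALTH='healthy                                 : true
licensed                                : true
engine_version                          : "1.1.17300.4"
app_version                             : "101.12.99"'

# Print the quoted app_version value found in health output read from stdin.
parse_app_version() {
    sed -n 's/^app_version[[:space:]]*:[[:space:]]*"\([0-9.]*\)".*/\1/p' | head -n 1
}

# Return 0 if $1 >= $2, comparing dotted segments numerically
# (so 101.12.99 is newer than 101.9.75, which a string compare gets wrong).
version_ge() {
    v1="$1."; v2="$2."
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a="${v1%%.*}"; v1="${v1#*.}"
        b="${v2%%.*}"; v2="${v2#*.}"
        a="${a:-0}"; b="${b:-0}"
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
    done
    return 0
}

# Enable the preview only when the installed version meets MIN_VERSION.
# $1 is the text of `mdatp health`. Returns 0 if enabled (or would be), else 1.
enable_preview_if_supported() {
    ver=$(printf '%s\n' "$1" | parse_app_version)
    if [ -z "$ver" ]; then
        echo "could not find app_version in mdatp health output" >&2
        return 1
    fi
    if ! version_ge "$ver" "$MIN_VERSION"; then
        echo "app_version $ver is below $MIN_VERSION: update before enabling preview" >&2
        return 1
    fi
    echo "app_version $ver >= $MIN_VERSION: enabling EDR early preview"
    if [ "$DRY_RUN" = 0 ]; then
        sudo mdatp edr early-preview enable
    else
        echo "(dry run) would run: sudo mdatp edr early-preview enable"
    fi
    return 0
}

# Stand-alone run: use the real tool when present, otherwise the sample output.
if command -v mdatp >/dev/null 2>&1; then
    enable_preview_if_supported "$(mdatp health)"
else
    enable_preview_if_supported "$SAMPLE_HEALTH"
fi
```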

    Once that’s done, if you’re feeling brave and want to see for yourself if it works, Microsoft is offering a way to run a simulated attack. To do this, follow the steps below to simulate a detection on your Linux server and investigate the case. 

    Verify that the onboarded Linux server appears in Microsoft Defender Security Center. If this is the first onboarding of the machine, it can take up to 20 minutes until it appears. 

    Download and extract the script file from aka.ms/LinuxDIY to an onboarded Linux server and run the following command:

    ./mde_linux_edr_diy.sh

    After a few minutes, an alert should be raised in Microsoft Defender Security Center.

    Look at the alert details, machine timeline, and perform your typical investigation steps.

     Good luck! 