More stories

  • Nationally-known Australian company lawyered up to resist ASD help

    The Secretary of the Department of Home Affairs, Mike Pezzullo, has spoken out against hacked organisations that refuse assistance from the Australian Signals Directorate (ASD), likening it to refusing to cooperate with an air crash investigation.

    One such example was discussed in evidence to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) on Friday. “It was a nationally-known case involving a nationally-known company that [ASD director-general Rachel Noble] and I are declining to name at this point,” he said.

    According to Noble, the ASD first learned of the attack from media reports. “We try to reach out to the company to clarify if the media reports are true, and they don’t want to talk to us. So then we keep pushing,” Noble said. “Sometimes we have to use our own very senior level contacts, sometimes through people in this building [Parliament] who might know members of boards or chairs of boards, to try and establish trust and build a willingness to cooperate.”

    When a hacked company cooperates, ASD can typically map its networks and identify the criminality involved on the first day. When the Victorian health system suffered a ransomware attack in 2019, for example, the malware was quickly identified, and the network was back up and running in four days. “What we left them with was also tools, training, and capability to identify, to protect themselves from a similar attack, but more quickly identify it happening again,” Noble said.

    The unnamed company, however, lawyered up, and it took a week for the ASD to get even basic network information. “Five days later we’re still getting a very sort of sluggish engagement of trying to get them to help provide data to us and deploy some of our tools so we can work out what’s happening on their networks. That goes for 13 days,” Noble said. “This incident had a national impact on our country. On day 14, we’re able to only provide them with generic protection advice, and their network is still down. Three months later, they get reinfected, and we start again.”

    Noble says this is why the ASD needs the powers that would be granted by the Security Legislation Amendment (Critical Infrastructure) Bill 2020, which the PJCIS is currently reviewing. “This legislation actually just gives us the authority, through Home Affairs, more leverage to expect these critical infrastructure providers to actually have better cybersecurity standards in the first place,” she said. “The best part of this legislation, from my point of view, is if they look after themselves, it doesn’t become work for my people. And if their defences are much higher, they’re keeping the low level crims out, and then we might be able to focus on the much more sophisticated highly organised criminal syndicates or state actors.”

    Unregulated libertarian cyberplanes endanger the commons

    Pezzullo says Parliament has a duty to “think about the regulation of cyberspace in the way that you would think about the regulation of other commons”. “Every time one of our planes goes down, of course we collaborate with the investigators, and we work out where all the bodies were, and the wreckage of the parts, and we help with the safety investigation,” he said. Not only do we learn lessons from crashes, he said, but we also regulate the movement of aircraft through our skies.

    “The development of the internet’s been organic. It’s been driven by a somewhat unusual combination of libertarian impulses on the one hand, and profit-driven motivations on the other hand,” Pezzullo said. “Every time you connect, you are flying unsafely through airspace. We would not tolerate our airspace being ungoverned and unregulated by the state.”

    Noble spruiked the advantages of cooperating with the ASD. “Our people in ASD are in hand-to-hand combat with criminals and state-based sectors every single day. We have the benefit of top secret intelligence provided to us from around the world, not just our own intelligence that we can gather, [and] 75 years of investment in technical capability to analyse and unpack it with an incredible posture and ability to understand, through our cyber defence capabilities, what’s happening on Australia’s internet.”

    Why would businesses refuse assistance?

    Apart from potential philosophical objections, Noble offered a range of theories. First, there’s what she called “ICT professional hubris”: organisations want to believe they have the technical skills and don’t need help. “We understand that people feel that way. That’s usually before they’ve actually fully appreciated what they’re dealing with,” Noble said.

    Second, the scenario Noble believes brings the lawyers into the room is when the organisation doesn’t have an incident response plan. They don’t know how they’ll manage public communication, relations with their suppliers and customers, potential brand damage, and other commercial interests.

    Third, there are questions of liability, ranging from directors’ duties and whether they’ve been negligent, to acting on ASD advice that then has an adverse effect on the company. As PJCIS chair Senator James Paterson noted, some submitters to the inquiry have said the protection from liability offered in the Bill may not be sufficient.

    Pezzullo said this review of critical infrastructure law shouldn’t be seen as a standalone action. There’s work being done as part of the 2020 Cyber Security Strategy “that goes precisely to the question of corporations law, directors duties, [and] better practice regulation in this field”. “In fairness to the executive management teams that are grappling with this, things like insurance products, the actuarial costing and pricing of the risk, the depth of the reinsurance pool, the case law, is not particularly well formed,” Pezzullo said. “We really are in the early days of flight. It’s just that the adversaries learned how to fly and they got better planes at the moment than most firms.”

    Disrupting the Cyber Pirates of the Caribbean

    On the broader question of dealing with malicious actors online, Pezzullo said governments needed to go on the offensive. Police and intelligence agencies, sometimes with the assistance of military cyber forces, are striking at these actors in the “havens”, but some are beyond reach. “Regrettably states — some states — either turn a blind eye to their activities, or actively enable and sponsor them. Regrettably, state protection emboldens these malicious actors,” he said.

    One model to tackle this challenge might be the global counterterrorism model put in place after 9/11 to deal with al Qaida, but Pezzullo proposed something quite different. “Another model that I would suggest to this committee that is worth reflecting on, as you consider this bill and consider your report, is the campaign that was mounted in the 17th, 18th, and then in the beginning of the 19th century, to clear the world’s oceans of pirates, including the pirates of the Caribbean, who were defeated by Her Majesty’s warships of the Royal Navy, in concert with bringing law to a lawless ocean,” he said. “This is a problem with which we can deal, just as Britain overcame piracy. But we need the tools to do so, including the requisite legal authorities.”

  • Stripe launches Stripe Identity, an identity verification tool for online businesses

    Stripe on Monday announced the launch of Stripe Identity, an identity verification system for online businesses. The self-service tool is designed to let businesses deploy a verification flow fully hosted by Stripe as a means of reducing fraud, preventing account takeovers and stopping bad actors.

    “Businesses have been asking us for an easy and fast way to verify identities online. Stripe Identity offers them just that,” said Rob Daly, head of engineering for Stripe Identity. “Now, any internet business — from a five-person startup to a multinational enterprise — can begin securely verifying the identities of their users in a matter of minutes, not weeks or months.”

    Stripe Identity can be integrated via either a low-code or a no-code option. The low-code integration is hosted by Stripe and lets businesses get up and running with verification in minutes, Stripe said. The no-code option lets fraud and risk teams generate verification links to assess suspicious transactions or high-risk users.

    As part of the verification process, users take a photo of their government ID and a live selfie, which Stripe’s machine learning then matches to the ID. Businesses can also request that users provide additional information to be checked against third-party records. The information collected is encrypted and sent directly to Stripe, so no sensitive personal information is stored on a business’s own servers. The entire verification process for an individual user can be completed in 15 seconds, Stripe said.

    The launch of Stripe Identity comes a week after the company rolled out Stripe Tax, a compliance tool that automates the calculation and collection of sales tax, value-added tax (VAT), and goods and services tax (GST), and produces reports that make it easier for businesses to file taxes.

  • This data and password-stealing malware is spreading in an unusual way

    Attackers behind the malware known as SolarMarker are using PDF documents filled with search engine optimization (SEO) keywords to boost their visibility on search engines in order to lead potential victims to malware on a malicious site that poses as Google Drive. 

    According to Microsoft, SolarMarker is a backdoor that steals data and credentials from browsers. SEO poisoning is an old technique that abuses search engine ranking to spread malware. In this case, the attackers are using thousands of PDFs stuffed with keywords and links that redirect the unwary across multiple sites towards one that installs the malware. “The attack works by using PDF documents designed to rank on search results. To achieve this, attackers padded these documents with >10 pages of keywords on a wide range of topics, from “insurance form” and “acceptance of contract” to “how to join in SQL” and “math answers”,” said Microsoft Security Intelligence in a tweet.

    CrowdStrike raised an alarm about SolarMarker in February for using the same SEO poisoning tactics. The malware predominantly targeted users in North America. At that time the attackers were hosting lure pages on Google Sites that promoted document downloads and often ranked highly in search results. Microsoft researchers found the attackers have since started using Amazon Web Services (AWS) and Strikingly’s service as well as Google Sites.

    “When opened, the PDFs prompt users to download a .doc file or a .pdf version of their desired info. Users who click the links are redirected through 5 to 7 sites with TLDs like .site, .tk, and .ga,” Microsoft said. “After multiple redirections, users reach an attacker-controlled site, which imitates Google Drive, and are asked to download the file.” This typically leads to the SolarMarker/Jupyter malware, but Microsoft has also seen random files being downloaded as part of an apparent method to dodge detection. Once installed, SolarMarker exfiltrates stolen data to a command-and-control server and persists by creating shortcuts in the Startup folder and modifying shortcuts on the desktop.

    “Microsoft 365 Defender data shows that the SEO poisoning technique is effective, given that Microsoft Defender Antivirus has detected and blocked thousands of these PDF documents in numerous environments,” Microsoft said.

  • Ransomware is the top cybersecurity threat we face, warns cyber chief

    Ransomware is one of the key cybersecurity threats facing the UK, and the cyber criminal groups behind it are becoming more dangerous, the UK’s cyber chief is to warn.

    Lindy Cameron, the head of the National Cyber Security Centre (NCSC), the cyber security arm of spy agency GCHQ, will say that the organisation is committed to tackling the threat of ransomware and “supports victims of ransomware every day”, but that a coordinated response is required to combat the growing threat.

    While state-sponsored hacking campaigns pose a “malicious strategic threat to the UK’s national interests”, it is cyber crime, and ransomware in particular, that has become the biggest threat. “For the vast majority of UK citizens and businesses, and indeed for the vast majority of critical national infrastructure providers and government service providers, the primary key threat is not state actors but cyber criminals,” Cameron is due to say in a speech to the Royal United Services Institute (RUSI) defence and security think tank.

    Recent ransomware attacks against Colonial Pipeline and meat processor JBS, as well as the attack on the Irish healthcare service, have demonstrated how disruptive these criminal campaigns can be to critical services. Meanwhile, UK organisations including businesses, government agencies, schools and universities have all fallen victim to ransomware this year.

    Not only are ransomware groups encrypting networks and demanding a significant payment in exchange for the decryption key; it is now common for them to also steal sensitive information and threaten to release it unless a ransom is paid, often leaving victims feeling they have no choice but to give in to the extortion demands. “As the business model has become more and more successful, with these groups securing significant ransom payments from large profitable businesses who cannot afford to lose their data to encryption or to suffer the down time while their services are offline, the market for ransomware has become increasingly professional,” Cameron will say.

    Ransomware is successful because it works; in many cases because organisations still don’t have the appropriate cyber defences in place to prevent criminals infiltrating their network in the first place, in what the NCSC CEO described as “the cumulative effect of a failure to manage cyber risk and the failure to take the threat of cyber criminality seriously”.

    Another reason it has become such a problem, particularly for the West, is that many of the most successful ransomware groups operate out of what Cameron described as “overseas jurisdictions who turn a blind eye or otherwise fail to act to pursue these groups”. Russia in particular is thought to be home to a number of ransomware groups, but its government doesn’t act on their activity because they aren’t harming Russian businesses or citizens. “These criminals don’t exist in a vacuum. They are often enabled and facilitated by states acting with impunity,” she said.

    However, Cameron will say it is possible to fight the blight of ransomware by combining the efforts of cybersecurity experts and government with wider international cooperation. “In some respects, our response to ransomware is straightforward: we need to continue to build the UK’s cyber resilience so that attacks cannot reach their targets in the first place,” she said. “But in many other respects it requires a whole of government response. This starts with the efforts to prevent the activities of the groups behind these damaging attacks.” Ransomware is not a problem for the UK alone, and Cameron will stress the importance of working with other countries to tackle what is truly an international problem.

  • Ransomware: Russia told to tackle cyber criminals operating from within its borders

    The United States and other G7 countries have warned countries that allow ransomware groups to operate from within their borders, and don’t make any efforts to deter their actions, that they will be held accountable for their lack of action. The warning comes as the leaders of the G7 group of countries have jointly announced a commitment to fight what they described as the global challenge of ransomware.

    The declaration, made by Canada, France, Germany, Italy, Japan, the United Kingdom and the United States at the G7 Summit in Cornwall, England, follows a string of high-profile ransomware attacks. Organisations that have had their networks encrypted by ransomware in recent weeks include Colonial Pipeline and meat processor JBS. Colonial paid cyber criminals over $4 million in Bitcoin in exchange for the decryption key for DarkSide ransomware, while JBS paid $11 million after having its network encrypted with REvil ransomware.

    Such is the extent of the problem that US President Joe Biden and the other G7 leaders have vowed to combine forces to combat ransomware attacks. “We’ve agreed that we’re going to work together to address cyber threats from state and non-state actors like criminal ransomware networks, and hold countries accountable that harbor criminal ransomware actors who don’t hold them accountable,” said President Biden.

    A joint statement published following the G7 Summit specifically calls on Russia to do more to stop cyberattacks and to “identify, disrupt, and hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other cyber crimes”. Many of the most notorious ransomware gangs are suspected to operate out of Russia, and the consensus among cybersecurity experts is that Russian cyber criminals are allowed to conduct their operations so long as they don’t target Russians.

    The G7 countries have also vowed to ensure that organisations, particularly those operating critical infrastructure, are secured against threats like ransomware. “The international community—both governments and private sector actors—must work together to ensure that critical infrastructure is resilient against this threat, that malicious cyber activity is investigated and prosecuted, that we bolster our collective cyber defenses, and that States address the criminal activity taking place within their borders,” said a White House statement. “The United States and our G7 partners are committed to working together to urgently address the escalating shared threat from criminal ransomware networks,” the statement added.

  • Dentist charged by SEC for digital token project fraud, pump-and-dump AI stock scheme

    The US Securities and Exchange Commission (SEC) has charged a Florida resident for his alleged role in three separate securities fraud schemes.

    Edgar Radjabli, a former dentist, controlled Apis Capital Management LLC, marketed as an investment advisory firm that the SEC says was unregistered. Through this company, Radjabli was managing partner of the Apis Token offering, billed as the “first tokenized hedge fund” and built on the Stellar platform. Apis Tokens were touted as a way for investors to access the ACM Market Neutral Volatility Strategy fund by converting cryptocurrency, including Bitcoin (BTC) and Ethereum (ETH), into Apis Tokens and stakes in the fund. “The offering model of the Apis Token is different from a traditional ICO, as it allows investors to subscribe throughout the month, with the funds collected deployed at month’s end and the tokens simultaneously issued to investors,” the company claimed. In June 2018, Apis Capital said that $1.7 million had been raised and was “allocated to the strategy.” The SEC says that no money at all had been secured.

    By November, the organization said it intended to buy the blockchain AI division of White Company, and in December Apis Capital claimed that the firm’s investment arm, Apis Ventures, was planning to buy Veritone for $200 million. The claimed deal placed Veritone shares at $10.26 per share, a 93% premium over the closing price on December 7, 2018. “We are committed to completing this transaction and remain willing to work cooperatively with Veritone,” Radjabli said in a press release at the time. “Our vision for the company involves significant synergy with our growing portfolio of AI and machine learning investments, opening up new opportunities for Veritone’s technology.” Veritone is a publicly traded developer of operating systems for artificial intelligence (AI) solutions.

    According to US regulators, “in truth, Radjabli and Apis Capital lacked the financing or any reasonable prospect of obtaining the financing necessary to complete the deal.” Instead, the announcement of a 93% premium stoked investor interest and the shares surged, and Radjabli allegedly pocketed $162,800 in profit by trading Veritone stock through Apis Capital and an affiliated fund.

    The fraudulent fund claim and the pump-and-dump scheme were joined by a third alleged scam, in which the ex-dentist raised close to $20 million from over 450 investors in an unregistered, fraudulent securities offering. The SEC says that Radjabli launched the offering through My Loan Doctor and told investors that the cash raised would be used to acquire loans made to healthcare professionals and sell them on to large investors. Instead, the bulk of the funds were allegedly placed in uninsured and unsecured loans, and close to $1.8 million was sent to Apis Capital.

    Radjabli, Apis Capital, and Loan Doctor have been charged with violating the antifraud provisions of the federal securities laws. A settlement has been agreed, subject to court approval, under which Radjabli and the two entities would pay a combined $600,000. Conduct-based injunctions would also be put in place, and Radjabli would be barred from penny stocks and from the securities industry as a whole.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Volkswagen, Audi disclose data breach impacting over 3.3 million customers, interested buyers

    Volkswagen has revealed a data breach impacting over 3.3 million customers.

    The majority of impacted individuals are current or prospective buyers of Audi vehicles. About 163,000 of them are in Canada; the rest are in the United States. On Friday, the automaker said that a compilation of data used for sales and marketing purposes between 2014 and 2019 was left unsecured and exposed online “at some point” between August 2019 and May 2021, although the exact timeline has not been established. An associate vendor has been identified as the source of the breach, but the company has not been named. On March 10, Audi and Volkswagen were alerted that “an unauthorized third party” may have accessed this information.

    Volkswagen says that first and last names, personal and/or business mailing addresses, email addresses, and phone numbers may have been exposed, alongside information concerning “vehicle[s] purchased, leased, or inquired about,” such as vehicle ID numbers, makes, models, years, and colors. Volkswagen has informed relevant authorities and law enforcement of the breach.

    Reuters reports that regulators have been told the majority of records relate only to phone numbers and email addresses; however, roughly 90,000 Audi customers and potential buyers in the US may have had purchase and lease eligibility data compromised, such as driving license numbers, dates of birth, Social Security numbers, account or loan numbers, and tax identification numbers. Individuals whose sensitive data was exposed will be offered free credit monitoring through an enrollment code. The company says that anyone notified but not offered a code did not have information deemed sensitive compromised, and should stay alert for phishing emails or spam built on the basic data that leaked.

    Emails or letters may also be sent to people involved in the incident who were not direct customers or prospective buyers. “In a limited number of cases, an Audi or Volkswagen customer or interested buyer provided names and contact information for a relative or personal reference to an authorized dealer for purposes of seeking financing of some kind,” notification partner IDX says.

    Volkswagen says that external cybersecurity experts have been brought in to investigate. “Audi and Volkswagen are working with third-party cybersecurity experts to assess and respond to this situation and have taken steps to address the matter with the vendor involved,” the firms say. IDX has set up a help hub for those who believe they have been impacted by the breach.

  • Codecov to retire the Bash script responsible for supply chain attack wave

    Codecov has introduced a new uploader, written in Node.js, to replace and remove the Bash script responsible for a recent supply chain attack.

    The San Francisco-based DevOps tool provider said in a blog post that the new uploader will ship as a static binary suitable for Windows, Linux, Alpine Linux, and macOS. Used in the same manner as the existing Bash uploader, it pushes code coverage reports from a project’s CI runs to Codecov. The uploader is currently in beta and not yet fully integrated, but Codecov says that “most standard workflows that are currently accomplished with the Bash Uploader can be accomplished with the new uploader.”

    Codecov’s Bash uploader was the source of a string of supply chain attacks that began around January 31, 2021 and were made public on April 15. By infiltrating Codecov’s network and tampering with the Bash uploader script that customers fetched and executed in their pipelines, the threat actors turned a tool meant to report on code health into one that stole information stored in customers’ continuous integration (CI) environments. According to investigators brought in after the breach was made public, the stolen material included credentials, which may have allowed the attackers to “raid additional resources” and, in some cases, compromise wider networks. Hundreds of organizations are thought to have been embroiled in the incident. Known victims include Rapid7, Monday.com, Mercari, and Twilio.

    Codecov’s other Bash-based uploaders, the Codecov GitHub Action, the CircleCI Orb, and the Bitrise Step, were all impacted. The company says that with the introduction of the new uploader, all other language-specific uploaders will be deprecated, with “special attention” paid to the Bash uploader at fault.

    Codecov has been working on the Node.js uploader for eight months, originally to reduce the growing complexity of maintaining uploads as its customer base increased. Now that the Bash script is tied to a severe security incident, the upgrade has become an urgent necessity. “The distribution mechanism of choice (i.e., curl pipe to bash) while incredibly convenient, is notoriously problematic from a security perspective,” Codecov said. “The weaknesses of the curl | bash approach came to the forefront during [the] recent security event.” Piping a freshly downloaded script straight into a shell executes whatever the server happens to serve at that moment, with no opportunity to inspect it or compare it against a known-good version, which is how an altered script can run in many pipelines before anyone notices.

    The new uploader is now available for public use in beta and includes a more secure, verifiable distribution architecture, protections against unauthorized code modification, and an improved CI/CD pipeline for automated testing of the uploader on Windows, Linux, and macOS. Codecov hopes to deprecate the Bash uploader from November, with a full sunset planned for after February 1, 2022. The organization has also outlined other security improvements in the wake of the attacks.
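    The hardened alternative to `curl | bash` that the passage alludes to, as an added example that is not Codecov’s own code or its new uploader: download to a temporary file, compare its SHA-256 against a digest pinned independently of the download (committed to the repository or held as a CI secret), and only then mark it executable and run it. The URL `https://example.invalid/uploader`, the destination path and the digest are placeholders supplied by the caller; the functions themselves use only POSIX shell plus `curl` and `sha256sum`/`shasum`.

```shell
#!/bin/sh
# Added example: "download -> verify pinned SHA-256 -> execute" in place of
# "curl -s https://host/uploader | bash". Not Codecov's code; the URL, digest
# and destination below are placeholders supplied by the caller.

# Insecure pattern this replaces (shown for contrast, never run here):
#   curl -s https://example.invalid/uploader | bash
# Whatever the server returns at that instant runs with the CI job's secrets.

# sha256_of FILE: print the hex digest using GNU coreutils or BSD/macOS shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_pinned FILE EXPECTED: succeed only if FILE hashes to EXPECTED.
# EXPECTED must arrive by a trust path independent of the download (pinned in
# the repo or a CI secret); a checksum fetched from the same server proves
# nothing, since whoever altered the script can alter the checksum too.
verify_pinned() {
  _expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper/lower hex
  _actual=$(sha256_of "$1") || return 1
  [ "$_actual" = "$_expected" ]
}

# fetch_verified URL EXPECTED DEST: download to a temp file, verify, then move
# into place. Nothing is executed before the digest check passes; on any
# failure the temp file is removed and a non-zero status is returned so the
# CI job fails closed instead of running unknown code.
fetch_verified() {
  _tmp=$(mktemp) || return 1
  if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$_tmp" "$1"; then
    rm -f "$_tmp"; return 1
  fi
  if ! verify_pinned "$_tmp" "$2"; then
    echo "SHA-256 mismatch for $1; refusing to install" >&2
    rm -f "$_tmp"; return 1
  fi
  chmod 0755 "$_tmp" && mv "$_tmp" "$3"
}

# Typical CI step (placeholders). UPLOADER_SHA256 is pinned next to this
# script in the repository, not downloaded alongside the artifact:
#   fetch_verified "https://example.invalid/uploader" "$UPLOADER_SHA256" ./uploader \
#     && ./uploader
```

    The `--proto '=https'` and `--tlsv1.2` flags refuse plain-HTTP redirects and old TLS, and `-f` makes `curl` fail on HTTP errors rather than saving an error page that would then fail the hash check with a confusing message. Updating the uploader becomes a reviewed commit that changes the pinned digest, which is exactly the inspection step that `curl | bash` skips.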