More stories

  • Discord servers targeted in cryptocurrency exchange scam wave

    Those of us riding the Bitcoin (BTC) wave have watched interest in the cryptocurrency climb, especially now that the price of a single coin has passed $37,000. 

    Bitcoin, Ethereum (ETH), and now Dogecoin (DOGE) — thanks to a few tweets by Elon Musk — have all come onto the radar of would-be traders, but as with every investment, scam artists are seeking means to cash in. 
    Cryptocurrency is certainly not immune to scams or other threats. Cryptocurrency exchanges hit with cyberattacks can end up losing trader funds; exit scams still occur, and regulators are constantly battling fraud. 
    We’re unlikely to see any end of crypto-related scams anytime soon, and in a new warning posted by Kaspersky, a new scheme is now targeting users of Discord. 
    Discord is a messaging and voice chat service that caters to an estimated 300 million users, having branched out from a gamer-heavy community to general use for clubs and for friends to stay in touch. 
    According to Kaspersky researcher Mikhail Sytnik, scam artists are now entering Discord servers and are sending private messages to users that appear to be from new, up-and-coming cryptocurrency exchanges. 
    Posing as new projects that want to “support traders in difficult times,” these ‘exchanges’ try to attract users with promises of free cryptocurrency. And, of course, the recipient is the lucky one chosen for free BTC or ETH. 

    Naturally, such a scam doesn’t try to attract users with a paltry offering; instead, thousands of dollars’ worth of cryptocurrency is supposedly on offer. Lucky you.
    Each message contains instructions and a code for accepting the “gift,” Kaspersky notes, as well as a link to register on the fake exchange. 
    “The link opens a site that looks like a cryptocurrency exchange, with an adaptive layout, savvy design, and the exchange rate info, charts, order books, and trading history that cryptocurrency traders would expect to see on a trading platform,” the researchers say. “Visitors will also find technical support and several language options. Someone clearly went to a lot of trouble to make the site look legit.”
    As cryptocurrency wallets are now a top target for threat actors, the websites also advertise “two-factor authentication” and “phishing protection” options to appear legitimate. 
    Victims going through the registration process are then lured to provide a substantial personal profile, including contact details, photo ID, a selfie, and a signature.
    While such know-your-customer checks are now common on legitimate cryptocurrency exchanges, the collected information can be packaged up and sold to other cybercriminals, or used directly for identity theft. 
    In the final step of this particular scheme, once the prize ‘code’ is submitted and accepted, the scammers require a small “top-up” in either BTC, ETH, or USD to process the gift. Should a victim hand over their cash, of course, it’s gone for good. 
    Fake exchanges are only one attack vector used by scam artists in the cryptocurrency sector — Initial Coin Offerings (ICOs), too, are constantly abused. 
    In January, a resident of San Francisco was jailed for six months after defrauding investors of cryptocurrency worth an estimated $20 million by pretending to be an ICO consultant. He has been ordered to pay $4.4 million in restitution. 
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Security firm Stormshield discloses data breach, theft of source code

    Image: Stormshield, ZDNet, Bophomet Zhang
    French cyber-security firm Stormshield, a major provider of security services and network security devices to the French government, said today that a threat actor gained access to one of its customer support portals and stole information on some of its clients.

    The company is also reporting that attackers managed to steal parts of the source code for the Stormshield Network Security (SNS) firewall, a product certified to be used in sensitive French government networks, as part of the intrusion.
    The company said it’s investigating the incident with French cyber-security agency ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information), which is currently assessing the breach’s impact on government systems.
    “As of today, the in-depth analysis carried out with the support of the relevant authorities has not identified any evidence of illegitimate modification in the code, nor have any of the Stormshield products in operation been compromised,” Stormshield said in a message posted earlier today on its website.
    The Stormshield incident is currently being treated as a major security breach inside the French government. In its own press release, ANSSI officials said they’ve put Stormshield SNS and SNI products “under observation” for the duration of the investigation.
    In addition to reviewing the SNS source code, Stormshield said it took further steps to head off other forms of attack, in case the intruders had reached other parts of its infrastructure.
    The French company said it replaced the digital certificate it had used before the incident to sign SNS software updates. A signing certificate that may have been exposed would otherwise let an attacker ship updates that customers’ firewalls accept as genuine, so rotating it and re-signing the update channel is the step that actually closes that door.

    “New updates have been made available to customers and partners so that their products can work with this new certificate,” the company said.
    Intruders also accessed some customer data
    Furthermore, the firm said it reset all passwords for its tech support portal, which the attackers breached, and also for the Stormshield Institute portal used for customer training courses. The training portal was not breached, but the company reset its passwords as a preventive measure.
    Based on the results of its current investigation, Stormshield said the intruders appeared to have also accessed personal and technical data for some of its customers.
    “All the support tickets and technical exchanges in the accounts concerned have been reviewed and the results have been communicated to the customers,” Stormshield said.
    A Stormshield spokesperson told ZDNet that about 2% of accounts were affected in the security breach, which is “around 200 accounts out of more than 10,000.”
    Stormshield, a fully-owned subsidiary of Airbus CyberSecurity, told ZDNet it could not yet say whether the attack was conducted by a nation-state group at this point in the investigation.
    Article updated at 13:15 ET with comment from Stormshield.

  • Cisco’s AppDynamics debuts app performance, vulnerability management software

    Cisco’s AppDynamics has launched a new solution for tackling security and exploit management while preserving application performance.

    AppDynamics, the tech giant’s application performance management (APM) arm, now offers Cisco Secure Application, software built natively into the AppDynamics platform.
    On Thursday, Cisco said that the “AppDynamics with Cisco Secure Application” will “drastically simplify vulnerability management, defend against attacks, and protect applications.”
    While APM solutions usually focus on scrutinizing the performance of applications, the new offering has been designed to bring cybersecurity into the mix. 
    As businesses settle into extended working-from-home models that look set to continue for the foreseeable future, the shift from BYOD alone to fully remote working has, for some organizations, widened their potential attack surface and put pressure on existing data management practices. 
    With enterprise operations now spread across on-premise, hybrid, and cloud systems, Cisco says that data is being shifted from pillar to post, and when combined with remote laptops and devices, this situation is “testing the limits of monitoring practices and vastly expanding the IT perimeter, creating new weaknesses and vulnerabilities in even the most secure IT estates.”
    As a result, some corporations may be choosing to sacrifice either security or performance. However, it is hoped that the new software introduced by the company will take some of the load off IT teams. 

    Secure Application includes automatic runtime protection, detection and blocking of deviations from normal application behavior, simplified vulnerability management at the code level — including detection of bugs in dependencies and configuration — and threat data correlated with an app’s infrastructure and its likely business impact.
    “With applications now running anywhere from on-premise to multi-cloud and cloud-native microservices, combined with accelerated innovation, the need for an application-led approach to security is paramount,” Cisco says. “This critical shift will enable technologists to identify vulnerabilities within the application during production, correlate vulnerabilities and breaches with business impact, and bring together application and security teams to facilitate speedy remediation.”
    AppDynamics with Cisco Secure Application is now accessible through early availability programs. 
    AppDynamics was acquired by Cisco in 2017 for $3.7 billion. In related news, in December, Cisco purchased Dashbase to leverage the software startup’s log and events analytics technology and improve AppDynamics’ observability platform. 

  • This old form of ransomware has returned with new tricks and new targets

    A form of ransomware that was once the most popular choice among cyber criminals has made a comeback and is being used to target healthcare.
    Back in 2017, Cerber was the most dominant family of ransomware, at one point accounting for 90% of all ransomware attacks targeting Windows systems.

    What helped make it so prolific was its ‘as-a-service’ model, whereby Cerber’s authors allowed other cyber criminals to use their code – complete with an easy-to-use service portal – in exchange for a percentage of any bitcoin made in ransom payments.
    Typically, ransoms only amounted to a few hundred dollars – minuscule compared to today’s ransomware attacks demanding hundreds of thousands or millions of dollars in exchange for a decryption key – but the potency of Cerber led to a lot of victims giving in to ransom demands, providing a profitable business model for both Cerber authors and affiliates.
    By 2018, it looked as if Cerber had disappeared, replaced by other forms of ransomware as cyber-criminal business models changed and attackers went after whole enterprise networks and started demanding much higher sums for decryption keys.
    But Cerber is back: researchers at security company VMware Carbon Black identified it as the most common ransomware targeting healthcare during 2020.

    Analysis of 239 million attempted cyberattacks targeting Carbon Black customers in healthcare found Cerber to be the most common form of ransomware, accounting for 58% of ransomware attacks attempting to target the sector.
    Cerber might be one of the older forms of ransomware, but the prolific way it’s being distributed by phishing emails and compromised websites suggests that it’s still effective.
    “Although old malware variants such as Cerber tend to resurface, these are often re-factored to include new tricks, though at the core are still leveraging tried and true techniques,” said Greg Foss, senior cybersecurity strategist at VMware Carbon Black.
    “All it takes is a quick search on the dark web for someone to license out a ransomware payload to infect targets. Today, it’s unfortunately just as easy to sign up for a grocery delivery service as it is to subscribe to ransomware,” he added.
    Some of the other most prolific ransomware attacks targeting healthcare include Sodinokibi, VBCrypt, Cryos and VBKrypt.
    Hospitals are, unfortunately, a regular target for cyber criminals distributing ransomware because healthcare relies on systems being accessible in order to provide patient care.
    This sometimes leads to hospitals quickly opting to pay a ransom demand, because it’s seen as the best way to avoid compromising the health of patients – and increasingly, stopping cyber criminals from publishing stolen data, which in healthcare can be highly sensitive.
    For cyber criminals, healthcare also makes an appealing target because the 24/7 nature of the sector means that it can be difficult to take parts of the network offline in order to install the relevant patches and security updates to protect against cyberattacks exploiting known vulnerabilities.
    However, it’s crucial that healthcare organizations find a way to apply these patches. Not only do patches help stop the hospital from falling victim in the first place; taking part of the network offline in a planned window to apply updates is far less painful than having the whole hospital network taken offline by a ransomware attack.

  • Open source: Google wants new rules for developers working on 'critical' projects

    The new practices would require project maintainers to be identifiable, accountable, and authenticated.
    Image: Getty Images/iStockphoto
    Open-source software should be more secure than closed source, but only if people are actually inspecting it, and that is not an easy job, Google argues. 
    But to ensure future software supply chain attacks don’t involve key open-source software projects, some of Google’s top engineers have proposed new ‘norms’ that might cause problems with open-source contributors – if their project is considered “critical”. 


    If the industry as a whole can decide that a particular project is “critical”, Google has suggested new practices that would require project owners and maintainers to be identifiable, accountable, and authenticated. That would mean no more changes to code at will, and subjecting changes to third-party review.  
    Google acknowledges its suggestions for critical open-source software are more “onerous” on project owners, and so it is expecting resistance to its recommendations. 
    Rob Pike, a key designer of Google’s Go programming language, and Eric Brewer, VP Infrastructure and Google Fellow, argue in a new blogpost that the industry should agree to “define collectively the set of “critical” software packages, and apply these higher standards only to this set.” 
    Google admits “we are but one voice in a space where consensus and sustainable solutions matter most of all.” But it’s a powerful voice in tech, and the company has outlined its suggestions for attaining these goals in the blogpost. 

    The objectives for critical open-source software include:
    No unilateral changes to code. Changes would require code review and approval by two independent parties
    Authenticate participants. This means owners and maintainers cannot be anonymous; contributors are required to use strong authentication (eg 2FA)
    There need to be notifications for changes in risk to the software
    Enabling transparency for software artifacts
    Create ways to trust the build process  
    “The [goals are] more onerous and therefore will meet some resistance, but we believe the extra constraints are fundamental for security,” the engineers explain. 
    The first set of goals Google wants the industry to consider for all open-source software are less contentious, but would still require more work and address issues that even Google finds challenging.   
    The first three key objectives overall for all open-source software include:
    Know about the vulnerabilities in your software
    Prevent the addition of new vulnerabilities, and
    Fix or remove vulnerabilities.
    The recent supply chain attacks involving SolarWinds and others that led to the compromise of thousands of organizations involved closed source or proprietary software. 
    While open source doesn’t suffer from ‘security through obscurity’, it doesn’t follow that open source is actually free of vulnerabilities.
    “Open-source software should be less risky on the security front, as all of the code and dependencies are in the open and available for inspection and verification. And while that is generally true, it assumes people are actually looking,” they write. 
    Open-source software projects, particularly Java and JavaScript/Node.js, rely on thousands of direct and indirect dependencies, making them tough to explore for vulnerabilities.  
    The Google engineers note that it is “impractical to monitor them all” and, they add, many open-source packages are not well maintained.
    “Open source likely makes more use of dependencies than closed source, and from a wider range of suppliers; the number of distinct entities that need to be trusted can be very high,” they write. 
    “This makes it extremely difficult to understand how open source is used in products and what vulnerabilities might be relevant. There is also no assurance that what is built matches the source code.”
    To address supply chain attacks, the industry needs to focus on addressing the “majority of vulnerabilities” because attackers frequently pursue known vulnerabilities rather than finding their own. 
    The problem for organizations using open source is that few verify all the packages they’re using. Even Google finds this task difficult. 
    “Tracking these packages takes a non-trivial amount of infrastructure, and significant manual effort.
    “At Google, we have those resources and go to extraordinary lengths to manage the open-source packages we use—including keeping a private repo of all open-source packages we use internally—and it is still challenging to track all of the updates. The sheer flow of updates is daunting.”
    Google sees automation as a way forward to address the torrent of updates to open-source packages.

  • LockBit ransomware operator: ‘For a cybercriminal, the best country is Russia’

    A LockBit ransomware controller has given researchers a glimpse into lone-wolf operations and the reasons why he chose to go down a criminal route. 

    In an interview this week with the Cisco Talos cybersecurity team (PDF), an operator of LockBit explained his modus operandi, his preferred targets, his tool use, and why it is difficult to become a white-hat specialist in his presumed country of residence, Russia. 
    Ransomware has become a serious threat to the enterprise in recent years. While ransomware can cause personal devastation to individuals who suddenly find themselves locked out of their PCs and with little recourse to recovering their files unless they pay a ransom demand in return for a decryption key — usually required in cryptocurrency such as Bitcoin (BTC) — businesses face consequences that can be far worse. 
    Once a ransomware variant has infiltrated a corporate network and has finished its encryption spree, victims are faced with disruption and may be forced to suspend core services. If backups are not readily available, cybercriminals can potentially demand thousands and thousands of dollars, on pain of either keeping resources encrypted or potentially leaking sensitive corporate data. 
    According to Coveware, the average payout decreased in Q4 2020 to $154,108 in comparison to $233,817 in the third quarter. However, as long as organizations give in and pay up, the ransomware market will remain lucrative. 
    During Cisco Talos’ interview with the LockBit operator, referred to as “Aleks” and thought to be located in the Siberian region of Russia, he claimed to be self-taught in skills including penetration testing, network security, and reconnaissance. 
    Aleks, believed to be in his early 30s, secured a job with an IT company while finishing a university degree, but demonstrated “a general sense of disappointment, at times even resentment, for not being properly appreciated within the Russian cyber industry,” Talos says. 

    “His frustration was evident during our conversations, with him disparaging several well-known Russian cybersecurity companies,” the interview reads. “He also remarked that, “In the West, I would probably work in white [hat security] and earn easily…” suggesting that his perceived underappreciation and low wages drove him to participate in unethical and criminal behavior.”
    Several examples of such “underappreciation” were noted, including being rebuffed when he reported security issues in websites, including a Russian social network. His “well-intentioned efforts were ignored,” Aleks claimed, which further drove him down a cybercriminal path. 
    However, even if your country does not appreciate legitimate researchers, there is still the option of participating in bug bounties — and there is a demand globally for assistance in securing online assets. 
    The LockBit operator appears to be disillusioned with this industry, telling Talos that companies are doing their best to forgo paying bug bounty hunters for their findings. 
    “This stands completely at odds with our professional observations from the security community,” the researchers noted. “It may be the case that Aleks chooses to view vulnerability programs through this lens to account for his own decision to not participate in them or because he has heard inaccurate stories from other threat actors.”
    His motives for becoming a ransomware operator, however, do not seem to be purely financial. During the interview, Aleks said that while ransomware is profitable, he also wanted to “teach” companies the “consequence of not properly securing their data.”
    Aleks also said that “for a cybercriminal, the best country is Russia,” and victim organizations in the United States and Europe “will pay quicker and more” than targets in post-Soviet states. 
    The threat actor claimed that when it comes to organizations with cyberinsurance, a payout is “all but guaranteed,” and in Europe, companies are also under more pressure to pay as they are “scared” of the consequences of violating the EU’s GDPR data protection regulations.
    “It is not unusual for criminals to view their own actions as justifiable after the fact even if there was no real moral ambiguity to the crime,” Cisco Talos concluded. “In this case, the lack of jobs that meet his satisfaction, appears to be the introductory course to cybercrime. His feelings of underappreciation, resentment, and economic incentive are common motivators of illicit cyber activity, and his story, as portrayed to us, illustrates how one could be driven toward cybercrime.”


  • Digital Defense acquired to bolster HelpSystems’ security assessment portfolio

    Digital Defense has been acquired by HelpSystems in a bid to improve the firm’s vulnerability management and penetration testing services. 

    On Wednesday, HelpSystems said the purchase of Digital Defense will assist “threat-weary” IT teams by providing additional tools and services to improve infrastructure security and risk assessment capabilities. 
    The financial terms of the deal were not disclosed. 
    Founded in 1999, San Antonio, Texas-based Digital Defense is a cybersecurity firm that provides a Software-as-a-service (SaaS) platform to enterprise clients. The platform includes vulnerability scanning, network asset analysis, and risk score generation to help IT teams focus remediation efforts. 
    According to HelpSystems, the SaaS solutions will be integrated into the firm’s existing portfolio “to give organizations end-to-end infrastructure protection.”
    The purchase builds upon the acquisition of Core Security assets from SecureAuth in 2019 and Cobalt Strike, a penetration testing company, in 2020. Digital Defense will be joining these groups, combining identity management, pen testing, threat detection, vulnerability scanning, and risk assessment. 
    “The addition of Digital Defense offers threat-weary IT teams the capabilities they need to increase infrastructure security on two fronts: via leading-edge vulnerability management technology as well as seasoned pen testing resources to broaden our existing expertise,” commented Kate Bolseth, HelpSystems chief executive.

    In other cybersecurity acquisition news this month, Rapid7 purchased Kubernetes security technology provider Alcide for approximately $50 million. 

  • Android devices ensnared in DDoS botnet

    Netlab, the networking security division of Chinese security firm Qihoo 360, said it discovered this week a new fledgling malware operation that is currently infecting Android devices for the purpose of assembling a DDoS botnet.
    Named Matryosh, the botnet goes after Android devices on which vendors have left the Android Debug Bridge (ADB), a diagnostics and debugging interface, enabled and exposed to the internet.
    ADB over TCP listens on port 5555, and this interface has been a known source of problems for years, not only on smartphones but also on smart TVs, set-top boxes, and other devices running the Android OS. The exposure that matters is a daemon that answers an ADB connection on that port without demanding key authentication: anyone who can reach it gets a shell on the device.
    Over the past few years, malware families such as ADB.Miner, Ares, IPStorm, Fbot, and Trinity have scanned the internet for Android devices with the ADB interface left active, connected to them, and downloaded and installed malicious payloads.
    According to a report published this week, Netlab said Matryosh is the latest in this long line of ADB-targeting botnets, but one that comes with its own twist.
    This twist comes from using the Tor network to hide its command and control servers, together with a multi-layered process for obtaining that server’s address — hence the botnet’s name, inspired by the classic Russian matryoshka dolls.

    Image: Netlab
    Netlab researchers, who are usually among the first to discover emerging botnets, said the botnet contains several clues suggesting it is the work of the same group that developed the Moobot botnet in 2019 and the LeetHozer botnet in 2020.

    Both botnets were essentially built and used for launching DDoS attacks, which also appears to be Matryosh’s primary function.
    The Netlab team says it found functions in the code for using infected devices to launch DDoS attacks over TCP, UDP, and ICMP.
    Very little that users can do
    As stated in previous articles about the “ADB issue,” there is very little that end users can do about it.
    Smartphone owners can turn off ADB (USB debugging) in the developer options, but most other Android-based devices offer no such setting. For those, the only workable mitigations are a vendor firmware update that disables the TCP listener, or keeping port 5555 unreachable from the internet behind a firewall or NAT.
    As a result, many systems will remain vulnerable and exposed for years to come, providing botnets like Matryosh with a solid mass of devices they can abuse for crypto-mining, DNS hijacking, or DDoS attacks.
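
    The exposure described above can be checked from a defender’s side with a short probe that speaks just enough of the ADB wire protocol to tell an open daemon from one that demands key authentication. This is an added example, not Netlab’s tooling or code from the article. It assumes the public ADB protocol framing (a 24-byte little-endian header of command, arg0, arg1, data_length, data_check and magic, where magic is the command XOR 0xFFFFFFFF and data_check is the byte sum of the payload) and the standard CNXN and AUTH message types; the host and port are whatever you point it at, and the sample reply bytes at the bottom are constructed, not captured from a real device. Only probe devices you own or are authorized to test.

```python
"""Probe for an exposed Android Debug Bridge (ADB) daemon on TCP 5555.

Added example, not code from Netlab or the original article. It implements
the public ADB wire protocol framing: a 24-byte little-endian header
(command, arg0, arg1, data_length, data_check, magic) followed by the
payload. magic is command ^ 0xFFFFFFFF; data_check is the byte sum of the
payload (not a CRC, despite the historical field name).
"""
import socket
import struct

HEADER = struct.Struct("<6I")          # 24-byte header, little-endian
A_CNXN = 0x4E584E43                    # b"CNXN" read as a little-endian uint32
A_AUTH = 0x48545541                    # b"AUTH"
A_VERSION = 0x01000000                 # protocol version announced by the client
MAX_PAYLOAD = 4096                     # maximum payload the client will accept
HOST_IDENTITY = b"host::\x00"          # how an adb client announces itself


def checksum(data: bytes) -> int:
    """ADB's data_check is a plain byte sum."""
    return sum(data) & 0xFFFFFFFF


def pack_message(command: int, arg0: int, arg1: int, data: bytes = b"") -> bytes:
    header = HEADER.pack(command, arg0, arg1, len(data), checksum(data),
                         command ^ 0xFFFFFFFF)
    return header + data


def build_cnxn() -> bytes:
    """The first packet an adb client sends to adbd."""
    return pack_message(A_CNXN, A_VERSION, MAX_PAYLOAD, HOST_IDENTITY)


def parse_message(buf: bytes) -> dict:
    """Validate framing, magic and checksum; reject anything that is not ADB."""
    if len(buf) < HEADER.size:
        raise ValueError("short header")
    command, arg0, arg1, length, check, magic = HEADER.unpack_from(buf)
    if magic != (command ^ 0xFFFFFFFF):
        raise ValueError("bad magic: not an ADB message")
    data = buf[HEADER.size:HEADER.size + length]
    if len(data) != length:
        raise ValueError("truncated payload")
    if check != checksum(data):
        raise ValueError("payload checksum mismatch")
    return {"command": command, "arg0": arg0, "arg1": arg1, "data": data}


def is_adb_message(buf: bytes) -> bool:
    try:
        parse_message(buf)
        return True
    except ValueError:
        return False


def parse_identity(data: bytes):
    """'device::ro.product.name=x;ro.product.model=y;...' -> (kind, props)."""
    text = data.rstrip(b"\x00").decode("ascii", "replace")
    kind, _, props = text.partition("::")
    fields = {}
    for item in props.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            fields[key] = value
    return kind, fields


def classify_reply(buf: bytes):
    """Return (status, props) for the first packet adbd sends back.

    open  : adbd answered our CNXN with a device banner and no key challenge,
            so anyone reaching the port gets an adb shell (the Matryosh case)
    auth  : adbd is reachable but sends an AUTH token, i.e. RSA key auth is on
    other : reachable and speaks ADB, but replied with something unexpected
    """
    msg = parse_message(buf)
    if msg["command"] == A_CNXN:
        kind, props = parse_identity(msg["data"])
        return ("open" if kind == "device" else "other"), props
    if msg["command"] == A_AUTH:
        return "auth", {}
    return "other", {}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        part = sock.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed connection")
        buf += part
    return buf


def probe(host: str, port: int = 5555, timeout: float = 3.0):
    """Connect, send CNXN, read one reply (header then payload), classify it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_cnxn())
        header = _recv_exact(sock, HEADER.size)
        length = HEADER.unpack(header)[3]
        if length > MAX_PAYLOAD:
            raise ValueError("payload length exceeds negotiated maximum")
        return classify_reply(header + _recv_exact(sock, length))


# Constructed sample reply resembling what an unauthenticated set-top box
# sends back; values are made up, not captured from a real device.
SAMPLE_OPEN_REPLY = pack_message(
    A_CNXN, A_VERSION, MAX_PAYLOAD,
    b"device::ro.product.name=tvbox;ro.product.model=ExampleBox;"
    b"ro.product.device=example;\x00")

if __name__ == "__main__":
    status, props = classify_reply(SAMPLE_OPEN_REPLY)
    print(status, props.get("ro.product.model"))
```

    Run `probe("192.0.2.10")` against a device on your own network: “open” is the condition Matryosh and the earlier ADB botnets exploit, “auth” means the port is still reachable and should still be firewalled, and a ValueError or timeout means whatever is listening there is not adbd. The checksum and magic checks matter because honeypots and unrelated services on 5555 will happily return bytes that are not ADB at all.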