More stories

  • in

    US and Bulgarian authorities disrupt NetWalker ransomware operation

    Image: McAfee, ZDNet
Law enforcement agencies from Bulgaria and the US have this week disrupted the infrastructure of NetWalker, one of 2020’s most active ransomware gangs.

    Bulgarian officials seized a server used to host dark web portals for the NetWalker gang, while officials in the US indicted a Canadian national who allegedly made at least $27.6 million from infecting companies with the NetWalker ransomware.
The seized server was used to host pages where victims of NetWalker attacks were redirected to communicate with the attackers and negotiate ransom demands.
The same server also hosted a blog section where the NetWalker gang would leak data stolen from hacked companies that had refused to pay the ransom demand — a form of revenge and public shaming.

    Image: ZDNet
    Details about the Canadian national indicted today are not yet available beyond his name and residence — Sebastien Vachon-Desjardins, of Gatineau.
    Vachon-Desjardins is currently believed to be an “affiliate,” a person who rented the ransomware code from the NetWalker creator.
    This type of business is called Ransomware-as-a-Service, or RaaS, and is a common setup employed by many ransomware gangs today.

    Prior to today’s takedown, NetWalker operated through topics posted on several underground forums by a user named Bugatti. This user advertised the ransomware’s features and looked for “partners” (aka affiliates) that would breach corporate networks, steal data to be used as leverage during negotiations, and install the ransomware to encrypt files.
    If victims paid, Bugatti and the affiliate would split the ransom payments according to a pre-negotiated agreement.
    According to US authorities, NetWalker has impacted at least 305 victims from 27 different countries, including 203 in the US.

    Image: Chainalysis
    A report from McAfee published in August 2020 claimed the NetWalker ransomware operation earned more than $25 million from ransom payments from March to July 2020 alone — a number that has gone up, as the gang continued to operate until today’s takedown.
    In a report published today, blockchain analysis firm Chainalysis updated that figure to more than $46 million for the entire 2020, putting NetWalker in the year’s top 5 grossing ransomware strains, next to Ryuk, Maze, Doppelpaymer, and Sodinokibi.

    Image: Chainalysis
The same Chainalysis report also claims that Vachon-Desjardins worked as an affiliate for other ransomware gangs, such as Sodinokibi, Suncrypt, and RagnarLocker.
Besides charging the Canadian national, the US DOJ also said it managed to seize $454,530.19 in cryptocurrency believed to be linked to ransom payments made by three past NetWalker victims.
The NetWalker disruption also comes on the same day that Europol and its partners announced a takedown of the Emotet botnet.

  • in

    Authorities plan to mass-uninstall Emotet from infected hosts on April 25, 2021

Updated on January 28 to correct the date from March 25 to April 25. The error in interpreting the date was discovered by Malwarebytes earlier today. The original article, with the corrected date, is below.
    Law enforcement officials in the Netherlands are in the process of delivering an Emotet update that will remove the malware from all infected computers on April 25, 2021, ZDNet has learned today.

    The update was made possible after law enforcement agencies from across eight countries orchestrated a coordinated takedown this week to seize servers and arrest individuals behind Emotet, considered today’s largest malware botnet.
    While servers were located across multiple countries, Dutch officials said that two of three of Emotet’s primary command and control (C&C) servers were located inside its borders.
Dutch police officials said today they used their access to these two crucial servers to deploy a booby-trapped Emotet update to all infected hosts.
According to public reports, also confirmed by ZDNet with two cyber-security firms that have historically tracked Emotet operations, this update contains time-bomb-like code that will uninstall the Emotet malware on April 25, 2021, at 12:00, the local time of each computer.

    Last chance to audit networks
    “The technical disruption that the Dutch police detailed in their press release, if it works as they described, will effectively reset Emotet,” Binary Defense senior director Randy Pargman told ZDNet today in an online chat.

    “It forces the threat actors behind it to start over and attempt to rebuild from scratch, and it gives IT staff at companies around the world a chance to locate and remediate their computers that have been infected,” Pargman added.
Currently, the Europol takedown prevents the Emotet gang from selling access to Emotet-infected computers to other malware gangs, a tactic the Emotet gang has been known to use.
    But Emotet hosts where cybercrime gangs have already bought access remain at risk.
    Pargman is now urging companies to take advantage of this time window until April 25 to investigate internal networks for the presence of the Emotet malware and see if other gangs used it to deploy other threats.
    After Emotet uninstalls itself on April 25, such investigations will be harder to carry out.
    Arrests in Ukraine
    Since ZDNet’s early coverage of the Emotet takedown, Ukrainian police officials have also come out to announce they arrested two individuals who they believe were tasked with keeping Emotet’s servers up and running.
    A video of the arrests and apartment searches is available below.


  • in

    New Google cloud service aims to bring zero trust security to the web

    Google has announced general availability of BeyondCorp Enterprise, a new security service from Google Cloud based on the principle of designing networks with zero trust. 

    As US security companies come to terms with the SolarWinds supply chain hack, Google and Microsoft are talking up their capabilities in the cloud around zero trust. 
Microsoft last week urged customers to adopt a “zero trust mentality” and abandon the assumption that everything inside an IT network is safe, and now Google has launched the BeyondCorp Enterprise service based around the same concept.
    “Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned),” explains the National Institute of Standards and Technology (NIST).  
    “Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established.”
    BeyondCorp Enterprise replaces BeyondCorp Remote Access, a cloud service Google announced in April in response to remote working due to the COVID-19 pandemic and the heightened need for virtual private network (VPN) apps. 
    The service allowed employees to securely access their company’s internal web apps from any device and location. Google has been using BeyondCorp for several years internally to protect employee access to apps, data, and other users. 

    “BeyondCorp Enterprise brings this modern, proven technology to organizations so they can get started on their own zero trust journey. Living and breathing zero trust for this long, we know that organizations need a solution that will not only improve their security posture, but also deliver a simple experience for users and administrators,” said Sunil Potti VP of Google Cloud Security. 
As Microsoft highlighted last week, the three main attack vectors in the SolarWinds attack were compromised user accounts, compromised vendor accounts, and compromised vendor software. These can be significantly mitigated by zero trust principles, such as restricting privileged access to the accounts that need it and enabling multi-factor authentication. Microsoft is encouraging organizations to use Azure Active Directory for identity and access management rather than on-premise identity management systems.
Google’s main weapon in the fight against sophisticated attackers is Chrome, through which it promises easy “agentless support”. Chrome has over two billion users, so it has scale too.
    Then there’s Google’s network with 144 network edge locations across 200 countries and territories, which helps back up its distributed denial of service (DDoS) protection service. 
    Google is encouraging organizations to use the Google Identity-Aware Proxy (IAP) to manage access to apps running in Google Cloud. 
The pandemic and the SolarWinds hack have made security a bigger value proposition for companies like Microsoft and Google. For the first time, Google parent Alphabet on February 2 will break out cloud revenue as a separate reporting segment, starting with its Q4 2020 results.
    Other key security highlights for Chrome under the BeyondCorp Enterprise service include threat protection to prevent data loss and exfiltration and malware infections from the network to the browser; phishing protection; continuous authorization; segmentation between users and apps and between apps and other apps; and management of digital certificates. 
    BeyondCorp Enterprise lets admins check URLs in real-time and scan files for malware; create rules for what types of data can be uploaded, downloaded or copied and pasted across sites; and track malicious downloads on company-issued devices and monitor whether employees enter passwords on known phishing sites. 


  • in

    National Crime Agency warns novice and veteran traders alike of rise in clone company scams

    A warning has been issued by UK watchdogs of a rise in clone company scams targeting those looking for investment opportunities to recover financially from COVID-19.

    On Wednesday, the UK’s National Crime Agency (NCA) and Financial Conduct Authority (FCA) issued an alert to the public concerning “clone company” scams which appear to be claiming not only novice investors but also veteran players in the market.
The FCA says that these forms of scams are on the rise, with increased rates reported since the UK went into its first lockdown in March 2020.
    In total, investors have lost over £78 million ($107m), a figure which is likely to continue to rise. Average losses are reported as £45,242 per victim, according to Action Fraud research.
    Clone company investment scams go beyond typical phishing emails or dubious social media links promising an immediate return on your cash. Fraudsters use the same name, address, and Firm Reference Number (FRN) issued to authorized investment companies by the FCA and then during phishing, social media, and cold-call messages they send sales materials containing links to legitimate company websites. 
    However, the masquerade only goes so far: once trust is established, investors are hoodwinked into parting with funds intended for the legitimate company, only for their money to go straight into the coffers of scam artists. 
It may not seem all that different from typical phishing campaigns, but this form of investment fraud is not as well-known as it should be. In an FCA survey, 75% of investors said they felt confident enough to spot a scam — but 77% did not know or were unsure of what a clone investment company was.

    “A clone firm scam can target anyone, they are usually smart fraudsters who often present opportunities which look very tempting indeed,” commented Watchdog presenter Matt Allwright. “When considering your next investment, make sure you only ever use the details listed on the FCA Register, and think about getting impartial advice before going ahead.”
    The NCA recommends that traders reject all unsolicited investment offers whether made online, through social media, or through the phone, and to check both the FCA Register and warning list — as well as any telephone numbers associated with entities — before signing up for financial products. It is also worth seeking independent advice before taking the plunge in a new investment opportunity. 
    Clone company scams that dupe even seasoned investors can be difficult to detect, but this is not the only form of financial fraud that has exploded online since the start of the pandemic. 
    Earlier this month, Interpol warned of a flurry of investment scams taking over dating applications. “Matches” work to obtain a potential victim’s trust and then begin to peddle a fake investment opportunity, encouraging them to join and promising to help them on their way to make a fortune. 
    Once the victim has parted with their cash, the match vanishes and they are locked out of their fake ‘investment’ account. 

  • in

    Emotet: The world's most dangerous malware botnet was just disrupted by a major police operation

    The world’s most prolific and dangerous malware botnet has been taken down following a global law enforcement operation that was two years in planning.
Europol, the FBI, the UK’s National Crime Agency and others coordinated action that has resulted in investigators taking control of the infrastructure controlling Emotet, in one of the most significant disruptions of cyber-criminal operations in recent years.


Emotet first emerged as a banking trojan in 2014 but evolved into one of the most powerful forms of malware used by cyber criminals.
Emotet establishes a backdoor onto Windows computer systems via automated phishing emails that distribute Word documents laced with malware. Subjects of emails and documents in Emotet campaigns are regularly altered to provide the best chance of luring victims into opening emails and installing malware – regular themes include invoices, shipping notices and information about COVID-19.
Those behind Emotet lease their army of infected machines out to other cyber criminals as a gateway for additional malware attacks, including remote access tools (RATs) and ransomware.
    It resulted in Emotet becoming what Europol describes as “the world’s most dangerous malware” and “one of the most significant botnets of the past decade”, with operations like Ryuk ransomware and TrickBot banking trojan hiring access to machines compromised by Emotet in order to install their own malware.

    The takedown of Emotet, therefore, represents one of the most significant actions against a malware operation and cyber criminals in recent years.
    “This is probably one of the biggest operations in terms of impact that we have had recently and we expect it will have an important impact,” Fernando Ruiz, head of operations at Europol’s European Cybercrime Centre (EC3) told ZDNet. “We are very satisfied.”
    A week of action by law enforcement agencies around the world gained control of Emotet’s infrastructure of hundreds of servers around the world and disrupted it from the inside.
Machines infected by Emotet are now directed to infrastructure controlled by law enforcement, meaning cyber criminals can no longer exploit the compromised machines and the malware can no longer spread to new targets, something which will cause significant disruption to cyber-criminal operations.
    “Emotet was our number one threat for a long period and taking this down will have an important impact. Emotet is involved in 30% of malware attacks; a successful takedown will have an important impact on the criminal landscape,” said Ruiz.
    “We expect it will have an impact because we’re removing one of the main droppers in the market – for sure there will be a gap that other criminals will try to fill, but for a bit of time this will have a positive impact for cybersecurity,” he added.
    The investigation into Emotet also uncovered a database of stolen email addresses, usernames and passwords. People can check if their email address has been compromised by Emotet by visiting the Dutch National Police website.
    Europol is also working with Computer Emergency Response Teams (CERTs) around the world to help those known to be infected with Emotet.
    In order to help protect against malware threats like Emotet, Europol recommends using anti-virus tools along with fully updated operating systems and software – so cyber criminals can’t exploit known vulnerabilities to help deliver malware. It’s also recommended that users are trained in cybersecurity awareness to help identify phishing emails.
    The Emotet takedown is the result of over two years of coordinated work by law enforcement operations around the world, including the Dutch National Police, Germany’s Federal Crime Police, France’s National Police, the Lithuanian Criminal Police Bureau, the Royal Canadian Mounted Police, the US Federal Bureau of Investigation, the UK’s National Crime Agency, and the National Police of Ukraine.
    The investigation into Emotet, and identifying the cyber criminals responsible for running it, is still ongoing.


  • in

    Fake ICO consultant sentenced for embezzling cryptocurrency now worth $20 million

    A US resident who masqueraded as a cryptocurrency consultant has been sentenced for embezzling cryptocurrency and cash fraudulently obtained from investors. 

    The US Department of Justice (DoJ) said on Tuesday that Jerry Ji Guo, a resident of San Francisco, will spend six months behind bars and has been ordered to pay $4.4 million in restitution for his activities.
    The 33-year-old former journalist admitted to reshaping himself as an expert and consultant on cryptocurrency and Initial Coin Offerings (ICOs). 
    ICOs are investor events that originally formed to give emerging projects an alternative funding route to angel investment or loans. Participants in legitimate ICOs receive project-branded tokens for their contribution, and should the project succeed, this could allow investors to reap substantial profits. However, ICOs are risky and have paved the way for exit scams and fraud.  
In Guo’s case, he conned investors by promising he would perform “consultancy, marketing, and publicity services,” according to US prosecutors. However, instead of keeping his promise, investor cash and cryptocurrency, including Bitcoin (BTC) and Ethereum (ETH), ended up being drained from wallets used by companies to deposit funds up-front in order to secure his ‘services.’
    The cryptocurrencies taken from investors have surged in value over the past few years and the combined funds, with cash, are now worth an estimated $20 million. 
    A federal grand jury indicted Guo in 2018 and he pleaded guilty to one count of wire fraud a year later. Seven other counts of wire fraud were dismissed. At the time of the indictment, Guo faced up to 20 years behind bars.

    Alongside the prison sentence and reparation, Guo will also have to submit to three years of supervised release.
    The DoJ’s Money Laundering and Asset Recovery Section obtained warrants in February 2020 to seize the stolen funds and says that the government “is [now] in a position to return the stolen property to the victims.”
    Earlier this month, US prosecutors sentenced the former owner of RG Coins, Rossen Iossifov, to 10 years in prison after he was found guilty of laundering funds from online auction scams through his cryptocurrency exchange. 
    The DoJ and FBI are constantly hunting down the perpetrators of cryptocurrency-related fraud and schemes, and now, the US Securities and Exchange Commission (SEC) maintains a list of both fiat investment and crypto businesses that consumers should be wary of. 
In January, the SEC added a further eight cryptocurrency organizations to its watch list, which tout everything from unrealistic returns to ICO legal protection and risk-free cryptocurrency trading.

  • in

    Chromebooks will now let you sign into websites with your fingerprint

    Chromebook users can sign in to websites with a PIN or fingerprint.
    Image: Getty Images/iStockphoto
    Google has finally brought Web Authentication (WebAuthn) passwordless authentication to Chrome OS to allow users to sign in to websites with a PIN or fingerprint used to unlock a Chromebook.
    WebAuthn allows people to register and authenticate on websites or apps using an “authenticator” – such as a fingerprint or PIN – instead of a password. The World Wide Web Consortium (W3C) made WebAuthn an official web standard in 2019.

    Of course, to take advantage of the Chrome OS version 88 update, people need to have a Chromebook with a fingerprint reader. But the feature also supports a device PIN, which is still easier to remember than passwords for every website. 
    “Websites that support WebAuthn will let you use your Chromebook PIN or fingerprint ID – if your Chromebook has a fingerprint reader – instead of the password you’ve set for the website,” says Alexander Kuscher, director of Chrome OS.
    Additionally, people who use Google’s two-step verification to sign in to a Google account don’t need to use a security key or phone to authenticate since the Chromebook PIN or fingerprint ID can be used as the second factor. 
    Sites that support WebAuthn include Google, Dropbox, GitHub, Okta, Twitter and Microsoft. Google last year rolled out an update so people with iPhones could use WebAuthn with more types of security keys as the second factor to sign into a Google account.
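As an added illustration (not code from the article, Google, or the W3C specification), the following Go program models what a site verifies when a WebAuthn login arrives: the authenticator signs over the relying-party ID hash, a flags byte whose UV bit records that the device PIN or fingerprint was checked, a signature counter, and the hash of the client data carrying the site's challenge and origin. SimulateAuthenticator, NewCredentialKey and the example.com values are assumptions; attestation, CBOR-encoded credential data and base64url challenge encoding are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
)

const flagUP, flagUV = 0x01, 0x04 // user present; user verified (PIN or fingerprint)

// ClientData is the subset of CollectedClientData the browser serialises.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url in real browsers; a constructed string here
	Origin    string `json:"origin"`
}
// Assertion is what navigator.credentials.get() hands back to the site.
type Assertion struct {
	AuthData       []byte // rpIdHash(32) | flags(1) | signCount(4, big-endian)
	ClientDataJSON []byte
	Signature      []byte // ECDSA P-256 over SHA-256(authData || SHA-256(clientDataJSON))
}

// NewCredentialKey creates the per-site key pair an authenticator makes at registration.
func NewCredentialKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signedDigest hashes exactly what the authenticator signs.
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// SimulateAuthenticator is a hypothetical stand-in for the Chromebook's platform authenticator (uv = PIN/fingerprint passed).
func SimulateAuthenticator(priv *ecdsa.PrivateKey, rpID string, counter uint32, uv bool, cd ClientData) (Assertion, error) {
	cdj, _ := json.Marshal(cd) // a struct of plain strings cannot fail to marshal
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], flagUP, 0, 0, 0, 0) // flags byte sits at index 32
	if uv {
		authData[32] |= flagUV
	}
	binary.BigEndian.PutUint32(authData[33:], counter)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cdj))
	return Assertion{authData, cdj, sig}, err
}

// VerifyAssertion runs the relying-party checks and returns the counter to store.
// requireUV demands PIN/fingerprint, as a site using WebAuthn instead of a password should.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, lastCounter uint32, requireUV bool, a Assertion) (uint32, error) {
	var cd ClientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return 0, err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge || cd.Origin != origin {
		return 0, errors.New("clientData type, challenge or origin mismatch") // replay and phishing guard
	}
	if len(a.AuthData) < 37 {
		return 0, errors.New("authenticator data too short")
	}
	if rpHash := sha256.Sum256([]byte(rpID)); string(a.AuthData[:32]) != string(rpHash[:]) {
		return 0, errors.New("rpIdHash mismatch: assertion was made for another site")
	}
	if flags := a.AuthData[32]; flags&flagUP == 0 || (requireUV && flags&flagUV == 0) {
		return 0, errors.New("user presence/verification flag missing")
	}
	counter := binary.BigEndian.Uint32(a.AuthData[33:37])
	if (counter != 0 || lastCounter != 0) && counter <= lastCounter {
		return 0, errors.New("signature counter did not increase: possible cloned credential")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature) {
		return 0, errors.New("invalid signature")
	}
	return counter, nil
}
```

Setting requireUV is what separates using the Chromebook PIN or fingerprint in place of a password from using WebAuthn only as the second factor described above; a second-factor flow can accept a user-presence-only assertion.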

As an added bonus, Google has rolled out a feature with Chrome OS 88 that lets students and workers personalize the lock screen with photos from Google Photos or art gallery images. Chrome OS also lets users check the weather and see what music is playing, as well as pause, skip and play tracks, while the device is locked.
    WebAuthn on Chrome OS devices is likely to be a welcome addition for students who use Chromebooks for remote learning as the COVID-19 pandemic rolls on. These days, the demand for laptops around the clock has forced many parents to buy a cheap laptop, and Chromebooks are a popular option compared to more expensive Windows laptops and macOS laptops. 
    Acer in January unveiled the Chromebook Spin 514 convertible laptop with a 14-inch full HD touchscreen, protected by Gorilla Glass, and powered by AMD’s new Ryzen 3000 C-Series mobile processors. 
At the higher end, Samsung trimmed some features to bring down the cost of its 2-in-1 Galaxy Chromebook. The Galaxy Chromebook 2 features a 13.3-inch QLED display with 1,920×1,080-pixel resolution and comes with an Intel 10th-gen Core i3-10110U or Celeron 5205U processor. The previous model featured a 4K AMOLED display and an Intel Core i5 processor.