More stories

  • This massive phishing campaign delivers password-stealing malware disguised as ransomware

    A massive phishing campaign is distributing what looks like ransomware but is in fact trojan malware that creates a backdoor into Windows systems to steal usernames, passwords and other information from victims. Detailed by cybersecurity researchers at Microsoft, the latest version of the Java-based STRRAT malware is being sent out via a large email campaign, which uses compromised email accounts to distribute messages claiming to be related to payments, alongside an image posing as a PDF attachment that looks like it has information about the supposed transfer.


    When the user opens this file, they’re connected to a malicious domain that downloads STRRAT malware onto the machine. The updated version of the malware is what researchers describe as “notably more obfuscated and modular than previous versions”, but it retains the same backdoor functions, including the ability to collect passwords, log keystrokes, run remote commands and PowerShell, and more – ultimately giving the attacker full control over the infected machine.

    As part of the infection process, the malware adds a .crimson file name extension to files in an attempt to make the attack look like ransomware – although no files are actually encrypted. This could be an attempt to distract the victim and hide the fact that the PC has actually been compromised with a remote access trojan – a highly stealthy form of malware, as opposed to a much more overt ransomware attack.

    It’s likely that this spam campaign – or similar phishing campaigns – is still active as cyber criminals continue attempts to distribute STRRAT malware to more victims. Given how the malware is able to gain access to usernames and passwords, it’s possible that anyone whose system becomes infected could see their email account abused by attackers in an effort to further spread STRRAT with new phishing emails.

    However, as the malware campaign relies on phishing emails, there are steps that can be taken to avoid becoming a new victim of the attack. These include being wary of unexpected or unusual messages – particularly those that appear to offer a financial incentive – as well as taking caution when it comes to opening emails and attachments delivered from strange or unknown email addresses. Using antivirus software to detect and identify threats can also help prevent malicious emails from landing in inboxes in the first place, removing the risk of someone opening the message and clicking the malicious link.
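    A defender-side check that follows from the detail above (files renamed to .crimson but never encrypted): an added triage script, not code from the article or from Microsoft's researchers, that tells a cosmetic rename from genuine encryption by testing whether a known file header survives and how random the content is, so an incident is scoped as a RAT infection rather than a ransomware event. The magic-byte table, the entropy threshold and the sample files are assumptions constructed for this example, and the extension can be swapped for any other renaming scheme.

```python
"""Triage files that received a '.crimson' extension: are they really encrypted?

Added example, not from the ZDNet article or Microsoft's report. Assumes a
responder has a directory of renamed files and wants to separate a cosmetic
rename (contents intact, as described for STRRAT) from real encryption.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Leading-byte signatures for common document types (constructed shortlist).
MAGIC = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip/office",
    b"\xd0\xcf\x11\xe0": "ole/office",
}

SUSPECT_EXT = ".crimson"   # extension named in the article
HIGH_ENTROPY = 7.5         # bits/byte; encrypted data sits close to 8.0 (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def detect_type(data: bytes):
    """Return the recognised type from the leading bytes, or None."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def classify_content(data: bytes) -> str:
    """'intact' when a known header survives the rename, 'likely-encrypted'
    when the sample is structureless and high-entropy, else 'unknown'.
    The header test runs first so compressed formats (zip, jpeg), which are
    also high-entropy, are not misread as encrypted."""
    if detect_type(data) is not None:
        return "intact"
    if len(data) >= 64 and shannon_entropy(data) >= HIGH_ENTROPY:
        return "likely-encrypted"
    return "unknown"


def triage_directory(root) -> dict:
    """Map every *.crimson file under root to its classification."""
    results = {}
    for path in Path(root).rglob(f"*{SUSPECT_EXT}"):
        with open(path, "rb") as fh:
            head = fh.read(4096)   # header plus a sample large enough for entropy
        results[str(path)] = classify_content(head)
    return results


if __name__ == "__main__":
    # Constructed samples: a renamed-but-intact PDF and a genuinely encrypted blob.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "invoice.pdf.crimson").write_bytes(
            b"%PDF-1.7\n" + b"1 0 obj <<>> endobj\n" * 50)
        Path(tmp, "report.docx.crimson").write_bytes(os.urandom(4096))
        for name, verdict in sorted(triage_directory(tmp).items()):
            print(f"{verdict:17} {name}")
```

    A run of 'intact' verdicts across the renamed files is the signal that the host should be handled as a remote-access-trojan compromise (credential theft, persistence, lateral movement) rather than as a recovery-from-encryption problem.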


  • An NTSB for cyber attacks? Critics grapple with Biden's Cybersecurity Safety Review Board plan

    President Joe Biden’s recent executive order on cybersecurity drew praise for addressing critical gaps in the government’s efforts to protect its digital assets, but lawmakers and experts are raising questions about one aspect of the order: the creation of a Cybersecurity Safety Review Board. The executive order establishes a review board “co-chaired by government and private sector leads, that may convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity.” 


    The board will be there to “ask the hard questions” according to the executive order and is modeled after the National Transportation Safety Board, which investigates airplane crashes and transportation incidents. The fine print of the executive order says Homeland Security Secretary Alejandro Mayorkas will work with the Attorney General Merrick Garland to create the board, which will look into any attacks “affecting FCEB Information Systems or non-Federal systems, threat activity, vulnerabilities, mitigation activities, and agency responses.” Both federal law enforcement officials and private sector cybersecurity experts will populate the board, with one of each serving as chair and deputy chair biennially. Within 30 days, Mayorkas has to send a report to Biden about who will be on the board, its scope, responsibilities, structure, “thresholds and criteria for the types of cyber incidents to be evaluated” as well as how they plan on forcing companies or individuals to comply with their investigation.

    Democratic leaders in Congress expressed support for the effort but had a range of concerns they hoped would be addressed by Mayorkas and Garland once the idea was more fully sketched out.

    Rep. Carolyn Maloney, chairwoman of the Committee on Oversight and Reform, told ZDNet that it is “critical for the federal government to respond quickly when a significant cyber event occurs.”

    But Maloney said the board had to walk a fine line of complying with the Federal Advisory Committee Act, which forces boards like this to be “objective and accessible to the public,” while also keeping the information it collects safe. “It is important that sensitive information be properly protected but it is also important that the board operate with transparency and in full compliance with ethics laws,” Maloney said.

    Other congressional leaders in cybersecurity echoed those remarks and raised more pressing concerns about the board’s ability to effectively address devastating attacks that now occur on a weekly basis.

    Congressman Jim Langevin, who helped found the House Cybersecurity Caucus that he now co-chairs, said he was in support of the idea that the cyber review board was meant to help defenders understand major incidents better.

    But as a member of the Cybersecurity, Infrastructure Protection, & Innovation subcommittee, he told ZDNet he was “seriously concerned about the trend toward larger, more frequent cyber incidents that may be too much for a review board to handle.”

    “That’s why I support the creation of a Bureau of Cyber Statistics, so that we can examine incident data in aggregate and make more informed cyber risk management decisions,” Langevin said.

    A congressional aide explained to ZDNet that some on Capitol Hill have questioned how the board could work like the National Transportation Safety Board, which has broad authority to investigate transportation incidents and can issue subpoenas.

    It is still unclear what thresholds the cyber review board will use to decide which breaches or attacks to investigate and what power they will be given to compel organizations to hand over critical information that some may be reluctant to share.

    “With the NTSB, they just show up with their badge and the entity has to produce anything the investigator wants. They don’t always need a subpoena or the court system to get what they want,” the congressional aide said.

    “It’s so far outside of the existing legal systems and I think there’s a strong incentive to cooperate because what are your options otherwise?”

    The aide added that the idea for an NTSB-like effort for cybersecurity incidents has long been floated on Capitol Hill because there is always interest in finding the root causes of attacks and potential mitigations.

    But the NTSB deals with far fewer incidents than any cyber review board would and incidents often involve dozens, if not hundreds, of different organizations, some of which will not cooperate with federal law enforcement. The NTSB mostly interacts with airline companies and maintenance operators, whereas the review board would be trying to investigate entire software supply chains.

    “There’s huge benefits to root cause analysis but in terms of getting access to the data, it’s quite extraordinary the powers that NTSB has in some respects. I don’t think that that’s necessarily applicable in a cyber context,” the aide said.

    Anurag Lal, former director of the US National Broadband Task Force for the Federal Communications Commission under the Obama administration, expressed fear that the board will be “bogged down by bureaucracy as others have in the past” and be hamstrung by red tape while investigating cyber incidents that require quick responses.

    The executive order was a step in the right direction to creating the processes needed to respond to cyberattacks, Lal explained, but he said a more comprehensive cyber response bill is needed to put laws in place governing how the US responds to attacks.

    “While these are comparable boards, I believe the Cybersecurity Safety Review Board needs to act with much greater urgency than the NTSB. In the case of flight incidents, a great deal of time needs to be taken to thoroughly investigate. However, the nature of cyber-attacks requires us to act quickly, so this board will not have the luxury of time,” Lal said.

    “The CSRB must be mandated to respond in an urgent, accelerated manner. This executive order addresses how we can respond, but now we need to push further and determine how we are going to go on the offensive to prevent these attacks from even happening.”

    Christopher Fielder, who spent years as a network and cryptographic systems technician in the US Air Force and as a security analyst contractor with the CIA, told ZDNet that too many cyber incidents are shrouded in secrecy, resulting in numerous incidents that could have been prevented earlier had information been shared accordingly.

    Fielder said the review board was a good idea because it could quickly identify underlying issues and establish a federal-level baseline of transparency around future compromises and how to learn from them.

    “Using this postmortem approach for breaches can drive the development of standards based around historic evidence. It’s important to understand, however, that for a review board such as this to be effective it is going to require significant buy-in from both the private and public sectors,” Fielder said.

    “We are going to have to feel that this will be a board that is not a regulatory body intended to punish or place blame on those who are affected by compromises, but instead designed to foster the sharing of knowledge and best practices that are discovered from incidents that are reviewed.”

    The board would be a good first step but cybersecurity is still like the Wild West, Fielder explained, with many organizations protecting themselves the best they can with the resources they have available.

    Post-incident recommendations often differ between cybersecurity companies and researchers, and Fielder said a board like this could help reconcile differing opinions on an incident’s root cause or next steps so that agreed-upon and trusted recommendations can be made.

    Sounil Yu, chief information security officer at JupiterOne, said the best version of the review board would include “blameless postmortems” that produce “meaningful lessons learned that reduce the likelihood of repeated failure events.” “There are great examples of security-oriented postmortems (e.g., Coinbase and FireEye) that are highly instructive and can serve as a model for what a Cyber Review Board investigation report might look like,” Yu said.

    A number of cybersecurity experts praised the review board idea for similar reasons but questioned what would happen in instances where it was clear the attack was leveraged by a state actor, like the most recent attacks attributed to Russia and China.

    “The NTSB didn’t take the lead in the 9/11 investigations because it was clear that the cause was not due to safety issues,” Yu added. “Safety incidents are often handled very differently than security incidents.”

  • FBI identifies 16 Conti ransomware attacks striking US healthcare, first responders

    The Federal Bureau of Investigation (FBI) has linked the Conti ransomware group to at least 16 attacks aimed at disrupting healthcare and first responder networks in the United States.  

    The targets identified include 911 dispatch carriers, law enforcement agencies, and emergency medical services — all of which have been attacked over the past year as medical services struggled to manage the COVID-19 pandemic. According to the FBI’s flash advisory (.PDF), Conti has been connected to at least 400 cyberattacks against organizations worldwide, and 290, at minimum, are based in the US.

    In what has become a popular tactic for ransomware operators to increase the chances of a payout, attackers will infiltrate a victim’s network, steal confidential files, and then launch ransomware. If blackmail demands — usually made in cryptocurrency such as Bitcoin (BTC) — are not met, organizations then face the prospect of their data being published or sold via a leak site.

    The Conti ransomware group is one of dozens of double-extortion criminal collectives that operate leak sites, having joined the likes of Sodinokibi, Nefilim, and Maze last year.

    Conti may use stolen credentials, RDP, or phishing campaigns to obtain initial access to a network. According to the FBI, the group may also use Cobalt Strike, Mimikatz, Emotet, and Trickbot alongside Conti ransomware during attacks.

    “If the victim does not respond to the ransom demands two to eight days after the ransomware deployment, Conti actors often call the victim using single-use Voice Over Internet Protocol (VOIP) numbers,” the advisory reads. “The actors may also communicate with the victim using ProtonMail, and in some instances, victims have negotiated a reduced ransom.”

    The FBI does not encourage victim organizations to pay up, as decryption keys are not guaranteed to work and each successful extortion attempt only encourages ransomware-related criminal activity.

    However, whether or not a victim has paid, the FBI urges transparency to law enforcement agencies when ransomware incidents occur. When it comes to Conti specifically, the FBI has requested boundary logs showing links to IP addresses, cryptocurrency wallet information, any decryptor files available, as well as encrypted file samples.

    Recently, the finger has been pointed at Conti for a debilitating ransomware attack on Ireland’s Health Service Executive (HSE) on May 14. Officials say that a ransomware demand of $20 million will not be paid, and while Conti has released an — unverified — decryption tool to the service, the group has still threatened to sell or leak HSE records allegedly stolen during the attack.

    Dublin’s High Court has issued an injunction against Conti, under “persons unknown,” in an effort to stop the spread of stolen information. At the time of writing, staff are still unable to access email and there are delays with issuing birth, death, and marriage certificates. The COVID-19 vaccination program is rolling out as normal but there may also be delays in receiving test results.

  • FBI intelligence analyst indicted for theft of cybersecurity, counterterrorism documents

    A former intelligence analyst for the US Federal Bureau of Investigation (FBI) has been indicted for stealing confidential files over a period of 13 years. 

    Kendra Kingsbury, of Dodge City, Kansas, has been charged by a federal grand jury in a two-count, unsealed indictment made public on Friday. The US Department of Justice (DoJ) said that between June 2004 and December 2017, the 48-year-old removed and then kept national security, secret, and confidential documents at her home.

    Classified material allegedly removed from FBI systems included documents relating to cybersecurity threats, terrorism, intelligence bulletins, open FBI investigations, human operations, and files describing the “technical capabilities of the FBI against counterintelligence and counterterrorism targets.” In addition, some of the material specifically related to al Qaeda members suspected “associates” of Osama Bin Laden and emerging terrorist groups in Africa.

    As an FBI intelligence analyst for over 12 years in the law enforcement agency’s Kansas division, Kingsbury had been trained in the handling of sensitive material and non-disclosure practices. During her tenure, the intelligence agent was assigned to squads including those focused on counterterrorism, drug trafficking, and gang crime.

    “The defendant was not authorized to remove and retain these sensitive government materials, including the national defense Information and classified documents,” the indictment reads. “Nor did the defendant have a “need to know” in most, if not all, of the information contained in those materials.”

    Kingsbury was suspended in 2017 and has now been arrested and has made her initial court appearance in the District of Kansas. The former analyst is being charged with two counts of the “willful retention of national defense information.”

    “The breadth and depth of classified national security information retained by the defendant for more than a decade is simply astonishing,” said Alan Kohler, Jr., Assistant Director of the FBI’s Counterintelligence Division. “The defendant, who’s well trained in handling classified information, put her country’s sensitive secrets at risk. The FBI will go to great lengths to investigate individuals who put their own interests above US national security, including when the individual is an FBI employee.”

  • Crypto miners look beyond China as government threatens crackdown

    Several cryptocurrency mining operators reportedly have halted their activities in China amidst increasing threats of a government crackdown. A senior official had called for the need to mitigate financial risks and more closely monitor activities on business platforms.

    Chinese vice premier Liu He said late-Friday the country’s financial infrastructure must remain robust and guard against disruptions. Doing so would require the use of monetary policies to mitigate financial risks, noted Liu, who was speaking at the 51st meeting of the Financial Stability and Development Committee, which he chaired. In stressing the need to identify potential financial threats, he outlined the need to bolster the monitoring of business platforms that facilitated financial activities as well as crack down on Bitcoin mining and trading transactions. The mention, though, was brief and he provided no further details on possible regulations.


    However, his statement marked the first time a top Chinese government official had referred specifically to crypto mining. It comes just days after three state-backed financial groups in China issued a joint statement warning against the use of cryptocurrencies as payment and reminded industry players that digital currencies should not be used in any financial activities in the country.

    Liu’s remarks also prompted several crypto mining operators to halt their activities in China and look overseas for alternative mining sites, according to a Reuters report. Crypto exchange Huobi’s subsidiary Huobi Mall said via a Telegram statement Sunday that it had suspended its local businesses and was in discussions with overseas service providers for the “exports of mining rigs”. It told customers “not to worry and calm down”.

    Fellow crypto mining operator HashCow said it would stop purchasing new Bitcoin rigs and would refund customers that had ordered compute power but had not begun mining. The company owns 10 mining sites in China, according to Reuters. BTC.TOP also halted its activities in China, with its founder Jiang Zhuoer pointing to regulatory risks. In a post on microblogging platform Weibo, Jiang said the crypto mining pool in future would operate mainly in North America as Chinese authorities clamped down on mining activities.

    He further noted that China was likely to lose its crypto computing power to foreign markets in future, with mining pools in the US and Europe taking dominance.

    Researchers last month cautioned that, unless more stringent regulations were implemented, China’s crypto mining could undermine the world’s sustainability efforts. The report estimated that the country accounted for more than 75% of Bitcoin’s hashing power or calculations, fuelled by China’s proximity to manufacturers of the required hardware and access to cheap power.

    While it had outlawed financial activities involving cryptocurrencies, the Chinese government had created its own alternative that is commonly described as the digital version of the yuan or renminbi (RMB). Called Digital Currency Electronic Payments (DCEP), the digital yuan was developed on blockchain and cryptographic technologies and might later support near-field communication (NFC) capabilities, to allow offline money transfers between two digital wallets that were within proximity.

    US Federal Reserve Chairman Jerome Powell said last week the government agency would be more involved in cryptocurrencies and mooted creating its own digital currency in future. He added that the Federal Reserve would soon release a discussion paper that looked at the implications of digital payments, with “a particular focus on the possibility of issuing a US central bank digital currency”. China’s threats of a potential crackdown, alongside Elon Musk’s detour on accepting Bitcoin as a payment option, led to a tumultuous week for the cryptocurrency. It shed more than 10% in value, dipping to its current hold at $35,598.

  • CSIRO Data61 bins Trustworthy Systems team behind seL4

    The team behind seL4 is no longer under the umbrella of Australia’s Commonwealth Scientific and Industrial Research Organisation’s (CSIRO) Data61, with members being shifted from microkernels to supporting artificial intelligence.

    “[CSIRO’s Data61] dismantles Trustworthy Systems (TS), the team that shook the scientific world with the first correctness proof of an OS, #seL4. TS staff to reallocate to AI projects or sacked,” professor Gernot Heiser, chairman of the seL4 Foundation, said on Friday. “Claims by [Data61] of research excellence sound hollow. I challenge you to identify work in Data61 eclipsing the TS team and #seL4. Yet it’s easy to identify highly incremental work in Data61 that seems safe.”

    In 2009, the security of seL4 was mathematically proven. Heiser added that total disaster was avoided thanks to the seL4 Foundation being established last year.

    A spokesperson for CSIRO said seL4 was a “mature area of technology” that the organisation had invested in over a number of years, and that the organisation would remain as a foundation member so it could “pivot” away from its work. “In order to support the nation in the most important areas, CSIRO will no longer maintain the existing Trustworthy Systems Group. The Trustworthy Systems group is focused on the area of formal methods for design, implementation, and verification of software systems,” CSIRO said.

    “We are strengthening our focus on areas such as cybersecurity, industry 4.0 and natural hazards/environmental analytics, as well as emerging areas such as Trustworthy AI.” The spokesperson added Data61 was following new goals with money being put towards AI, “reinventing” how science would be done using digital technologies, and “putting digital science and technology at the heart of Australia’s recovery and resilience”.

    “As a result of the changes, there will be approximately 100 positions created including 30 new post doctorate positions,” the spokesperson said. “In the short term up to 70 people in Data61 will be potentially impacted, however, the number will likely be less as we work to redeploy people throughout the organisation. Within two years, given the new positions, we expect headcount to be higher than today.”

    The research conducted by Trustworthy Systems will continue at the University of New South Wales, Heiser said, but he was scathing of the decision taken. “If this shining example of Aussie innovation no longer has a place in Data61, then what is the organisation good for? I find this development highly upsetting not only due to its impact on my own work, our agenda for making the world’s computing systems secure, but also as a taxpayer who is funding this organisation,” he wrote. “I am no longer convinced that my tax dollars are well spent there.”

  • Air India discloses data of 4.5m passengers were stolen in SITA cyber attack

    Three months after global aviation industry IT supplier SITA fell victim to a cyber attack, Air India has disclosed the incident resulted in the data of around 4.5 million of its passengers being stolen. The breach involved personal data spanning almost 10 years, from 26 August 2011 to 3 February 2021, Air India said in a statement [PDF]. The stolen information included name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data, and credit card data. No frequent flyer passwords or CVV/CVC data were stolen, however, as this information was not held by SITA.

    SITA, an information technology and communications company, is the data processor of Air India’s passenger service system. While the SITA cyber attack was first discovered at the end of February, Air India said it only understood the severity of the cyber attack last month. Since then, Air India has been conducting investigations, securing compromised servers, engaging external specialists, notifying and liaising with credit card issuers, and resetting passwords of the Air India FFP program, it said.

    When the cyber attack was disclosed, SITA said Star Alliance and One World airlines were affected. Alongside Air India, this included Finnair, Japan Airlines, Jeju Air, Lufthansa, Malaysia Airlines, Air New Zealand, Cathay Pacific, Singapore Airlines, among others. In March, Singapore Airlines disclosed 580,000 of its frequent flyer members were compromised in the cyber attack.

    According to SITA, the vendor serves around 90% of the world’s airlines, which amounts to 2,800 customers including airlines, airports, and government agencies.

    Over the weekend, a handful of airlines were forced to cancel or delay flights after Sabre suffered a global IT outage. Virgin Australia, American Airlines, and Alaska Airlines were among the airlines affected. Sabre blamed the outage on its hardware provider, Dell EMC. “Dell/EMC has confirmed it experienced a hardware redundancy failure that impacted Sabre’s system, including PSS and check-in,” Sabre told ZDNet. “The issue has been resolved. Dell/EMC is working to understand why the failure occurred.”

  • A pair of TPG TrustedCloud customers were breached

    TPG Telecom said on Monday morning that it had the data of two customers accessed on its legacy TrustedCloud hosting service. It added it did not believe any other customers were impacted by the breach. “The incident was isolated to the TrustedCloud service. The TrustedCloud service is hosted in a standalone environment that is separate from our telecommunications networks and other systems,” the company told the ASX. “The incident has not impacted customers from any of our other brands, products or services.”

    TPG Telecom gained TrustedCloud when it purchased IntraPower in 2011, with the service being “in the process of being decommissioned” and set to disappear in August. The telco said the service had only a “few” remaining customers. “We have introduced measures to improve the security of the TrustedCloud service,” TPG said. “Although we are confident this incident has not impacted our other environments, we have also increased the cybersecurity defences across our entire business.”

    Earlier this month, the Australian Department of Parliamentary Services said its March outage was a result of a deliberate choice to shut down its legacy mobile device management (MDM) system after it saw an attempted intrusion on the parliamentary network.

    “The attack did not cause an outage of the DPS systems. DPS shut down the MDM system. This action was taken to protect system security while investigation and remediation were undertaken,” DPS said. “To restore services, DPS brought forward the rollout of an advanced mobile services solution that replaced the legacy MDM. The new solution provides greater security and functionality for mobile devices. This rollout was a complex activity and extended the outage experienced by users.”

    The legacy MDM system remains in use in a limited capacity. The Australian Signals Directorate said it knew who conducted the attack, but would not say who.