More stories

  • in

    Iranian hackers restart attacks on universities as the new school year begins

    A group of Iranian hackers with a history of attacking academic institutions has come back to life to launch a new series of phishing campaigns, security firm Malwarebytes said today.

    The new attacks were timed to coincide with the start of the new academic year, when both students and university staff were expected to be active on university portals.
    The attacks consisted of emails sent to victims. Known as “phishing emails,” they contained links to a website posing as the university portal or an associated app, such as the university library.
    The websites were hosted on sites with lookalike domains, but in reality, collected the victim’s login credentials.
    Attacks linked to Silent Librarian group
    Malwarebytes says the attacks were all orchestrated by the same group, known in cyber-security circles under its codename of Silent Librarian.
    The members of this group were indicted in the US in March 2018 for a long string of attacks against universities from all over the globe, dating back as far as 2013.
    According to the US indictments, the hackers gained access to university portals from where they stole intellectual property or limited-release academic work, which they later re-sold on their own web portals (Megapaper.ir and Gigapaper.ir).
    However, despite the US indictment, the hackers remained at large in Iran and mounted subsequent attacks.
    These attacks usually took place each fall, right before the new school year. Their 2018 campaign was documented in a Secureworks report, while Proofpoint spotted last year’s campaign.
    Group is now hosting attack servers in Iran
    But compared to the past attacks, the 2020 campaign is different.
    Malwarebytes said this time around, Silent Librarian hosted some of its phishing sites on Iranian servers.
    “It may seem odd for an attacker to use infrastructure in their own country, possibly pointing a finger at them. However, here it simply becomes another bulletproof hosting option based on the lack of cooperation between US or European law enforcement and local police in Iran,” the US security firm said.
    Below is a list of universities the group targeted, along with the phishing sites they used, in case students and university staff may want to review any past emails.

    Phishing site | Legitimate site | Target
    library.adelaide.crev.me | library.adelaide.edu.au | The University of Adelaide Library
    signon.adelaide.edu.au.itlib.me | library.adelaide.edu.au | The University of Adelaide Library
    blackboard.gcal.crev.me | blackboard.gcal.ac.uk | Glasgow Caledonian University
    blackboard.stonybrook.ernn.me | blackboard.stonybrook.edu | Stony Brook University
    blackboard.stonybrook.nrni.me | blackboard.stonybrook.edu | Stony Brook University
    namidp.services.uu.nl.itlib.me | namidp.services.uu.nl | Universiteit Utrecht
    uu.blackboard.rres.me | uu.blackboard.com | Universiteit Utrecht
    librarysso.vu.cvrr.me | librarysso.vu.edu.au | Victoria University
    ole.bris.crir.me | ole.bris.ac.uk | University of Bristol
    idpz.utorauth.utoronto.ca.itlf.cf | idpz.utorauth.utoronto.ca | University of Toronto
    raven.cam.ac.uk.iftl.tk | raven.cam.ac.uk | University of Cambridge
    login.ki.se.iftl.tk | login.ki.se | Karolinska Medical Institutet
    shib.york.ac.uk.iftl.tk | shib.york.ac.uk | University of York
    sso.id.kent.ac.uk.iftl.tk | sso.id.kent.ac.uk | University of Kent
    idp3.it.gu.se.itlf.cf | idp3.it.gu.se | Göteborg universitet
    login.proxy1.lib.uwo.ca.sftt.cf | login.proxy1.lib.uwo.ca | Western University Canada
    login.libproxy.kcl.ac.uk.itlt.tk | kcl.ac.uk | King’s College London
    idcheck2.qmul.ac.uk.sftt.cf | qmul.ac.uk | Queen Mary University of London
    lms.latrobe.aroe.me | lms.latrobe.edu.au | Melbourne Victoria Australia
    ntulearn.ntu.ninu.me | ntulearn.ntu.edu.sg | Nanyang Technological University
    adfs.lincoln.ac.uk.itlib.me | adfs.lincoln.ac.uk | University of Lincoln
    cas.thm.de.itlib.me | cas.thm.de | TH Mittelhessen University of Applied Sciences
    libproxy.library.unt.edu.itlib.me | library.unt.edu | University of North Texas
    shibboleth.mcgill.ca.iftl.tk | shibboleth.mcgill.ca | McGill University
    vle.cam.ac.uk.canm.me | vle.cam.ac.uk | University of Cambridge
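    The phishing hosts in the list above follow two shapes: the whole legitimate hostname is reused as the leading labels of a host under an unrelated registrable domain (raven.cam.ac.uk.iftl.tk), or the institution's brand label is placed in attacker-controlled labels (blackboard.stonybrook.ernn.me). The following Python check flags both shapes so that a mail or proxy log can be screened against a list of known-good portal hostnames. It is an added example, not code from the article or from Malwarebytes; the "registrable domain" logic uses a tiny hand-written suffix set (MULTI_LABEL_SUFFIXES) as a stand-in for the Public Suffix List, and the SAMPLES rows are constructed from the table plus two benign controls.

```python
"""Lookalike-hostname check for phishing lists like the Silent Librarian table above.

Added example, not code from the article or from Malwarebytes. The
'registrable domain' logic uses a tiny hand-written suffix set as a stand-in
for the Public Suffix List; a real deployment would use the PSL (for example
via the tldextract package) instead.
"""
from typing import List, Optional, Tuple

# Stand-in for the Public Suffix List: public suffixes that take two labels.
MULTI_LABEL_SUFFIXES = {"ac.uk", "co.uk", "edu.au", "edu.sg"}

# Constructed sample: four rows taken from the table above plus two benign
# controls (the real site and one of its own subdomains).
SAMPLES: List[Tuple[str, str]] = [
    ("raven.cam.ac.uk.iftl.tk", "raven.cam.ac.uk"),
    ("blackboard.stonybrook.ernn.me", "blackboard.stonybrook.edu"),
    ("login.libproxy.kcl.ac.uk.itlt.tk", "kcl.ac.uk"),
    ("uu.blackboard.rres.me", "uu.blackboard.com"),
    ("raven.cam.ac.uk", "raven.cam.ac.uk"),
    ("lib.cam.ac.uk", "raven.cam.ac.uk"),
]


def registrable_domain(host: str) -> str:
    """Owner-controlled part of a hostname: 'raven.cam.ac.uk' -> 'cam.ac.uk',
    'raven.cam.ac.uk.iftl.tk' -> 'iftl.tk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_reason(host: str, legit: str) -> Optional[str]:
    """Why `host` looks like an impersonation of `legit`, or None if it does not.

    Two patterns appear in the table:
      1. the whole legitimate hostname reused as the leading labels of a host
         under an unrelated registrable domain (raven.cam.ac.uk.iftl.tk);
      2. the institution's brand label (first label of the legitimate
         registrable domain) placed in the attacker-controlled labels
         (blackboard.stonybrook.ernn.me).
    """
    host, legit = host.lower().rstrip("."), legit.lower().rstrip(".")
    host_rd, legit_rd = registrable_domain(host), registrable_domain(legit)
    if host_rd == legit_rd:
        return None  # same owner: the real site or one of its subdomains
    if host.startswith(legit + "."):
        return f"full legitimate hostname '{legit}' embedded under '{host_rd}'"
    brand = legit_rd.split(".")[0]
    # Labels to the left of the registrable domain are the attacker's to choose.
    attacker_labels = host[: -len(host_rd)].rstrip(".").split(".")
    if brand in attacker_labels:
        return f"brand label '{brand}' reused under '{host_rd}'"
    return None


def scan(pairs: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (host, reason) for every pair that is flagged as a lookalike."""
    flagged = []
    for host, legit in pairs:
        reason = lookalike_reason(host, legit)
        if reason:
            flagged.append((host, reason))
    return flagged


if __name__ == "__main__":
    for host, reason in scan(SAMPLES):
        print(f"{host}: {reason}")
```

    Run as a script it reports the four phishing rows and stays silent on the two controls. The brand-label rule is deliberately broad (any host whose attacker-controlled labels mention "cam" or "blackboard" is flagged), so in production it belongs behind an allowlist of third-party hosts the institution legitimately uses.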

  • in

    Accurics raises funding for self-healing cloud infrastructure

    Northern California-based startup Accurics has raised $20m in seed and Series A funding, mostly from Intel Capital, for improving the security of cloud-native applications with a self-healing approach. 
    Accurics ensures that the infrastructure code supporting developers creating cloud-native applications has no security risks and is able to actively plug future security threats.

    “There is a big shift to cloud-native applications which risks outpacing the security measures needed. We can programmatically mitigate security risks in the Cloud through Infrastructure as Code — before provisioning, allowing developers to concentrate on app functionality,” said co-founder and CEO Sachin Aggarwal.
    He said that raising money during the COVID-19 lockdown and pandemic wasn’t a problem but that everything had to be done via video with no face-to-face meetings. 
    “Our investors appreciate that COVID-19 has sped up the move to cloud native applications as companies beef up their e-commerce operations and supporting apps,” said Aggarwal.
    The rush to the cloud is outpacing the cyber-security needed for safe deployment — this is the gap that Accurics is targeting. 
    Accurics’ team of about 25 people has been working from home-based offices and has been able to create the foundation of Accurics’ self-healing cloud technology in just six months.
    A webinar “The Future of Cloud Native Security is Self-Healing” is planned for November 5 at 10am PST: https://bit.ly/3npypYV.


  • in

    Zoom to roll out end-to-end encrypted (E2EE) calls

    Video conferencing platform Zoom announced today plans to roll out end-to-end encryption (E2EE) capabilities starting next week.
    E2EE will allow Zoom users to generate individual encryption keys that will be used to encrypt voice or video calls between them and other conference participants.
    These keys will be stored locally and will not be shared with Zoom servers, meaning the software company won’t be able to access or intercept any ongoing E2EE meetings.
    Support for E2EE calls will first be part of Zoom clients to be released next week. To use the new feature, users must update their clients next week and enable support for E2EE calls at the account level.

    However, the feature won’t work if it’s not also enabled by conference hosts, who also have options at their disposal to limit calls only to users with E2EE enabled at their account level.
    Once enabled, a green shield will be shown in the top-left corner of all Zoom conferences if E2EE is active.
    This green shield will contain a lock if E2EE is active. If the lock is absent, Zoom will use its default AES 256-bit GCM encryption scheme, which the company uses to secure current communications, but which the company can also intercept.

    Zoom said next week’s E2EE rollout is part of a four-stage rollout process that will complete in 2021.
    “In Phase 1, all meeting participants must join from the Zoom desktop client, mobile app, or Zoom Rooms,” Zoom said today.
    The company said E2EE calls would support up to 200 participants, and the feature will be made available to all users, for both paid and free accounts.
    Zoom promised support for E2EE calls back in May, when the company faced a rash of criticism because of its weak security posture.

  • in

    German authorities raid FinFisher offices

    German authorities have raided the offices of FinFisher, a German software company that makes surveillance tools, accused in the past of providing software to oppressive regimes.
    The raids took place earlier this month, on October 6 and October 8, and were ordered by the Munich Public Prosecutor’s Office.
    Raids took place at locations across Germany and Romania. This included 15 properties (business premises and private apartments) around Munich and a company connected to FinFisher located in Romania, according to a spokesperson from the Munich Public Prosecutor’s Office.
    The raids are part of an investigation that began last year after a complaint [PDF] filed by Netzpolitik with Munich prosecutors in the summer of 2019. Other signatories on the complaint included advocacy groups such as the Society for Freedom Rights, Reporters Without Borders, and the European Center for Constitutional and Human Rights.
    The signatories argued that FinFisher’s malware had been installed on the devices of activists, political dissidents, and regular citizens in countries with oppressive regimes, countries to which FinFisher would have been prohibited from selling its software.
    FinFisher denied accusations and successfully sued the German blog, having it take down its original article; however, the criminal complaint had to run its course.
    Today’s raids are part of this legal process where German authorities are gathering evidence in relation to the claims made in the complaint, the Munich Public Prosecutor’s Office told ZDNet.
    FinFisher did not return an email seeking comment before this article’s publication.
    The company’s products are usually detected as malware by most antivirus products, including major products like Windows Defender.
    FinFisher surveillance tools are available for Windows, iOS, and Android. In the past, cyber-security firms have spotted FinFisher infections in more than 20 countries.
    FinFisher markets its tools as meant for law enforcement investigations and intelligence agencies. Known customers include the German federal police and Berlin police. However, the company’s tools have also been found on the devices of government critics and journalists in countries like Ethiopia, Bahrain, Egypt, and Turkey — countries where surveillance tools exports are prohibited.
    German news agency Tagesschau, which first reported the raids today, claims FinFisher had been using satellite companies in other countries to evade Germany’s stricter export restrictions on surveillance software.

  • in

    'Network access' sold on hacker forums estimated at $500,000 in September 2020

    The number of ads on hacking forums selling access to compromised IT networks has tripled in September 2020, compared to the previous month.

    In a report published today and shared with ZDNet, cyber-security firm KELA said it indexed 108 “network access” listings posted on popular hacking forums last month, collectively valued at a total asking price of around $505,000.
    Of these, KELA said around a quarter of the listings were sold to other threat actors looking to attack the compromised companies.
    The “initial access” market
    These types of ads have been posted on hacking forums for years, but for the most part, they’ve been a niche in the “initial access” market, with most cybercrime groups opting to buy access to compromised networks via criminal marketplaces selling RDP access (called “RDP shops”) or from malware botnet operators (known as Malware-as-a-Service, or “bot installs”).
    However, beginning with the summer of 2019, a large number of vulnerabilities in major networking products have been disclosed. This included vulnerabilities in Pulse Secure and Fortinet VPN servers, Citrix network gateways, Zoho computer fleet management systems, and many others.
    Threat actors were quick to exploit these vulnerabilities, compromising devices en masse. Many of these systems had to be monetized in some way or another.
    While some “initial access brokers” partnered with ransomware gangs, many didn’t have the deep connections and the needed reputation in a closed cybercrime economy to establish these partnerships from the get-go. Instead, these brokers began selling their compromised networks on popular hacking forums like XSS, Exploit, RAID, and others.
    But networking devices were only a part of the listings on these forums.
    Many brokers also sold access to compromised RDP or VNC endpoints. Most of these systems are compromised via brute-force attacks launched with IoT botnets, while others are bought from classic RDP shops, have their access expanded from user to admin levels, and then resold on forums at higher prices.
    Some networks sold for tens of thousands of US dollars
    Over the past year, these ads have been steadily increasing in frequency and the price for access to hacked networks.
    Based on its monitoring, KELA said that the average price for a compromised network sold on hacker forums is around $4,960, with the price range going from as low as $25 to as much as $102,000.
    KELA product manager Raveed Laeb said the price for a “network access” ad usually varies depending on factors such as the company value and the level of privilege.
    Obviously, networks with a compromised admin account are valued more than networks where the compromised account only has regular user privileges. However, this doesn’t seem to dissuade the seller, as some threat actors will only be looking for an initial foothold, having their own capabilities of escalating access.
    In some cases, it’s the initial access brokers doing the privilege escalation, with the perfect example being a seller who doubled their listing’s price by gaining access to an admin account after posting an initial version of their ad.

    Another interesting observation is that initial access brokers tend to use the “value” of a company rather than the size of its network when deciding on the price, citing statistics like annual revenue rather than the number of endpoints.
    This illustrates that initial access brokers are often tailoring their ads for ransomware gangs, where a victim’s annual revenue and profits are used to negotiate the ransom demand, rather than the size of the network, which is usually less significant as a well-placed ransomware attack can often cripple a company even without locking thousands of its computers.
    KELA, which analyzed some of the highest-priced ads posted in September, said it found brokers peddling access to a major maritime and shipbuilding company (sold for $102,000), a Russian bank ($20,000), a Turkish aviation firm ($16,000), and a Canadian franchise company ($10,600), with access for this victim’s network being sold in just a few hours.
    A larger “initial access” market is hidden in the shadows
    However, KELA says that hacking forums like the ones it’s tracking only provide a summary view of the entire “initial access” market, which is much, much larger.
    Initial access brokers also operate in closed circles, such as private RDP shops, via encrypted communications with selected clients, or via Malware-as-a-Service platforms, such as malware botnets.
    Tracking sales and victims via these mediums is impossible, but the glimpse security firms are getting by observing sales on public hacking forums shows just how lucrative this market can be, and how easily a hacked RDP endpoint or piece of networking equipment can find its way from the hands of a low-level attacker running a publicly shared exploit to professional malware gangs operating ransomware or POS malware.

  • in

    This major criminal hacking group just switched to ransomware attacks

    A widespread hacking operation that has been targeting organisations around the world in a phishing and malware campaign active since 2016 has now switched to ransomware attacks, reflecting how successful ransomware has become as a money-making tool for cyber criminals.
    Dubbed FIN11, the campaign has been detailed by cybersecurity researchers at FireEye Mandiant, who describe the hackers as a ‘well-established financial crime group’ which has conducted some of the longest running hacking campaigns.
    The group started by focusing attacks on banks, retailers and restaurants but has grown to indiscriminately target a wide range of sectors in different locations around the world, sending thousands of phishing emails out and simultaneously conducting attacks against several organisations at any one time.
    For example, in just one week, Mandiant observed concurrent campaigns targeting pharmaceuticals, shipping and logistics industries in both North America and Europe.
    But despite attacks targeting a wide variety of organisations around the world, many of the initial phishing campaigns are still customised on a target-by-target basis for the maximum possible chance of encouraging a victim to download a malicious Microsoft Office attachment which says macros must be enabled.
    This starts an infection chain which creates multiple backdoors into compromised systems, as well as the ability to grab admin credentials and move laterally across networks.
    FIN11 campaigns initially revolved around embedding themselves into networks in order to steal data, with researchers noting that the hacking group commonly deployed BlueSteal, a tool used to steal banking information from Point-of-Sale (POS) terminals.
    With finances being the focus of the group, it’s likely FIN11 sold this information to other cyber criminals on the dark web, or simply exploited the details for their own gain.
    But now FIN11 is using its extensive network as a means of delivering ransomware to compromised networks, with the attackers favouring Clop ransomware and demanding bitcoin to restore the network.
    Put simply, this shift in tactics is all about making as much money as possible – and ransomware has become a quick and easy way for cyber criminals to make money from a wider variety of targets.
    “FIN11 has likely shifted their primary monetization method to ransomware deployment because it is more profitable than traditional methods such as deploying POS malware,” Genevieve Stark, analyst at Mandiant Threat Intelligence told ZDNet.
    “Ransomware also increases the potential victim pool since it can be deployed at nearly any organization while POS malware is only effective against certain targets,” she added.
    In an effort to blackmail victims into paying the ransom, some ransomware gangs have taken to using their access to networks to steal sensitive or personal data and threaten to leak it if they don’t receive payment for the decryption key – and FIN11 has adopted this tactic, publishing data from victims who don’t pay.
    “FIN11’s adoption of data-theft and extortion to increase leverage on victims is further evidence that their motivations are exclusively financial,” said Stark.
    Based on analysis of Russian language in FIN11’s files, researchers say that this purely financially motivated operation is likely operating out of one of the Commonwealth of Independent States – and it’s highly likely the ransomware attacks will continue.
    “We anticipate that FIN11 will continue to conduct widespread phishing campaigns with consistently evolving delivery tactics for the foreseeable future,” said Stark.
    “FIN11 will probably continue conducting ransomware and data theft extortion for the immediate future, given many organizations acquiesce to extortion demands,” she added.
    The attacks have been prolific and successful, but organisations can avoid falling victim to campaigns by FIN11 and other financially motivated groups by following common security advice and applying patches to prevent attackers using known exploits to gain a foothold in networks.
    And with FIN11 and other hackers relying on Microsoft Office macros to conceal malicious payloads, it’s recommended that macros are disabled to stop them being used as a starting point for attacks.

  • in

    Google warns of severe 'BleedingTooth' Bluetooth flaw in Linux kernel

    Google has released details of a high-severity flaw affecting the Bluetooth stack in the Linux kernel versions below Linux 5.9 that support BlueZ.
    Linux 5.9 was just released two days ago and Intel is recommending in its advisory for the high-severity Bluetooth flaw, CVE-2020-12351, to update the Linux kernel to version 5.9 or later. 

    “Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access,” Intel notes in its advisory for CVE-2020-12351. BlueZ is found on Linux-based IoT devices and is the official Linux Bluetooth stack.
    Intel says the BlueZ project is releasing Linux kernel fixes to address the high-severity flaw, as well as fixes for two medium-severity flaws, CVE-2020-12352 and CVE-2020-24490. 
    CVE-2020-12352 is due to improper access control in BlueZ that “may allow an unauthenticated user to potentially enable information disclosure via adjacent access.” CVE-2020-24490 refers to BlueZ’s lack of proper buffer restrictions that “may allow an unauthenticated user to potentially enable denial of service via adjacent access.”
    Andy Nguyen, a security engineer from Google, reported the bugs to Intel.
    Researchers from Purdue University last month claimed that BlueZ was also vulnerable to BLESA (Bluetooth Low Energy Spoofing Attack), along with the Fluoride (Android), and the iOS BLE stack. 
    Google has detailed the bugs on the Google Security Research Repository on GitHub. Nguyen’s description of the BleedingTooth vulnerability sounds more serious than Intel’s write-up. 
    Nguyen says it’s a “zero click” Linux Bluetooth Remote Code Execution flaw and has published a short video demonstrating the attack using commands on one Dell XPS 15 laptop running Ubuntu to open the calculator on a second Dell Ubuntu laptop without any action taken on the victim’s laptop.  
    BlueZ contains several Bluetooth modules including the Bluetooth kernel subsystem core, and L2CAP and SCO audio kernel layers. 
    According to Francis Perry of Google’s Product Security Incident Response Team, an attacker within Bluetooth range who knows the target’s Bluetooth device address (bd address) can execute arbitrary code with kernel privileges. BleedingTooth affects Linux kernel versions from 5.8 up to, but not including, 5.9.
    “A remote attacker in short distance knowing the victim’s bd address can send a malicious l2cap packet and cause denial of service or possibly arbitrary code execution with kernel privileges. Malicious Bluetooth chips can trigger the vulnerability as well,” Perry writes. 
    Google has also published proof-of-concept exploit code for the BleedingTooth vulnerability.  
    Google plans to publish further details about BleedingTooth shortly on the Google Security Blog. 
    Intel recommends installing the following kernel fixes to address these issues if a kernel upgrade is not possible.

  • in

    IBM updates Cloud Pak for Security with new data security hub

    IBM is announcing a bevy of updates to Cloud Pak for Security, its platform for tackling cybersecurity threats across multicloud and hybrid environments. 

    Launched last year as the foundation of IBM’s open security strategy, Cloud Pak for Security is designed to glean threat information and insights from various sources without having to move data. The system leverages IBM’s investment in Red Hat, including OpenShift, and is designed specifically to unify security across hybrid cloud environments.
    Over the last year IBM has expanded the capabilities within Cloud Pak for Security to address some of the key components of threat management — such as detection, investigation and response — using AI and automated workflows.  
    IBM is now rolling out new capabilities that aim to extend the platform even further, including a new integrated data security hub that promises to bring data security insights directly into threat management and security response platforms. IBM posits that data security has historically been siloed from threat management, focused on policy and compliance rather than integrated into threat detection and response.
    With integrated data security, IBM said it can connect these previously siloed functions and offer security and response teams greater visibility into data-level security.
    In addition to the data security hub, IBM is also announcing pre-built connectors for five third-party threat intelligence feeds, and dedicated service offerings that aim to help Cloud Pak customers get up and running on the platform.
    “With these updates, Cloud Pak for Security will include access to six threat intelligence feeds, 25 pre-built connections to IBM and third-party data sources, and 165 case management integrations which are connected through advanced AI to prioritize threats, and automation playbooks to streamline response actions for security teams,” IBM said in a press release. “With the new capabilities, Cloud Pak for Security has become the first platform in the industry to connect data-level insights and user behavior analytics with threat detection, investigation and response.”