More stories

  • Toyota to bring LTE to vehicles in Australia with Telstra and KDDI

    Toyota Motor Corporation Australia (TMCA) announced on Tuesday it was partnering with Telstra to bring LTE connectivity to “select TMCA vehicles” in late 2020.
    The connectivity will initially be used for “new safety and security services designed to provide customers with additional peace of mind”, the companies said.
    Details on the functionality are otherwise scant, with the platform used being built by Toyota and Japanese telco KDDI.
    At the start of last year, KDDI announced they would use AT&T to provide LTE connectivity to Toyota and Lexus vehicles in the US, which would allow for Wi-Fi hotspots within cars, remote start and climate control, diagnostics, safety connectivity, and the ability to download areas to navigation systems.
    Earlier on Tuesday, Minister for Home Affairs Peter Dutton announced that Telstra CEO Andy Penn would chair the Industry Advisory Committee, a permanent committee that would advise the government on cyber matters, and the implementation of the 2020 Cyber Security Strategy.
    Penn was the chair of the temporary industry advisory panel that provided 60 recommendations to feed into the strategy, which included the creation of the permanent committee.
    Joining Penn will be deputy chair of the committee and chair of AUCloud Cathie Reid; CSO of NBN Darren Kane; CEO of Northrop Grumman Australia Chris Deeble; NextDC, Megaport, and Superloop founder Bevan Slattery; CEO of Cyber Security Cooperative Research Centre Rachael Falk; CEO of Macquarie Telecom Group David Tudehope; trust and risk business leader at PwC Australia Corinne Best; NAB group executive for technology and enterprise operations Patrick Wright; and former Labor foreign minister and now chair of University of Western Australia Public Policy Institute Professor Stephen Smith.

  • Home Affairs concerned with Facebook's plans to create world's 'biggest dark web'

    Secretary of Australia’s Department of Home Affairs Mike Pezzullo has shared his concerns on Facebook’s plans to create a brand new online space for nefarious activity.

    “We are particularly concerned about Facebook’s plans to go to end to end encryption of their entire platform to create, in effect, the world’s biggest dark web,” he told Senate Estimates on Tuesday.
    Pezzullo joined members of the Australian Federal Police (AFP) at Senate Estimates, who detailed that there had been an increase in child sex offenders exploiting “both the clear web and the dark web” during the COVID-19 pandemic.
    The secretary said the AFP and his department were very concerned with the amount of traffic that had flipped over to the dark web.
    “Unlike the challenge that’s being dealt with by this Parliament in relation to encryption — at least with encryption you know where the devices are, you know where the server is, you can geolocate typically the administrator — the dark web … you start to lose the trace of where the devices are, where the IP addresses are, who is logging into these abhorrent sites, where the administrator is, where the server is,” Pezzullo said.
    “At some point, we’ll be chasing so much ground that it will be almost impossible for the deputy commissioner and his colleagues to do anything other than, to use a colloquial phrase, whack-a-mole. All the operations that are currently conducted essentially to run in effect virtual controlled operations and undercover operations, you’ll have so many of them that the adversary will simply be moving from platform to platform, server to server, network to network.”
    He pointed to the recently announced cybersecurity strategy, however, as a resource for providing his department and its law enforcement agencies with the mandate to “attack” the dark web.
    “We’re working very closely with the AFP and other agencies [on] how do we attack the dark web, how do we strip back the legitimate anonymity that on occasions, through VPNs and the like, is entitled and is available for use in relation to your privacy. What you’re not entitled to is then to use that anonymisation to hide these abhorrent criminal networks such that they basically disappear off the grid,” he continued.
    “The dark web is particularly pernicious and concerning from this point of view because it’s getting harder and harder to defeat the anonymisation capability and they can literally just disappear off the grid.
    “It will almost get to a point where we don’t know where these people are.”
    Pezzullo was asked if his department has thought of introducing a banking-style know your customer initiative where the burden would be on the tech giants to validate that a user is who they say they are.
    In response, the secretary pointed to the Digital Platforms work underway by the Australian Competition and Consumer Commission and took the question on notice, highlighting again that his concern was with the activities conducted on encrypted platforms.
    AFP Deputy Commissioner Brett Pointing also told the committee that there was currently work being done around protecting personnel from being exposed to the material they see to prosecute offenders.
    “No one should have to see [it],” he said. “So we’re actually doing a lot of work in the IT space to try and develop classification systems that limit the amount of time that our police are exposed to it.”

  • UK says Russia was preparing cyber-attacks against the Tokyo Olympics

    The UK government said today that Russian hackers were preparing cyber-attacks against the organizers of the Tokyo Olympics and Paralympic Games that were set to take place this summer in Japan before they were postponed to next year due to the ongoing COVID-19 pandemic.


    Russian activity involved reconnaissance operations, according to a press release from the UK National Cyber Security Centre (NCSC).
    Targets included the Games’ organizers, logistics services, and sponsors, the UK government said in a separate press release.
    “The GRU’s actions against the Olympic and Paralympic Games are cynical and reckless,” said UK Foreign Secretary Dominic Raab.
    “We condemn them in the strongest possible terms.”
    UK authorities believe Russian hackers intended to sabotage the Olympic Games, similar to the cyber-attacks they carried out against the organizers of the 2018 Winter Olympic and Paralympic Games in Pyeongchang, South Korea.
    In February 2018, Russian hackers deployed the OlympicDestroyer malware that crippled web servers during the opening ceremony of the 2018 Winter Olympics.
    The attacks were carried out because the International Olympic Committee had banned Russian athletes from participating at the event under the Russian flag, citing a state-sponsored doping program.
    The same ban, originally imposed for the Rio 2016 Summer Olympics, has also been extended to the Tokyo Olympics this year, with Russian athletes being banned from competing under the Russian flag again.
    Now, UK officials say that Russia appears to have been preparing similar attacks to sabotage the 2020 Olympics as well.
    UK officials said that responsible for these planned attacks was a Russian hacking group known as Sandworm, the same group behind the OlympicDestroyer destructive attacks at the Pyeongchang Olympics.
    Sandworm hackers charged in the US
    The UK government’s statement coincided with the announcement of formal charges against six Sandworm members by the US Department of Justice earlier today.
    US officials charged Sandworm hackers for orchestrating not only the OlympicDestroyer attacks at the 2018 Pyeongchang Olympics but also a series of many other attacks, such as:
    - attempts to sabotage Ukraine’s power grid in 2015 and 2016 with the BlackEnergy and Industroyer malware
    - attempts to sabotage Ukrainian government networks with the KillDisk disk-wiping malware
    - creating the NotPetya ransomware that caused a global outbreak in June 2017
    - interfering in the French 2017 elections
    - arranging cyber-attacks against the organizations investigating the Novichok poisonings in the UK
    - mass-defacing thousands of Georgian sites in 2019
    US officials blamed these attacks on Sandworm, a hacker group it said was composed of members of Unit 74455 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency part of the Russian Army. 
    In its press release today, the UK government formally confirmed the accusations made in the US indictments and also raised the alarm about Sandworm’s planned attacks on Tokyo 2020 Olympics organizers.

  • CyberCX pays AU$25m for Decipher Works and CloudTen

    CyberCX, the group of security companies headed by two of Australia’s most experienced technology and cyber veterans, has continued its expansion, this time scooping up a pair of local cybersecurity firms from ASX-listed Vortiv Limited for AU$25 million.  
    Identity management firm Decipher Works and cloud security specialists CloudTen will join the cybersecurity megamix, subject to shareholder and regulatory approvals.
    CyberCX said both companies provide specialised solutions in the cybersecurity, identity, data analytics, and cloud services sector and have enterprise customer bases across financial services, education, government, transport, manufacturing, and services sectors.
    “We are committed to delivering the market-leading cloud security and identity security capability,” CyberCX CEO John Paitaridis said. 
    “Decipher Works and CloudTen bring expertise and synergies that complement our mature cybersecurity capabilities and which will deepen CyberCX’s identity and cloud security expertise.”
    Paitaridis has touted that both businesses have impressive talent and capabilities.
    CyberCX, backed by private equity firm BGH Capital, in October 2019 brought together 12 of Australia’s independent cybersecurity brands: Alcorn, Assurance, Asterisk, CQR, Diamond, Enosys, Klein&Co, Phriendly Phishing, Sense of Security, Shearwater, TSS, and YellIT.
    It is headed by Alastair MacGibbon, former head of the Australian Cyber Security Centre and once special adviser on cybersecurity to former Prime Minister Malcolm Turnbull, as well as Paitaridis, who was formerly Optus Business’ managing director.
    Decipher Works and CloudTen join the growing list of companies now under the CyberCX umbrella, with two Melbourne-based startups, Basis Networks and Identity Solutions, being scooped up in July.
    A month later, CyberCX pushed into the New Zealand market, adding its first Kiwi acquisition in Insomnia Security.
    CyberCX has a workforce of over 600 cybersecurity professionals and a footprint of over 20 offices across Australia and New Zealand.

  • US charges Russian hackers behind NotPetya, KillDisk, OlympicDestroyer attacks

    The US Department of Justice has unsealed charges today against six Russian nationals believed to be members of one of Russia’s elite hacking and cyberwar units — known as Sandworm.
    In court documents today, US officials said all six suspects are officers in Unit 74455 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency part of the Russian Army.
    As part of this unit, US officials said the six conducted “destructive” cyber-attacks on behalf and under orders of the Russian government with the intent to destabilize other countries, interfere in their internal politics, and cause havoc and monetary losses.
    Their attacks span the last decade and include some of the biggest cyber-attacks known to date: 
    Ukrainian Government & Critical Infrastructure: From December 2015 through December 2016, the group orchestrated destructive malware attacks against Ukraine’s electric power grid, the Ukraine Ministry of Finance, and the Ukraine State Treasury Service, using malware that altered industrial equipment (BlackEnergy in 2015 and Industroyer in 2016) or wiped hard drives (KillDisk).
    French Elections: In April and May 2017, Sandworm orchestrated spearphishing campaigns and related hack-and-leak efforts targeting French President Macron’s “La République En Marche!” (“En Marche!”) political party, French politicians, and local French governments prior to the 2017 French elections.
    The NotPetya Ransomware Outbreak: On June 27, 2017, Sandworm released the NotPetya ransomware. Initially aimed at Ukrainian companies, the ransomware quickly spread and impacted companies all over the world, causing damages of more than $1 billion to its victims.
    PyeongChang Winter Olympics Hosts, Participants, Partners, and Attendees: Between December 2017 through February 2018, Sandworm launched spearphishing campaigns and malicious mobile applications targeting South Korean citizens and officials, Olympic athletes, partners, and visitors, and International Olympic Committee (“IOC”) officials. The attacks took place after Russian athletes were banned from the sporting event due to a state-sponsored doping scheme.
    PyeongChang Winter Olympics IT Systems (Olympic Destroyer): From December 2017 through February 2018, Sandworm orchestrated intrusions into computers supporting the 2018 PyeongChang Winter Olympic Games, which culminated in the February 9, 2018, with the release of Olympic Destroyer, a destructive malware strain that attempted to wipe crucial servers during the opening ceremony.
    Novichok Poisoning Investigations: In April 2018, the Sandworm group orchestrated spearphishing campaigns targeting investigations by the Organisation for the Prohibition of Chemical Weapons (“OPCW”) and the United Kingdom’s Defence Science and Technology Laboratory’s (“DSTL”) into the nerve agent poisoning of Sergei Skripal, his daughter, and several UK citizens.
    Georgian Companies and Government Entities: In 2018, Sandworm carried out spearphishing campaigns targeting a major media company in the country of Georgia. These attacks were followed in 2019 by efforts to compromise the network of Georgian Parliament, and a mass website defacement campaign in 2019.
    But these are only the attacks documented in the DOJ indictment [PDF] unsealed today. They represent only a fraction of the group’s vast cyber-operations, which go back as far as 2010.
    Reports from the cyber-security industry covering the group’s history are also available; the group is also referenced as Telebots, BlackEnergy, Voodoo Bear, and under other codenames.
    But above all, the group is universally known as Sandworm. However, the six nationals indicted today are only the Sandworm members who could individually be linked to past Sandworm attacks. The group is believed to be made up of many more other GRU officers.
    The six GRU officers charged today, and the overt acts attributed to each of them, are listed below:

    Yuriy Sergeyevich Andrienko
      - Developed components of the NotPetya and Olympic Destroyer malware.

    Sergey Vladimirovich Detistov
      - Developed components of the NotPetya malware; and
      - Prepared spearphishing campaigns targeting the 2018 PyeongChang Winter Olympic Games.

    Pavel Valeryevich Frolov
      - Developed components of the KillDisk and NotPetya malware.

    Anatoliy Sergeyevich Kovalev
      - Developed spearphishing techniques and messages used to target:
          - En Marche! officials;
          - employees of the DSTL;
          - members of the IOC and Olympic athletes; and
          - employees of a Georgian media entity.

    Artem Valeryevich Ochichenko
      - Participated in spearphishing campaigns targeting 2018 PyeongChang Winter Olympic Games partners; and
      - Conducted technical reconnaissance of the Parliament of Georgia official domain and attempted to gain unauthorized access to its network.

    Petr Nikolayevich Pliskin
      - Developed components of the NotPetya and Olympic Destroyer malware.

    The six suspects are still at large in Russia. If they are apprehended and tried in the US, each would face a sentence of tens of years in prison.
    Irresponsible use of destructive malware
    But today’s case is also an oddity in the cyber-security industry. International norms exempt cyber-espionage operations from international prosecution, as cyber-espionage is considered an arm of normal intelligence gathering operations.
    But speaking at a press conference today, US officials said Sandworm’s cyber-attacks often relied on the indiscriminate use of malware with destructive capabilities that caused not only financial losses to thousands of companies but also put human life at risk, showing a disregard for regular cyber-norms.
    “As this case shows, no country has weaponized its cyber capabilities as maliciously and irresponsibly as Russia, wantonly causing unprecedented collateral damage to pursue small tactical advantages and to satisfy fits of spite,” said Assistant Attorney General for National Security John C. Demers, referring to attacks like BlackEnergy, NotPetya, and OlympicDestroyer, all of which were not aimed at intelligence gathering but were clear destructive attacks intent on sabotage.
    US Attorney Scott W. Brady, one of the US prosecutors, said the US has been working on a case against Sandworm operators for more than two years, as part of the aftermath of the NotPetya ransomware outbreak.
    “The crimes committed by Russian government officials were against real victims who suffered real harm,” Brady said in a prepared statement. “We have an obligation to hold accountable those who commit crimes – no matter where they reside and no matter for whom they work – in order to seek justice on behalf of these victims.”
    Shortly after the indictments were announced, the UK government also formally accused Russia’s Sandworm group of attempts to disrupt this year’s Tokyo Olympics before the event was moved to next year due to COVID-19. The UK also showed support for the US legal case.

  • New Gitjacker tool lets you find .git folders exposed online

    A new tool called Gitjacker can help developers discover when they’ve accidentally uploaded /.git folders online and have left sensitive information exposed to attackers.

    Gitjacker was created by British software engineer Liam Galvin, is written in Go, and was released as a free download last month on GitHub.
    In its simplest form, the tool lets users scan a domain and identify the location of a /.git folder on their production systems.
    /.git folders should never be uploaded online.
    “A .git directory stores all of your [Git] repository data, such as configuration, commit history, and actual content of each file in the repository,” Galvin said in a blog post last month when he launched Gitjacker.
    “If you can retrieve the full contents of a .git directory for a given website, you will be able to access raw source code for that site, and often juicy configuration data like database passwords, password salts, and more,” he added.
    All developers know this; however, accidents happen.
    For example, developers working on a website or a web app can accidentally copy their entire Git repository online, including the /.git folder, and forget to remove it. Furthermore, /.git folders can also be included in automated build chains and added to Docker containers that are later installed as web servers.
    Gitjacker not only finds /.git folders but can also fetch their content
    Attackers can scan the internet for these types of folders, identify accidentally exposed systems, download their content, and gain access to sensitive configuration data or even to an app’s source code.
    “Webservers with directory listings enabled make this kind of attack especially easy, as it’s simply a matter of recursively downloading every file in the .git directory and running the following to pull files from the stored object files: git checkout -- .”, Galvin said.
    “The attack is still possible when directory listings are disabled, but it’s often difficult to retrieve a complete repository in such cases,” Galvin added.
    However, this is where Gitjacker comes in. Galvin said he developed Gitjacker to handle the download and extraction of a git repository for users, even in cases where web directory listings are disabled.
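    The exposure Galvin describes is easy to verify on a site you operate before anyone else does. The script below is an added example written for this page, not Gitjacker’s code or Galvin’s: it requests /.git/HEAD, the one file every Git repository contains, and classifies the response, distinguishing a genuine HEAD file from a “soft 404” HTML page that a status-code-only check would misreport as exposed. The sample responses are constructed so the classifier can be exercised offline; the check_site function name and its User-Agent string are the example’s own choices.

```python
"""Defender-side check: is a site you operate serving its /.git directory?

Added example (not Gitjacker's code). It fetches /.git/HEAD, the one file every
Git repository has, and classifies the response. Sample responses below are
constructed to exercise the classifier offline."""
import re
import urllib.error
import urllib.request

# A real HEAD file is either a symbolic ref ("ref: refs/heads/main") or a
# detached 40-hex-character commit id. Anything else is not a Git HEAD.
_HEAD_RE = re.compile(rb"^(ref: refs/\S+|[0-9a-f]{40})$")


def looks_like_git_head(body: bytes) -> bool:
    """True if the body is plausibly a Git HEAD file rather than an HTML page."""
    return _HEAD_RE.match(body.strip()) is not None


def classify_response(status: int, body: bytes) -> str:
    """Classify a GET /.git/HEAD response.

    'exposed'  - 200 with genuine HEAD content: the repository is downloadable
    'blocked'  - 401/403: the server refuses the path (the desired state)
    'absent'   - 404: nothing there
    'unclear'  - anything else, e.g. a 200 'soft 404' HTML page that a naive
                 status-only check would misreport as exposed
    """
    if status in (401, 403):
        return "blocked"
    if status == 404:
        return "absent"
    if status == 200 and looks_like_git_head(body):
        return "exposed"
    return "unclear"


def check_site(base_url: str, timeout: float = 5.0) -> str:
    """Live check against a host you are authorised to test (hypothetical helper)."""
    url = base_url.rstrip("/") + "/.git/HEAD"
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read(4096))
    except urllib.error.HTTPError as e:
        return classify_response(e.code, b"")
    except urllib.error.URLError:
        return "unclear"


# Constructed sample responses, one per outcome the classifier distinguishes.
SAMPLES = {
    "exposed-symbolic": (200, b"ref: refs/heads/main\n"),
    "exposed-detached": (200, b"3f786850e387550fdab836ed7e6dc881de23001b\n"),
    "soft-404": (200, b"<html><body>Page not found</body></html>"),
    "denied": (403, b"Forbidden"),
    "missing": (404, b""),
}


def classify_samples() -> dict:
    """Run the classifier over the constructed samples; returns name -> verdict."""
    return {name: classify_response(s, b) for name, (s, b) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:18s} -> {verdict}")
```

    If the verdict for a site you own is “exposed”, the fix is to stop serving the directory rather than to hide the listing: on nginx a rule such as `location ~ /\.git { deny all; }` in the server block returns 403 for every path under .git, and removing the directory from the deployed tree (or from the container image) removes the problem entirely.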
    Galvin said he developed the tool to be used in penetration tests, but due to its capabilities, Gitjacker will most likely be abused by threat actors as well (as threat actors have a long history of abusing open source tools for their operations).
    And why not? Gitjacker’s capabilities allow attackers to retrieve sensitive configuration files with a few keyboard strokes.
    In addition, there’s an incentive for attackers to look for /.git folders. Even after years of warnings [1, 2, 3, 4], /.git exposure is still in high numbers, meaning attackers will have an easy time finding domains with /.git folders left exposed online.
    For example, in 2018, a Czech developer scanned more than 230 million sites and found that 390,000 were exposing /.git folders, but only 150,000 of these were fixed.

  • This new malware uses remote overlay attacks to hijack your bank account

    Researchers have uncovered a new form of malware using remote overlay attacks to strike Brazilian bank account holders.

    The new malware variant, dubbed Vizom by IBM, is being utilized in an active campaign across Brazil designed to compromise bank accounts via online financial services. 
    On Tuesday, IBM security researchers Chen Nahman, Ofir Ozer, and Limor Kessem said the malware uses interesting tactics to stay hidden and to compromise user devices in real-time — namely, remote overlay techniques and DLL hijacking. 
    Vizom spreads through spam-based phishing campaigns and disguises itself as popular videoconferencing software, tools that have become crucial to businesses and social events due to the coronavirus pandemic. 
    Once the malware has landed on a vulnerable Windows PC, Vizom will first strike the AppData directory to begin the infection chain. By harnessing DLL hijacking, the malware will attempt to force the loading of malicious DLLs by naming its own Delphi-based variants with names expected by the legitimate software in their directories. 
    By hijacking a system’s “inherent logic,” IBM says the operating system is tricked into loading Vizom malware as a child process of a legitimate videoconferencing file. The DLL is named Cmmlib.dll, a file associated with Zoom. 
    “To make sure that the malicious code is executed from “Cmmlib.dll,” the malware’s author copied the real export list of that legitimate DLL but made sure to modify it and have all the functions direct to the same address — the malicious code’s address space,” the researchers say. 
    A dropper will then launch zTscoder.exe via command prompt and a second payload, a Remote Access Trojan (RAT), is extracted from a remote server — with the same hijacking trick performed on the Vivaldi Internet browser. 
    To establish persistence, browser shortcuts are tampered with and no matter what browser a user attempts to run, the malicious Vivaldi/Vizom code will run in the background. 
    The malware will then quietly wait for any indication that an online banking service is being accessed. If a webpage’s title name matches Vizom’s target list, operators are alerted and can connect remotely to the compromised PC. 
    As Vizom has already deployed RAT capabilities, attackers can take over a compromised session and overlay content to trick victims into submitting access and account credentials for their bank accounts. 
    Remote control capabilities also abuse Windows API functions, such as moving a mouse cursor, initiating keyboard input, and emulating clicks. Vizom can also grab screenshots through Windows print and magnifier functions. 
    In order to create convincing overlays, the malware generates HTML files and then loads them in Vivaldi in application mode. A keylogger is then launched, with input encrypted, packaged, and whisked away to the attacker’s command-and-control (C2) server. 
    “The remote overlay malware class has gained tremendous momentum in the Latin American cybercrime arena through the past decade making it the top offender in the region,” IBM says. “At this time, Vizom focuses on large Brazilian banks, however, the same tactics are known to be used against users across South America and has already been observed targeting banks in Europe as well.”


  • Albion Online game maker discloses data breach

    A hacker has breached the forum of Albion Online, a popular free medieval fantasy MMORPG, and stole usernames and password hashes, the game maker disclosed on Saturday.

    “The intruder was able to access forum user profiles, which include the email addresses connected to those forum accounts,” said Sandbox Interactive GmbH, the company behind Albion Online.
    The attacker also harvested password hashes. Sandbox Interactive said the passwords were hashed with the Bcrypt password-hashing function and then salted with random data to make it harder for attackers to reverse and crack the password.
    “These can NOT be used to log in to Albion Online, the website or the forum, nor can they be used to learn the passwords themselves,” the German game maker said.
    “However, there is a small possibility they could be used to identify accounts with particularly weak passwords.”
    Users who reused emails and passwords for both their game and forum account are at particular risk.
    As a result of the unauthorized intrusion, the game maker asked forum users to reset passwords via a forum post on Saturday, and emails delivered to all impacted users.
    The company did not disclose the size of the breach.
    Sandbox Interactive said the intrusion took place on Friday, October 16, and the attacker utilized a vulnerability in its forum platform, known as WoltLab Suite.
    The vulnerability is now patched, the game maker said.

    Our forum has gone down for an emergency maintenance that will last several hours. The game and website will remain online and will not be affected by this maintenance.
    — Albion Online (@albiononline) October 16, 2020

    Sandbox Interactive said it’s compiling a report on the attack to provide to authorities.
    “So far we have prioritized fixing vulnerabilities and informing players about this incident,” it said.
    Albion Online was launched in July 2017 and is available as a free-to-play game for Windows, macOS, Linux, iOS, and Android.
    The game is believed to have more than 2.5 million players, while the Albion Online forum lists 293,602 registered members at the time of publishing.
    On Saturday, a hacker claimed to be in possession of the site’s database, which they began advertising for sale on a well-known hacker forum. The post has now been deleted.

    Threat actor claims he hacked Albion Online, a large MMORPG with over 180,000 daily players. The actor is claiming he has access to the main game’s database, the payment database, and other databases containing sensitive information.
    — Alon Gal (Under the Breach) (@UnderTheBreach) October 17, 2020