More stories


    Enterprises need to change passwords following ClickStudios, Passwordstate attack

    ClickStudios has told its global customer base to start changing passwords following a breach that resulted in a supply chain attack. The Australian software company, which makes the Passwordstate password manager, suffered a breach between April 20 and April 22. CSIS Security Group, which dealt with the breach, posted the attack details. ClickStudios outlined the attack in an advisory. The company said:

    “Initial analysis indicates that a bad actor using sophisticated techniques compromised the In-Place Upgrade functionality. The initial compromise was made to the upgrade director located on Click Studios website www.clickstudios.com.au. The upgrade director points the In-Place Upgrade to the appropriate version of software located on the Content Distribution Network. The compromise existed for approximately 28 hours before it was closed down. Only customers that performed In-Place Upgrades between the times stated above are believed to be affected. Manual Upgrades of Passwordstate are not compromised. Affected customers’ password records may have been harvested.”

    The supply chain attack was initiated via an update of the Passwordstate app. In a post, CSIS said its researchers found the attack during an investigation. “As recommended by ClickStudios, if you are using Passwordstate, please reset all the stored passwords, and especially VPNs, Firewall, Switches, local accounts or any server passwords etc,” said CSIS, which dubbed this incident/malware “Moserpass”. ClickStudios’ letter to customers was posted on Twitter via Polish news site Niebezpiecznik (via The Record).

    Aside from the obvious hassle of changing enterprise passwords on Friday and the weekend, Passwordstate touches multiple key areas of a company, including:
      • Auditing and compliance reporting.
      • Local admin accounts on your network.
      • Active Directory.
      • Credentials management and remote sessions.
      • API integration.
      • Access control.
      • Two-factor authentication, among others.
    Image: Passwordstate from ClickStudios
    Add it up and Passwordstate made for a nice target because it has multiple touch points in an enterprise.

    As for the remediation for Passwordstate customers, ClickStudios outlined the following:

    “Customers have been advised to check the file size of moserware.secretsplitter.dll located in their c:\inetpub\passwordstate\bin directory. If the file size is 65kb then they are likely to have been affected. They are requested to contact Click Studios with a directory listing of c:\inetpub\passwordstate\bin output to a file called PasswordstateBin.txt and send this to Click Studios Technical Support. Affected customers are then advised by Click Studios Technical Support via email to:
    1. Download the advised hotfix file
    2. Use PowerShell to confirm the checksum of the hotfix file matches the details supplied
    3. Stop the Passwordstate Service and Internet Information Server
    4. Extract the hotfix to the specified folder
    5. Restart the Passwordstate Service, and Internet Information Server

    Once this is done it is important that customers commence resetting all Passwords contained within Passwordstate. These may have been posted to the bad actor’s CDN network. Click Studios recommends prioritizing resets based on the following:
    1. All credentials for externally facing systems, i.e., Firewalls, VPN, external websites etc.
    2. All credentials for internal infrastructure, i.e., Switches, Storage Systems, Local Accounts
    3. All remaining credentials stored in Passwordstate”
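    The pre-hotfix checks from the advisory above (DLL size, directory listing for support, and the hotfix checksum from step 2) as an added PowerShell example; this is not Click Studios’ own tooling. The bin path and file names come from the advisory; the hotfix location, the use of SHA-256, and the expected hash value are assumptions or placeholders that support would supply.

```powershell
# Added example, not ClickStudios' own tooling: the pre-hotfix checks from the
# advisory. The bin path and file names are from the advisory; the hotfix path,
# the SHA-256 algorithm and the expected hash are assumptions / placeholders.
param(
    [string]$BinDir         = 'C:\inetpub\passwordstate\bin',
    [string]$HotfixPath     = 'C:\Temp\Passwordstate_hotfix.zip',          # assumed location
    [string]$ExpectedSha256 = '<SHA256 FROM CLICK STUDIOS SUPPORT EMAIL>'  # placeholder
)

# Check 1: size of moserware.secretsplitter.dll. The advisory names 65 KB as the
# indicator of a tampered build; report exact bytes so support can compare them.
$dll = Join-Path $BinDir 'moserware.secretsplitter.dll'
if (-not (Test-Path -LiteralPath $dll)) {
    Write-Warning "Not found: $dll"
} else {
    $bytes  = (Get-Item -LiteralPath $dll).Length
    $sizeKb = [math]::Ceiling($bytes / 1KB)   # same whole-KB rounding Explorer shows
    Write-Output "moserware.secretsplitter.dll: $bytes bytes (~$sizeKb KB)"
    if ($sizeKb -eq 65) {
        Write-Warning 'Size matches the 65 KB indicator in the advisory; treat this host as likely affected.'
    }
}

# Check 2: directory listing of the bin folder for Click Studios Technical
# Support, written to PasswordstateBin.txt as the advisory requests.
$listing = Join-Path $env:TEMP 'PasswordstateBin.txt'
Get-ChildItem -LiteralPath $BinDir -File |
    Select-Object Name, Length, LastWriteTime |
    Format-Table -AutoSize |
    Out-File -LiteralPath $listing -Encoding utf8
Write-Output "Directory listing written to $listing"

# Check 3 (advisory step 2): confirm the hotfix checksum before stopping the
# service. Get-FileHash returns upper-case hex, so compare case-insensitively.
if (Test-Path -LiteralPath $HotfixPath) {
    $actual = (Get-FileHash -LiteralPath $HotfixPath -Algorithm SHA256).Hash
    if ($actual -ieq $ExpectedSha256) {
        Write-Output 'Hotfix checksum matches; proceed with advisory steps 3 to 5.'
    } else {
        Write-Warning "Hotfix checksum mismatch (got $actual); do not install it."
    }
} else {
    Write-Warning "Hotfix not found at $HotfixPath; download it first (advisory step 1)."
}
```

    Run it from an elevated PowerShell prompt on the Passwordstate web server; the script only reads files and writes the listing, so it is safe to run before support replies.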


    Ransomware is growing at an alarming rate, warns GCHQ chief

    The scale and severity of ransomware is growing at an alarming rate as cyber criminals look to exploit poor cybersecurity to maximise profit, the director of GCHQ has warned.

    Organisations and their employees have been forced to adapt to different ways of working over the last year, with many now even more reliant on remote services and online collaboration platforms. But while the increased use of digital technology has provided people with many benefits, it is also benefiting cyber criminals who are able to exploit it for their own gain.

    “Our reliance on technology to stay close to loved ones, enable different ways of working and access crucial services has dramatically increased. Most of this has been to our benefit. But it’s benefited our foes too as they exploit the accelerations in connectivity and poor cybersecurity,” said Jeremy Fleming, director of GCHQ, the UK’s intelligence and cyber agency.

    Delivering this year’s Imperial College Vincent Briscoe Annual Security Lecture, Fleming warned how hostile nation-states are looking to exploit the digital realm to conduct cyber attacks – including attempts to steal coronavirus research and exploit supply chains with malware and phishing attacks. But cyber criminal gangs also represent a major threat, and Fleming warned that ransomware in particular represents a cybersecurity danger for organisations of all kinds.

    “We’ve seen ransomware become a serious threat, both in terms of scale and severity. Increasingly, it targets crucial providers of public services, as well as businesses, as criminals play on our dependence on tech,” he said.

    Ransomware attacks involve cyber criminal groups infiltrating networks and locking files and servers with encryption, then demanding a ransom of millions of dollars – often in Bitcoin – for the decryption key to return the files. The rise in remote working has provided cyber criminals with additional avenues to gain initial access to networks, as they exploit remote desktop services and VPNs that are often secured with common or default passwords, while the nature of remote work makes it more difficult for information security teams to differentiate legitimate behaviour from potentially suspicious activity.

    That’s led to a rise in ransomware attacks against organisations in all sectors – and the attacks remain successful because a significant percentage of victims will pay the ransom of millions in order to retrieve their files.

    “It has resulted in serious disruptions to education, health and local authorities, caused huge losses for unprepared businesses and has rapidly become a significant threat to our supply chains,” said Fleming. “There’s a whole other lecture here about the need for concerted action to address this trend – but for now, all I’d say is that it’s growing at an alarming rate.”

    While ransomware is a growing threat to organisations, there are cybersecurity procedures which can help make networks more resilient against attacks. They include avoiding the use of default login credentials and adding two-factor authentication to help secure user accounts. Organisations should also apply security patches and updates as soon as possible after they’re released, to stop cyber criminals exploiting known vulnerabilities as part of attacks.


    China could 'control the global operating system' of tech, warns UK spy chief

    The West must continue investing in and developing cyber defences or risk falling behind in a world where innovations around the use of technology aren’t necessarily driven by allies. The director of the UK’s intelligence and cyber agency GCHQ Jeremy Fleming said the country is now a global cyber power – but retaining that status in a fast-changing world is far from guaranteed, especially as China and Russia look to spread competing values and project cyber strength via the use of technology. “New technology is enabling life online. Cybersecurity is an increasingly strategic issue that needs a whole-nation approach. The rules are changing in ways not always controlled by government,” said Fleming.

    “And without action, it is increasingly clear that the key technologies on which we will rely for our future prosperity and security won’t be shaped and controlled by the West. We are now facing a moment of reckoning,” he added.

    Fleming made the comments while delivering this year’s Imperial College Vincent Briscoe Annual Security Lecture, and warned that elements of the global digital environment are under threat from authoritarian regimes and, if left unchecked, that could threaten the design and freedom of the internet as states with “illiberal values” look to mould cyber space in their own image.

    “The threat posed by Russia’s activity is like finding a vulnerability on a specific app on your phone – it’s potentially serious, but you can probably use an alternative. However, the concern is that China’s size and technological weight means that it has the potential to control the global operating system,” said Fleming.

    “In practice, that means that states like China are early implementors of many of the emerging technologies that are changing the digital environment. They have a competing vision for the future of cyberspace and are playing strongly into the debate around international rules and standards,” he added. “States that do not share our values build their own illiberal values into the standards and technology upon which we may become reliant. If that happens, and it turns out to be insecure or broken or undemocratic, everyone is going to be facing a very difficult future,” he warned.

    One example of the geopolitical issues around this has already become apparent: while China has become one of the leading countries behind 5G technology, the UK government has banned 5G equipment made by Chinese technology company Huawei from UK mobile networks, citing security concerns. That’s after the UK government previously gave Huawei the green light to play a role in the country’s 5G network.

    However, Fleming said that the UK can maintain and build upon its strategic technical advantage by developing its own technologies in key areas like quantum computing and cryptography – which can help protect sensitive information and capabilities from attacks and disruption.

    “As a country, we need to be using all the levers and tools at our disposal to shape and grow key technologies and markets. We must do that in a way that helps protect the nation and open society. And that means becoming better at using the power of the state to both foster and protect brilliant developments in technology,” Fleming said.

    However, it’s also important that the UK isn’t acting alone – and Fleming cited the importance of working with allies in order to help improve cyber defences for everyone. “We may be an island but we’re far from isolated. It takes collective effort by likeminded allies to use technology to deliver strategic advantage. Only by working with others can we outperform our adversaries,” he said.



    Ransomware's perfect target: Why one industry needs to improve cybersecurity, before it's too late

    Ransomware attacks against the shipping and logistics industry have tripled in the past year, as cyber criminals target the global supply chain in an effort to make money from ransom payments.

    Analysis by cybersecurity company BlueVoyant found that ransomware attacks are increasingly targeting shipping and logistics firms at a time when the global COVID-19 pandemic means that their services are required more than ever before. Ransomware attacks have become a major cybersecurity problem for every industry, but a successful attack against a logistics company could potentially mean chaos – and an extremely lucrative payday for attackers.

    The nature of the industry and the potential for disruption to ripple across the whole supply chain might mean that an affected organisation pays the ransom demand, perceiving it to be the quickest, most effective way of restoring the network – despite law enforcement and cybersecurity experts warning victims that they shouldn’t encourage cyber criminals by paying ransoms.

    “Shipping and logistics companies are large businesses that are highly sensitive to disruption, making them perfect targets for ransomware gangs,” Thomas Lind, co-head of strategic intelligence at BlueVoyant, told ZDNet.

    2017’s NotPetya cyberattack demonstrated the amount of disruption that can occur in these scenarios, when shipping firm Maersk had vast swathes of its network of tens of thousands of devices across 130 countries encrypted and knocked offline in an incident that cost hundreds of millions in losses.

    But despite this high-profile cyber event demonstrating the need for a good cybersecurity strategy, according to BlueVoyant’s report, shipping and logistics companies need to “dramatically” improve IT hygiene and email security to make networks more resilient against ransomware and other cyberattacks. That includes fixing vulnerabilities in remote desktops or ports, something that 90% of the organisations studied in the research were found to have. Vulnerabilities in RDP systems like unpatched software or the use of default or common login credentials can provide cyber attackers with relatively simple access to networks.

    “When unsecured, ransomware attackers are able to gain access to a system and then move laterally in order to most effectively compromise and lockdown a target network,” said Lind. “Companies are not adequately securing themselves – and we haven’t seen any industry with worse protections in place than supply chain and logistics.”

    In some cases, it isn’t ransomware groups that are breaching logistics and shipping companies, but merely opportunistic cyber criminals who know they’ll be able to sell the credentials on for others to use to commit attacks.

    Shipping and logistics companies have vast networks – but there are cybersecurity procedures that can improve their defences against cyberattacks. These include securing port and network configuration so that default or easy-to-guess credentials aren’t used and, where possible, securing the accounts with two-factor authentication.

    “Ransomware gangs don’t hide what they’re doing: they hit remote desktop protocol (RDP) and other remote desktop ports. Especially in a time when many companies set up remote desktops for remote workers, this is a critical issue,” said Lind.

    Organisations should also update and patch software in a timely manner so cyber criminals can’t take advantage of known vulnerabilities to gain access to networks.


    ToxicEye: Trojan abuses Telegram platform to steal your data

    Operators of a new Remote Access Trojan (RAT) are exploiting the Telegram service to maintain control of their malware. 

    Dubbed ToxicEye, the RAT abuses Telegram as part of its command-and-control (C2) infrastructure in order to conduct rampant data theft. On Thursday, Omer Hofman from Check Point Research said in a blog post that the new remote malware has been observed in the wild, with over 130 attacks recorded in the past three months.

    Telegram is a communications channel and instant messaging service that recently experienced a surge in popularity prompted by controversial changes to WhatsApp’s data sharing policies with Facebook. The legitimate platform, which accounts for over 500 million monthly active users, has also proven popular with cybercriminals using the service as a springboard to spread and deploy malicious tools.

    The attack chain begins with ToxicEye operators creating a Telegram account and a bot. Bots are used for a variety of functions including reminders, searches, issuing commands, and launching polls, among other features. However, in this case, a bot is embedded into the malware’s configuration for malicious purposes.

    “Any victim infected with this malicious payload can be attacked via the Telegram bot, which connects the user’s device back to the attacker’s C2 via Telegram,” the researchers say.

    Phishing emails with malicious document attachments are sent to intended victims. If a victim enables downloads, the subsequent malicious .exe file deploys ToxicEye. The ToxicEye RAT has a number of functions that you would expect this particular brand of malware to possess. This includes the ability to scan for and steal credentials, computer OS data, browser history, clipboard content, and cookies, as well as the option for operators to transfer and delete files, kill PC processes and hijack task management. In addition, the malware can deploy keyloggers and is able to compromise microphones and camera peripherals to record audio and video. Ransomware traits, including the ability to encrypt and decrypt victim files, have also been detected by the researchers.

    ToxicEye is the latest in a string of malware strains that use Telegram to maintain a C2, with off-the-shelf and open source malware that contains this functionality now commonplace. If you suspect an infection, search for “C:\Users\ToxicEye\rat.exe”. This goes for both individual and enterprise use, and if found, the file should be immediately removed from your system.

    “Given that Telegram can be used to distribute malicious files, or as a C2 channel for remotely controlled malware, we fully expect that additional tools that exploit this platform will continue to be developed in the future,” the researchers commented.


    King Island connectivity upgrade to include 110km radio link across Bass Strait

    The radio link will land at Cape Wickham on King Island.
    Image: Getty
    When completed, a 110-kilometre radio link from King Island back to Victoria’s Surf Coast will be the longest such link over water in the Telstra network, the company said on Friday. The new link is part of a AU$9.8 million connectivity upgrade for King Island that will see the island get a six-fold improvement in bandwidth. The project will see two new mobile sites, two new small cell sites, and LTE upgrades at another three sites, as well as 37 kilometres of fibre laid on the island. Money for the upgrade was coughed up by Telstra, King Island Council, Tasmanian government, and the Commonwealth’s Regional Connectivity Program (RCP). Last week, the government announced it had selected 81 sites for its Regional Connectivity Program, but did not name them. When announcing the upgrade on Friday, Communications Minister Paul Fletcher failed to acknowledge the presence or monetary input of anyone not in the federal government. Revealing a touch more information on some of the successful RCP sites, the minister said AU$8 million of the fund was earmarked for five projects in Tasmania: Improving bandwidth to nine regional schools; a connectivity upgrade in Geeveston; improving mobile coverage in Jericho; and a connectivity boost at Greenhill Observatory to “enhance Australia’s sovereign space capability”.

    Work is due to start on the King Island project before the year is out.

    Earlier in the week, Telstra announced its Adapt S1 product, which combines VMware SD-WAN with a Palo Alto security platform. Telstra said the product uses its core network to improve redundancy and security. “With staff using consumer-grade networking technology to log onto corporate VPNs, it’s important for business to implement a secure stack,” Telstra global connectivity and platforms executive and group owner Sanjay Nayak said. “With more data flowing to mobile offices and workers, Adapt S1 can secure the corporate WAN in one seamless solution.” Adapt S1 is provided by Telstra partners such as 1Step Communications, Azured, Digital Armour, Exigo Tech, Mangano IT, Oreta, StarData, Virtual IT Group, and Wireless Communications. The new product forms part of the telco’s adaptive networks banner.


    Twitter accidentally spams users asking them to confirm accounts

    Image: Brett Jordan
    On Friday afternoon, many Australian Twitter users were asking whether to trust an email asking people to confirm their accounts. The online consensus was fast coming to the conclusion it was all a scam — a very good recreation of legitimate emails from Twitter — when the social media network fessed up that it was responsible.

    “Some of you may have recently received an email to “confirm your Twitter account” that you weren’t expecting. These were sent by mistake and we’re sorry it happened,” the company said on its support account. “If you received one of these emails, you don’t need to confirm your account and you can disregard the message.”

    Last month, the Australian Competition and Consumer Commission said Australian businesses reported losing more than AU$14 million due to payment redirection or business email compromise scams to Scamwatch, with losses in 2021 set to be five times higher. In 2019, 25,000 phishing scams were reported to Scamwatch, with only 513 reported as resulting in financial loss, valued at AU$1.5 million. Nevertheless, phishing was the most popular scam method.


    Tech giants and cops at least agree thwarting terrorist or extremist activity is a joint effort

    Image: Getty Images
    The Parliamentary Joint Committee on Intelligence and Security (PJCIS) in December kicked off an inquiry into extremist movements and radicalism in Australia, considering, among other things, the role of social media, encrypted communications platforms, and the dark web in allowing such activity.

    The New South Wales Police Force told the committee that online propaganda continues to instruct, recruit, inspire, cause fear, and encourage attacks. It said this remains a significant driver for global terrorism and the targeting of crowded places in Western countries.

    “Extremist groups, across all ideologies … have consistently demonstrated a willingness to harness new technologies to amplify their messages, reach new audiences, and coordinate activities,” NSW Police said [PDF]. “Digital platforms, including social media, encrypted messaging applications, live-streaming platforms, and the dark web are able to be used effectively by extremist groups. These innovations have allowed new types of communities to emerge, where ideological affinity overcomes a lack of physical proximity. Internet-enabled technologies have provided an accessible, low-cost means to establish, engage and empower like-minded groups across divides.”

    It said that where platforms associated with extremist groups and implicated in terror attacks have been taken down by their hosts, rather than resulting in the demise of these platforms it has simply displaced them, emerging in altered forms and with new hosts. “Pushing extremists to the fringes of the internet, away from mainstream users, could be a positive but it presents a different set of challenges for law enforcement and intelligence agencies,” NSW Police added.

    Also providing a submission [PDF] to the inquiry, Facebook said the existence of terrorist or extremist groups within society inevitably leads to terrorist or extremist activity online. The social media giant detailed its work in removing terrorist or extremist activity, but told the PJCIS it must consider not just how to prevent the violent manifestations of extremism, but also how to combat hate, labelling it the root cause of extremism.

    On encrypted communications, Facebook said end-to-end encryption is the best security tool available to protect Australians from cybercriminals and hackers, but it also poses a legitimate policy question: “How to ensure the safety of Australians if no one can see the content of messages except the sender and the receiver?”

    “The solution is for law enforcement and security agencies to collaborate with industry on developing even more safety mitigations and integrity tools for end-to-end encrypted services, especially when combined with the existing longstanding detection methods available to law enforcement,” it wrote. “We already take action against a significant number of accounts on WhatsApp (a fully end-to-end encrypted messaging service) for terrorism reasons, and we believe this number could increase with greater collaboration from law enforcement and security agencies.”

    It said it’s committed to working with law enforcement, policymakers, experts, and civil society organisations to develop ways of detecting bad actors without needing access to the content of encrypted messages. It added that the creation of backdoors is not the way forward.

    Similarly detailing its approach to removing terrorist or extremist activity across its platforms to the PJCIS, Google said [PDF] it also engages in ongoing dialogue with law enforcement agencies to understand the threat landscape, and to respond to threats that affect the safety of its users and the broader public. Google receives approximately 4,000 requests each year for user data from Australian law enforcement agencies. The search giant also said encryption is a “critically important tool in protecting users from a broad range of threats”.

    “Strong encryption doesn’t create a law free zone — companies can still deploy several anti-abuse protections using metadata, behavioural data, and new detection technologies — without seeing the content of messages encrypted in transit (thereby respecting user privacy),” it wrote. “While we are unable to provide to law enforcement the unencrypted content of messages encrypted in transit, we are still able to provide a wealth of data and signals that in some instances have proven richer than content data. Metadata such as call location, associated phone numbers, frequency and length of call/text are logged on our servers and can be shared with law enforcement/intelligence when provided with a valid court order.”

    Offering similar summaries of the work it does in countering terrorist or extremist activity on its platform, Twitter told the PJCIS its goal is to protect the health of the public conversation, and to take immediate action on those who seek to spread messages of terror and violent extremism.

    “However, no solution is perfect, and no technology is capable of detecting every potential threat or protecting societies and communities from extremism and violent threats on their own,” Twitter said [PDF]. “We know that the challenges we face are not static, nor are bad actors homogenous from one country to the next in how they evolve, behave, or the tactics they deploy to evade detection.”

    The Office of the Australian eSafety Commissioner told the committee that its research on young people and social cohesion showed 33% of young people have seen videos or images promoting terrorism online, and over 50% of young people had seen real violence that disturbed them, racist comments, and hateful comments about cultural or religious groups. It told the PJCIS it believes the best tactic to prevent terrorist or extremist activity is education.

    “Especially in the context of this inquiry, it is important to consider the structural, systemic, and social factors that may lead someone to be attracted to, and engage in, negative or dangerous activity online,” its submission [PDF] said. “A whole of community approach and systems approach is therefore needed to understand and address the underlying drivers of this behaviour, as well as provide diversion and alternative pathways to support and assistance.”

    “Giving individuals the skills and strategies to prevent and respond to harmful experiences online and engage online in ways likely to promote safe and positive online experiences.”