More stories

  • This ‘off the shelf’ Tor backdoor malware is now a firm favorite with ransomware operators

    A Remote Access Trojan (RAT) on sale in underground forums has evolved to abuse Tor when maintaining persistence on infected machines. 

    On Thursday, Sophos Labs’ Sivagnanam Gn and Sean Gallagher revealed ongoing research into the malware, which has been in the wild since 2019. 
    Dubbed SystemBC, the RAT has evolved from acting as a virtual private network (VPN) through a SOCKS5 proxy into a backdoor that leverages the Tor network to establish persistence and make tracing connected command-and-control (C2) servers a more difficult task. 
    According to the researchers, the Windows-based SystemBC malware is capable of executing Windows commands, script deployment, implementing malicious DLLs, remote administration and monitoring, and establishing backdoors for operators to connect the malware to a C2 in order to receive commands. 
    Sophos Labs says that over the course of the year, SystemBC has evolved and features have been enhanced, leading to increased popularity with buyers including ransomware operators. 
    Once deployed, the RAT will copy and schedule itself as a service but will skip this step if Emsisoft antivirus software is detected. A connection to a C2 is then established through a beacon connection to a remote server based at one of two hard-coded domains — with addresses varying in samples — as well as a lightweight Tor client. 

    “The Tor communications element of SystemBC appears to be based on mini-tor, an open-source library for lightweight connectivity to the Tor anonymized network,” the researchers note. “The code of mini-Tor isn’t duplicated in SystemBC […] but the bot’s implementation of the Tor client closely resembles the implementation used in the open-source program, including its extensive use of the Windows Crypto Next Gen (CNG) API’s Base Crypto (BCrypt) functions.”
    Over the past few months, SystemBC has been tracked in “hundreds” of deployments, including recent Ryuk and Egregor ransomware attacks. The team says the backdoor was deployed after the cyberattackers obtained access to server credentials in these attacks, with SystemBC acting as a valuable persistence bolt-on to the main malware strains used. 

    SystemBC was deployed as an off-the-shelf tool, likely obtained through malware-as-a-service deals made in underground forums, and in some cases, was present on infected machines for days — or weeks — at a time.
    “SystemBC is an attractive tool in these types of operations because it allows for multiple targets to be worked at the same time with automated tasks, allowing for hands-off deployment of ransomware using Windows built-in tools if the attackers gain the proper credentials,” Sophos Labs added. 
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • IBM launches experimental homomorphic data encryption environment for the enterprise

    IBM has launched a fully homomorphic encryption (FHE) test service for the enterprise in the first step to bringing in-transit encrypted data analysis into the commercial sector. 

    IBM said on Thursday that the new FHE solution, IBM Security Homomorphic Encryption Services, will allow clients to start experimenting with how the technology could be implemented to enhance the privacy of their existing IT architecture, products, and data. 
    FHE is considered by some to be the “Holy Grail” of encryption, as it is a form of encryption that allows data to remain encrypted while it is being processed. 
    The concept behind FHE is to plug the gap between securely-encrypted data held in storage and the need to decrypt while this information is in use — a requirement in data processing or analysis — which can create protection issues. 
    While IBM and others in the research community have been working on developing homomorphic encryption for over a decade, FHE has not been considered practical, due to the high compute power required to work with encrypted data, as well as the sluggish speeds of computations. 
    Now, however, IBM says that due to increases in industry compute power and the refinement of algorithms behind FHE, calculations can now be performed in seconds per bit, “making it fast enough for many types of real-world use cases and early trials with businesses.”

    IBM is also working on making FHE “quantum-safe” by implementing lattice cryptography. 
    The company has completed a number of field trials, and clients have been working on pilot programs this year to implement FHE. Customers can now access an IBM Cloud testing environment to create prototype applications utilizing FHE, and IBM trainers will be on hand to support new FHE projects. 
    IBM Research tools will also be made available for specific use case tests, including encrypted search and machine learning (ML) features. 
    “Fully homomorphic encryption holds tremendous potential for the future of privacy and cloud computing, but businesses must begin learning about and experimenting with FHE before they can take full advantage of what it has to offer,” commented Sridhar Muppidi, IBM Security CTO. 
    The technology is still in its early stages and is yet to reach commercial maturity, but by offering a test environment, IBM may be able to resolve FHE implementation and performance challenges, and as such, the company says that the initial offering is focused on developers and engineers in the cryptographic space.

  • Phobos launches Orbital, a tool for finding attack pathways and entry points into your network

    Cybersecurity firm the Phobos Group has launched this week Orbital, a reconnaissance and risk assessment platform.
    Orbital, out of beta and in public trials, is the Phobos Group’s reimagining of how a reconnaissance platform should work and look.
    It works by scanning a customer’s public-facing infrastructure and generating a report with issues it finds.
    But instead of delivering a 600-page report about every minutia in a company’s IT stack using convoluted terms like CVEs, DREAD scores, STRIDE models, or ATT&CK mappings, Orbital relies on the underestimated power of “plain English.”
    The focal point of Orbital reports is taken away from heavy infosec jargon and put on simple concepts like “entry points” and “attack pathways,” Phobos Group founder Dan Tentler told ZDNet in a demo last week.
    Instead of a list of CVE identifiers (numeric codes for security flaws), Orbital shows how attackers could combine bugs and misconfigurations to carve a path through the company’s public-facing network.

    Orbital also leverages a custom-built rules engine that prioritizes the most dangerous issues, allowing IT personnel to act on them right away.

    Tentler said the focus has been on getting companies to address real security issues and get them fixed fast, rather than tick boxes in compliance tests.
    “Orbital was designed from the ground up to be more impactful than bug bounties and compliance-driven vulnerability scanning,” the Phobos team said.
    “There isn’t a new taxonomy or scoring metric to learn, the Attack Pathways do all the heavy lifting. You see exactly what an attacker would see, before they do.”
    The Orbital platform will surface details like leaked credentials, open ports, internal hosts leaking information to the outside world, a company’s tech stack breakdown, screenshots of what attackers see of a company’s systems, and much more.
    Furthermore, Orbital also uses concepts like positive reinforcement to show companies if they’re using “favorable technology stacks” and what they fixed and what has improved between scans, allowing customers to feel like they made headway in securing their networks.

    “Orbital is geared toward the active defender who needs to prioritize risk now,” the Phobos team said. “Orbital was designed by people who want to see real change that results in tactical success against attackers.”
    After months of work, teasing, and planning, Phobos Orbital is out of beta and available for trials starting this week, with pricing on demand.

  • Three million users installed 28 malicious Chrome or Edge extensions

    More than three million internet users are believed to have installed 15 Chrome and 13 Edge extensions that contain malicious code, security firm Avast said today.

    The 28 extensions contained code that could perform several malicious operations. Avast said it found code to:
    • redirect user traffic to ads
    • redirect user traffic to phishing sites
    • collect personal data, such as birth dates, email addresses, and active devices
    • collect browsing history
    • download further malware onto a user’s device
    But despite the presence of code to power all the above malicious features, Avast researchers said they believe the primary objective of this campaign was to hijack user traffic for monetary gains.
    “For every redirection to a third party domain, the cybercriminals would receive a payment,” the company said.
    Avast said it discovered the extensions last month and found evidence that some had been active since at least December 2018, when some users first started reporting issues with being redirected to other sites.
    Jan Rubín, Malware Researcher at Avast, said they couldn’t determine whether the extensions had been created with malicious code from the beginning or whether the code was added via an update once each extension reached a certain level of popularity.
    And many extensions did become very popular, with tens of thousands of installs. Most did so by posing as add-ons meant to help users download multimedia content from various social networks, such as Facebook, Instagram, Vimeo, or Spotify.

    Avast said it reported its findings to both Google and Microsoft and that both companies are still investigating the extensions.
    Google and Microsoft did not return a request for comment seeking additional information on the status of their investigation into Avast’s report or if the extensions were going to be removed.
    Below is the list of Chrome extensions that Avast said it found to contain malicious code:
    Below is the list of Edge extensions that Avast said it found to contain malicious code:
    Until Google or Microsoft decide what their course of action is, Avast recommended that users uninstall and remove the extensions from their browsers.

  • FBI says DoppelPaymer ransomware gang is harassing victims who refuse to pay

    The US Federal Bureau of Investigation says it is aware of incidents where the DoppelPaymer ransomware gang has resorted to cold-calling companies in order to intimidate and coerce victims into paying ransom demands.

    The incidents have been happening since February 2020, the FBI said in a PIN (private industry notification) alert, a type of security advisory the Bureau sends to the US private sector on a regular basis to inform them of the latest cyber-security developments.
    The FBI PIN alert, sent on December 10, confirms a ZDNet report from December 5 that detailed similar cold-calling tactics used by four other ransomware groups: Sekhmet (now defunct), Maze (now defunct), Conti, and Ryuk.
    But while our reporting traced phone threats made by ransomware groups back to September this year, the FBI says this tactic was actually first seen with the DoppelPaymer gang months before.
    “Doppelpaymer is one of the first ransomware variants where actors have called the victims to entice payments,” the FBI said.
    “As of February 2020, in multiple instances, DoppelPaymer actors had followed ransomware infections with calls to the victims to extort payments through intimidation or threatening to release exfiltrated data,” it added.
    The agency then goes on to detail one particular incident where threats escalated from the attacked company to its employees and even relatives. From the PIN alert:

    “In one case an actor, using a spoofed US-based telephone number while claiming to be located in North Korea, threatened to leak or sell data from an identified business if the business did not pay the ransom. During subsequent telephone calls to the same business, the actor threatened to send an individual to the home of an employee and provided the employee’s home address. The actor also called several of the employee’s relatives.”
    Threats of violence, as in this case, are usually empty. On the other hand, threats to release or sell the data are not.
    The DoppelPaymer gang is one of more than 20 ransomware gangs that operate leak sites where they publish data from companies who refuse to pay the ransom — as a form of revenge.
    In many cases, companies ignore these threats and choose to restore from backups, but there are also known cases[1, 2] where companies chose to pay to prevent sensitive information from being released online.
    In its DoppelPaymer PIN alert, the FBI recommends that victims secure their networks to prevent intrusions in the first place, and in the case of an attack, recommended that victims notify authorities and try to avoid paying the ransom as this emboldens attackers to carry out new intrusions, enticed by the easy profits they’re making.

  • Most businesses are tracking customers yet don’t tell them

    Despite the majority of businesses claiming to have well-defined consumer data privacy policies that are strictly applied, over three in five US and Canadian companies do not inform customers that they allow tracking code from third-party services on their websites.
    Americans are becoming increasingly concerned with, and distrustful of, how companies use, manage, and protect their personal data.

    Apple is cracking down on apps that track users without their permission, but new survey data shows this type of consumer data privacy abuse is also happening within the enterprise tech space.
    Austin, TX-based productivity and collaboration apps provider Zoho surveyed 1,416 individuals across the United States and Canada in November 2020.
    Participants of the study included a range of business leaders from manager roles to the C-level at small and large enterprises across a variety of industries.
    Zoho wanted to find out their use of tracking software and consumer data privacy policies, and how frequently information is captured that is lucrative for advertisers.
    The findings show how frequently unethical data collection tactics are used without consumer knowledge to capture information — especially in the B2B space.

    It discovered that three in five (62%) businesses do not inform customers about third-party ad trackers collecting their data. 
    Almost three in four (72%) B2B respondents do not inform customers about third-party ad trackers, compared to 58% of B2C respondents.
    More surprisingly the survey uncovered that third-party ad tracking is ubiquitous. All respondents (100%) said their companies allow it, and almost three in five (57%) are “comfortable” or “very comfortable” with the way third-parties use customer data.
    This business practice is also true in California, the only US state which has a consumer data privacy law.
    Almost seven in ten (70%) California companies do not inform customers that they allow third-party ad trackers on their websites, yet 56% say their company has a well-defined, documented policy for customer data privacy that is strictly applied.
    The findings also show businesses that depend on third-party ad platforms to drive sales are more likely to be comfortable with how third parties use the data.
    Over one in three businesses (36%) said that third-party ad platforms are the primary factor in their ability to meet sales goals.
    The same group was nearly four times more likely to say they were “very comfortable” with how third-party ad platforms use the data they collect.
    Companies that said ad platforms are not a factor in meeting sales goals were almost five times more likely to know that some software automatically installs third-party tracking code onto their website.
    Raju Vegesna, Chief Evangelist at Zoho, said: “If you’re using a free service, you’re paying for it with your data. That includes free B2B software and mobile apps you might be using, and we need companies to be transparent with customers about how they track users.”
    Americans are keen to share social security, financial and medical information — if they believe it is to help others — but helping companies close deals might not be what they had in mind.
    We are so keen to have a frictionless and personalised experience with websites that we freely allow them to take our valuable information. 
    Perhaps more websites should compensate consumers for the use of their personal data — or leave their data alone — unless it is explicitly granted with full knowledge of both parties.

  • Partial Gmail outage resolved: Users reported a variety of problems Tuesday

    Well, that didn’t take long. Google fixed multiple problems with its services this week but less than a day later network administrators and users started seeing another rash of Gmail problems.

    Google confessed, “We’re aware of a problem with Gmail affecting a significant subset of users. The affected users are able to access Gmail but are seeing error messages, high latency, and/or other unexpected behavior. We will provide an update by 12/15/20, 5:30 PM [Eastern US] detailing when we expect to resolve the problem. Please note that this resolution time is an estimate and may change.”
    Downdetector reported a major spike at about 3 PM Eastern. 73% of the reported problems were with receiving messages. 23% of users reported having trouble logging into Gmail.
    On the internet network administrators’ outages mailing list, admins reported they were seeing random bounceback issues, with an average of 10% bouncebacks on their test emails. Still other administrators reported seeing bounces when sending from GSuite to consumer Gmail.
    Typical bounceback error messages said “The email account that you tried to reach does not exist.”
    This problem showed up mostly in the US, but it also caused failures in Europe, Australia, and New Zealand. 

    There have also been scattered reports of trouble with YouTube and YouTube TV, but these have not been confirmed.
    At 6:51 PM Eastern, Google reported the Gmail problem had been resolved. The company also stated: “We apologize for the inconvenience and thank you for your patience and continued support. Please rest assured that system reliability is a top priority at Google, and we are making continuous improvements to make our systems better. If you are still experiencing an issue, please contact us via the Google Help Center.”

  • Singapore law firm offers 'integrated' cybersecurity, legal assistance

    Singapore law firm Rajah & Tann has formed a joint venture with local cybersecurity vendor Resolvo Systems to offer integrated services to help businesses navigate their reliance on digital data amidst growing cyber threats. This, they say, will be increasingly important as the global pandemic has accelerated online activities alongside cybersecurity attacks. 
    Called Rajah & Tann Cybersecurity (RTCyber), the joint venture was set up by the law firm’s ICT services arm Rajah & Tann Technologies, which focuses on technology-driven legal and regulatory services such as electronic discovery and data breach response. 


    “RTCyber is uniquely placed to help clients protect, mitigate against cyber attacks, minimise disruptions from a security breach, and effectively deal with a breach incident,” the law firm said in a statement Wednesday, adding that the new entity would tap its knowledge in data protection and cybersecurity law as well as Resolvo’s 20 years’ experience in cybersecurity. 
    The joint venture would provide a suite of six services, including legal tech, e-discovery, digital forensics, and contract management.
    RTTech’s director Steve Tan said: “The COVID-19 pandemic has accelerated our clients’ reliance on digital data. As their transformation partner, we see ourselves providing them with a much-needed service at this most dire of times.
    “It is a matter of when, not if, an organisation is hit by a data breach, especially since the number of malicious perpetrators targeting vulnerable systems, websites, and individuals continues to grow exponentially,” Tan said. “The key is to be prepared and effectively respond to a breach. Organisations have to be proactive in securing their data against loss or cyber attacks, not only for security reasons, but also to comply with data protection and other legal requirements.”
    Resolvo CTO Wong Onn Chee added that the “one-stop shop” joint venture would provide both technology and legal expertise in an “expeditious and efficient manner”, which would be essential in managing cybersecurity incidents. 

    Citing the World Health Organisation, Rajah & Tann said the global organisation reported a five-fold increase in cyber attacks 1.5 months into the global pandemic, while phishing attacks targeting Singapore more than doubled between March and May this year, according to Singapore’s Cyber Security Agency. 
    Worldwide, 91% of enterprises reported an increase in cyber attacks as more employees worked from home amidst the coronavirus outbreak, revealed a survey by VMware Carbon Black. COVID-19-inspired malware saw the highest jump, with 92% of respondents noting an increase in such threats compared to typical volumes before the outbreak.
    In Singapore, 43% saw increased attack volumes over the past year, reporting an average of 1.67 breaches, and 67% said such threats were now more sophisticated. OS vulnerabilities were the most common cause of breaches, as cited by 20% in the city-state, while 15% pointed to holes in third-party applications that led to security breaches. 
    Cybercrimes accounted for 26.8% of all crimes in Singapore last year, with e-commerce scams the most popular. Some 9,430 cybercrime cases were reported in 2019, up 51.7% from 2018 when there were 6,215 cases. 