More stories

  • Telstra launches pilot to block phishing texts spoofing Services Australia

    Telstra has taken the wraps off a pilot program that will see it block fake messages claiming to be from myGov or Centrelink before they hit the phones of the telco’s customers.
    The telco worked with the Australian Cyber Security Centre (ACSC) and Services Australia on the layer 3 blocking effort.
    Telstra CEO Andy Penn told ZDNet that the program has completed its proof-of-concept stage and would be fully rolled out across its network by the end of the year.
    Penn also said involving the ACSC allowed for information sharing between government and industry, and by sharing information there was a greater chance of mitigating malicious acts.
    “It’s not so much that ACSC has got something that we don’t, or we’ve got something the ACSC doesn’t have — we both look at the world through a different lens, and we both have access to information, probably, that the other party doesn’t,” he said.
    If the pilot is successful, it would then be rolled out to other Australian telcos, Minister for Defence Linda Reynolds told ZDNet.
    “This is a national problem that requires a truly collaborative national approach,” she said.
    Earlier, the minister said the number of malicious texts had not increased significantly due to the coronavirus pandemic.
    “What has changed is that cyber criminals are getting better at adopting their tradecraft,” Reynolds said.
    “They are exploiting people’s concerns, and also their desire for information during COVID-19.”
    Reynolds added that the messages directed people to sites where malware could be installed and personal information obtained.
    Telstra in May unveiled its Cleaner Pipes program to fight malware passing through its network.
    The initiative focuses on blocking command and control communications of botnets, the downloading of remote access trojans, as well as other forms of malware. The telco said at the time it was already blocking “millions of malware communications” when the traffic hits its infrastructure.
    “This action reduces the impact of cyber threats on millions of Telstra’s customers including stopping the theft of personal data, financial losses, fraudulent activity and users’ computers being infected with malware. We know many consumers and small businesses do not have the resources to adequately protect themselves,” Penn said.
    “Cleaner Pipes means we are able to more actively block cyber threats on our network that would compromise the safety of our customers’ personal information. While it will not completely eliminate the risk, or substitute appropriate threat protection, it will contribute to significantly reducing the volumes and impact.”
    Should Telstra customers click on a blocked link, they will be presented with a block page. The telco also said in May it had been trialling Cleaner Pipes for a year, and this had sat alongside its efforts to block malicious SMS and scam calls. Telstra said it blocks over half a million scam calls each month.
    In July, a Penn-chaired industry advisory panel recommended in its report that ACSC be able to “disrupt cyber criminals on the Dark Web and to target the proceeds of cybercrime” and hold malicious actors accountable through law enforcement, diplomacy, or even economic sanctions.
    “The Australian government should openly describe and advocate the actions it may take in response to a serious cybersecurity incident to deter malicious cyber actors from targeting Australia,” the report recommended.
    The report also called for “larger, more capable” government departments to help out the cyber defences of smaller agencies.

  • Department of Veterans Affairs discloses breach impacting 46,000 veterans

    The Department of Veterans Affairs (VA) has disclosed today a security breach during which the personal information of around 46,000 veterans was obtained by a malicious third-party.
    Officials said the breach took place after “unauthorized users” accessed an online application managed by the VA Financial Services Center (FSC).
    The VA said the hackers used “social engineering techniques” and exploited the “authentication protocol” to gain access to the FSC app and then divert VA payments intended for healthcare providers for the medical treatment of US veterans.
    While officials are still investigating the incident, the VA believes that the hackers might have also accessed veteran records, including Social Security numbers.
    “To protect these Veterans, the FSC is alerting the affected individuals, including the next-of-kin of those who are deceased, of the potential risk to their personal information,” the VA said in a press release on Monday. “The department is also offering access to credit monitoring services, at no cost, to those whose social security numbers may have been compromised.”
    To prevent further intrusions and possible payment order hijacks, VA officials said they took down the compromised FSC app and do not intend to bring it back up until after a “comprehensive security review.”
    This is the second security breach announced by the VA in its history. The first one took place in 2006 when an unknown party stole a laptop and an external hard drive containing the personal records of 26 million veterans during an employee’s house robbery. A subsequent Inspector General report found the VA guilty of acting “with indifference and little sense of urgency” after the loss of the computer hardware.

  • Magento online stores hacked in largest campaign to date

    More than 2,000 Magento online stores have been hacked over the weekend in what security researchers have described as the “largest campaign ever.”
    The attacks were a typical Magecart scheme where hackers breached sites and then planted malicious scripts inside the stores’ source code, code that logged payment card details that shoppers entered inside checkout forms.
    “On Friday, 10 stores got infected, then 1,058 on Saturday, 603 on Sunday and 233 today,” said Willem de Groot, founder of Sanguine Security (SanSec), a Dutch cyber-security firm specialized in tracking Magecart attacks.
    “This automated campaign is by far the largest one that Sansec has identified since it started monitoring in 2015,” de Groot added. “The previous record was 962 hacked stores in a single day in July last year.”
    Most stores were running an EOL version
    The SanSec exec said that most of the compromised sites were running version 1.x of the Magento online store software.
    This Magento version reached end-of-life (EOL) on June 30, 2020, and is currently not receiving security updates anymore.
    Ironically, attacks against sites running the now-deprecated Magento 1.x software were anticipated since last year when Adobe — which owns Magento — issued the first alert in November 2019 about store owners needing to update to the 2.x branch.
    Adobe’s initial warning about impending attacks on Magento 1.x stores was later echoed in similar security advisories issued by Mastercard and Visa over the spring.
    In our coverage of the Mastercard and Visa alerts, several experts in the web security community told this reporter that new Magento 1.x vulnerabilities hadn’t been spotted in a while, which was uncharacteristic, as the 1.x branch was old and was riddled with security holes.
    At the time, those security experts believed that hackers were intentionally sitting on their Magento 1.x exploits and waiting for the EOL to come around, to make sure Adobe wouldn’t patch their bugs.
    It seems those experts were right.
    While de Groot hasn’t yet identified how hackers broke into the sites that have been targeted over the weekend, the SanSec founder said that ads for a Magento 1.x zero-day vulnerability had been posted on underground hacking forums last month, confirming that hackers had waited for the EOL to come around.
    In the ad, a user going by the name of z3r0day offered to sell a remote code execution (RCE) exploit for $5,000, an offer that was deemed credible at the time.

    The good news is that since November 2019, when Adobe started urging Magento owners to migrate to the newer branch, the number of Magento 1.x stores has gone down from 240,000 to 110,000 in June 2020, and to 95,000 today.
    The pace is slow, but it’s believed that many of the stores that haven’t been updated are most likely abandoned and have very low user traffic. Nonetheless, some high-trafficked sites are still running the 1.x branch and relying on web application firewalls (WAFs) to stop attacks.
    That’s a risky strategy that, while it may be PCI compliant, may not be a smart decision in the long run.
    In related news, Adobe also announced last week that it partnered with SanSec to integrate the security firm’s database of more than 9,000 Magento malware signatures into the Magento backend, as part of the Security Scan tool.

  • FBI says credential stuffing attacks are behind some recent bank hacks

    The FBI sent a private security alert to the US financial sector last week, warning organizations about the increasing number of credential stuffing attacks that have targeted their networks and have led to breaches and considerable financial losses.
    Credential stuffing is a relatively new term in the cyber-security industry.
    It refers to a type of automated attack where hackers take collections of usernames and passwords that leaked online via data breaches at other companies and try them against accounts at other online services.
    These attacks aim to identify accounts where users reused passwords and then gain unauthorized access over the user’s profile and attached resources.
    Credential stuffing attacks weren’t always an issue, but they became one in the late 2010s after hackers leaked billions of usernames and password combinations from hundreds of companies over the past five years.

    Slowly, hackers began collecting these leaked credentials and trying them against various online services. At first, they targeted online gaming and food-ordering accounts, but as the tactic proved to be more and more successful, more professional hacking groups switched to targeting accounts at online banking services and cryptocurrency exchanges, aiming to steal financial assets.
    Credential stuffing is now a major problem for banks
    According to an FBI security advisory obtained by ZDNet today, credential stuffing attacks have increased in recent years and have now become a major problem for financial organizations.
    “Since 2017, the FBI has received numerous reports on credential stuffing attacks against US financial institutions, collectively detailing nearly 50,000 account compromises,” the FBI said.
    “The victims included banks, financial services providers, insurance companies, and investment firms.”
    FBI officials said that many of these attacks targeted application programming interfaces (APIs) since these systems are “less likely to require multi-factor authentication (MFA)” and are less monitored than user-facing login systems.
    The FBI also noted that some credential stuffing attacks have been so massive, with authentication requests packed together without cool-out periods, that they brought down authentication systems at some financial organizations, with some targets believing they were being DDOSed and not under a credential stuffing attack — incidents that the F5 Networks cyber-security unit also reported last year.
    Credential stuffing attacks also didn’t target just user profiles, the FBI said, but they also targeted employee accounts, with the attackers aiming to access high-privileged accounts as well.
    Some of these attacks failed, but others also succeeded and led to multi-million dollar losses at some organizations over the past year.
    According to the FBI, recent major incidents included:
    In July 2020, a mid-sized US financial institution reported its Internet banking platform had experienced a “constant barrage” of login attempts with various credential pairs, which it believed was indicative of the use of bots. Between January and August 2020, unidentified actors used aggregation software to link actor-controlled accounts to client accounts belonging to the same institution, resulting in more than $3.5 million in fraudulent check withdrawals and ACH transfers. However, reporting does not indicate whether the increased logins and fraudulent transactions could be attributed to the same actor(s).
    Between June 2019 and January 2020, a NY-based investment firm and an international money transfer platform experienced credential stuffing attacks against their mobile APIs, according to a credible financial source. Although neither entity reported any fraud, one of the attacks resulted in an extended system outage that prevented the collection of nearly $2 million in revenue.
    Between June and November 2019, a small group of cyber criminals targeted a financial services institution and three of its clients, resulting in the compromise of more than 4,000 online banking accounts, according to a credible financial source. The cyber criminals then used bill payment services to submit fraudulent payments—about $40,000 in total—to themselves, which they then wired to foreign banking accounts. According to a 2020 case study on one of the firms, security researchers identified more than 1,500 email addresses and 6,000 passwords exposed in more than 80 data breaches. Some of the credentials belonged to company leadership, system administrators, and other employees with privileged access.
    The FBI security advisory, which you can read in full here, warns financial institutions to take protective measures against the ever-growing threat of credential stuffing.
    The alert includes basic detection strategies and mitigation advice that can be universally applied across all sectors, and not just for companies active in the financial vertical.
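
    The pattern described in this story (one automated source trying many different accounts in quick succession, almost all of which fail) can be searched for in authentication logs. The sketch below is an added example, not taken from the FBI advisory or the article; the log format, the thresholds and every name in it are assumptions, and the log lines are constructed.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    source: str      # client IP address (or API key) the request came from
    endpoint: str    # login path, so API logins are covered as well as web logins
    username: str
    success: bool


def parse_line(line: str) -> LoginEvent:
    """Parse one line of the assumed format: '<ts> <source> <endpoint> <user> OK|FAIL'."""
    ts, source, endpoint, username, outcome = line.split()
    return LoginEvent(datetime.strptime(ts, TS_FMT), source, endpoint,
                      username, outcome == "OK")


def sample_log() -> list[str]:
    """Constructed sample data: one bot, one forgetful user, one office NAT."""
    base = datetime(2020, 9, 14, 10, 0, 0)
    lines = []
    # Bot: 40 different accounts, one attempt each, one request per second.
    # Two of the reused passwords happen to work (user07 and user23).
    for i in range(40):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        outcome = "OK" if i in (7, 23) else "FAIL"
        lines.append(f"{ts} 203.0.113.7 /api/v1/login user{i:02d} {outcome}")
    # A person mistyping a password twice: one account, so not stuffing.
    for i, outcome in enumerate(["FAIL", "FAIL", "OK"]):
        ts = (base + timedelta(seconds=20 * i)).strftime(TS_FMT)
        lines.append(f"{ts} 198.51.100.20 /login alice {outcome}")
    # Office behind one NAT address: many accounts, but the logins succeed.
    for i in range(25):
        ts = (base + timedelta(seconds=5 * i)).strftime(TS_FMT)
        lines.append(f"{ts} 192.0.2.50 /login staff{i:02d} OK")
    return lines


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=20, min_fail_ratio=0.9):
    """Flag sources that try many distinct accounts, mostly failing, in one window.

    Returns {source: {"max_users", "endpoints", "accounts_to_review"}} where
    accounts_to_review are usernames that logged in successfully inside a
    flagged window and therefore need a reset and a session review.
    """
    by_source = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_source[ev.source].append(ev)

    findings = {}
    for source, evs in by_source.items():
        start = 0
        for end, ev in enumerate(evs):
            # Slide the left edge so the window never spans more than `window`.
            while ev.ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.username for e in win}
            fail_ratio = sum(not e.success for e in win) / len(win)
            if len(users) < min_users or fail_ratio < min_fail_ratio:
                continue
            hit = findings.setdefault(source, {"max_users": 0,
                                               "endpoints": set(),
                                               "accounts_to_review": set()})
            hit["max_users"] = max(hit["max_users"], len(users))
            hit["endpoints"].update(e.endpoint for e in win)
            hit["accounts_to_review"].update(e.username for e in win if e.success)
    return findings


if __name__ == "__main__":
    events = [parse_line(line) for line in sample_log()]
    for source, hit in detect_stuffing(events).items():
        print(source, hit["max_users"], sorted(hit["endpoints"]),
              sorted(hit["accounts_to_review"]))
```

    Grouping by source address alone misses campaigns spread across many addresses, so the same windowing can be keyed on another attribute the logs carry, such as user agent or API client ID.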

  • CISA: Chinese state hackers are exploiting F5, Citrix, Pulse Secure, and Exchange bugs

    The Cybersecurity and Infrastructure Security Agency (CISA) has published a security advisory today warning of a wave of attacks carried out by hacking groups affiliated with China’s Ministry of State Security (MSS).
    CISA says that over the past year, Chinese hackers have scanned US government networks for the presence of popular networking devices and then used exploits for recently disclosed vulnerabilities to gain a foothold on sensitive networks.
    The list of targeted devices includes F5 Big-IP load balancers, Citrix and Pulse Secure VPN appliances, and Microsoft Exchange email servers.
    For each of these devices, major vulnerabilities have been publicly disclosed over the past 12 months, such as CVE-2020-5902, CVE-2019-19781, CVE-2019-11510, and CVE-2020-0688, respectively.
    According to a table summarizing Chinese activity targeting these devices published by CISA today, some attacks have been successful and enabled Chinese hackers to gain a foothold on federal networks.

    Iranian hackers are also targeting these systems
    These attacks aren’t new, per-se. ZDNet reported last year that Chinese state hackers had targeted Pulse Secure and Fortinet VPN servers less than a month after the vulnerabilities became public.
    In addition, Chinese hackers aren’t the only ones targeting these particular networking appliances. The devices listed above have also been targeted by Iranian state actors, according to a report from the private cyber-security sector and a cyber-security alert published by the FBI last month.
    One Iranian group has mass-compromised these types of devices and then provided access to fellow Iranian groups, allowing them to select the networks they wanted to compromise for intelligence gathering operations. The compromised devices that were not selected were later put up for sale on underground hacking forums, according to a Crowdstrike report.
    Other forms of attacks also detected
    The CISA alert warns the US private sector and government agencies to patch F5, Citrix, Pulse Secure, and Microsoft Exchange devices. However, the alert also warns that Chinese hackers are employing a wide spectrum of other intrusion methods.
    These also include the use of spear-phishing emails — a classic attack employed by Chinese state actors — and the use of brute-force attacks leveraging weak or default credentials.
    Once Chinese hackers are inside targeted networks, they also often deploy commercial and open-source tools to move laterally across networks and exfiltrate data. This includes the use of legitimate penetration-testing tools like Cobalt Strike and Mimikatz.
    When attacks target public-facing web systems, such as VPNs, web and email servers, CISA said it often spotted Chinese state hackers deploying the China Chopper web shell, a common tool they’ve used for almost a decade.
    CISA officials recommend that security teams in private companies and government agencies read its report, take notice of the common tactics, techniques, and procedures (TTPs) used by Chinese state actors, patch devices and deploy detection rules accordingly.

  • Zerologon attack lets hackers take over enterprise networks: Patch now

    Unbeknownst to many, last month Microsoft patched one of the most severe bugs ever reported to the company, an issue that could be abused to easily take over Windows Servers running as domain controllers in enterprise networks.
    The bug was patched in the August 2020 Patch Tuesday under the identifier of CVE-2020-1472. It was described as an elevation of privilege in Netlogon, the protocol that authenticates users against domain controllers.
    The vulnerability received the maximum severity rating of 10, but details were never made public, meaning users and IT administrators never knew how dangerous the issue really was.
    Take over a domain controller with a bunch of zeros
    But in a blog post today, the team at Secura B.V., a Dutch security firm, has finally lifted the veil from this mysterious bug and published a technical report describing CVE-2020-1472 in greater depth.
    And per the report, the bug is truly worthy of its 10/10 CVSSv3 severity score.
    According to Secura experts, the bug, which they named Zerologon, takes advantage of a weak cryptographic algorithm used in the Netlogon authentication process.
    This bug allows an attacker to manipulate Netlogon authentication procedures and:
    impersonate the identity of any computer on a network when trying to authenticate against the domain controller
    disable security features in the Netlogon authentication process
    change a computer’s password on the domain controller’s Active Directory (a database of all computers joined to a domain, and their passwords)
    The gist, and the reason why the bug has been named Zerologon, is that the attack is done by adding zero characters in certain Netlogon authentication parameters (see graph below).

    Image: Secura
    The entire attack is very fast and can last up to three seconds, at most. In addition, there are no limits to how an attacker can use the Zerologon attack. For example, the attacker could also pose as the domain controller itself and change its password, allowing the hacker to take over the entire corporate network.
    Take over a corporate network in three seconds
    There are limitations to how a Zerologon attack can be used. For starters, it cannot be used to take over Windows Servers from outside the network. An attacker first needs a foothold inside a network.
    However, when this condition is met, it’s literally game over for the attacked company. 
    “This attack has a huge impact,” the Secura team said. “It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain.”
    Furthermore, this bug is also a boon for malware and ransomware gangs, which often rely on infecting one computer inside a company’s network and then spreading to multiple others. With Zerologon, this task has been considerably simplified.
    Patches available; more to come
    But patching Zerologon was no easy task for Microsoft, as the company had to modify how billions of devices are connecting to corporate networks, effectively disrupting the operations of countless companies.
    This patching process is scheduled to take place over two phases. The first one took place last month, when Microsoft released a temporary fix for the Zerologon attack.
    This temporary patch made the Netlogon security features (that Zerologon was disabling) mandatory for all Netlogon authentications, effectively breaking Zerologon attacks.
    Nonetheless, a more complete patch is scheduled for February 2021, just in case attackers find a way around the August patches. Unfortunately, Microsoft anticipates that this later patch will end up breaking authentication on some devices. Some details about this second patch have been described here.
    Attacks using Zerologon are a given, primarily due to the bug’s severity, wide impact, and benefits for attackers.
    Secura has not released proof-of-concept code for a weaponized Zerologon attack, but the company expects that these will eventually surface after its report spreads online today.
    In the meantime, the company has released a Python script instead, a script that can tell administrators if their domain controller has been patched correctly.
    Updated at 5:00 PM ET to add that, as expected, weaponized proof-of-concept code has been made publicly available, which means the exploitation window for this vulnerability is now open.

  • Ransomware: This essential step could help you make it through an attack

    Plan for your organisation to become the victim of a ransomware or malware attack, even if you think it’s extremely unlikely you’ll be targeted, because having an incident response plan will greatly reduce the impact if the worst happens.
    The advice is part of the National Cyber Security Centre’s (NCSC) updated guidance on mitigating malware and ransomware attacks under a new section on preparing for an incident. The guidance has been updated because of what the NCSC describes as “a growing threat from ransomware attacks”.
    One of the key pieces of advice is to plan for an attack on your systems even if you think it’s unlikely, because as the agency notes, there are many organisations which have been impacted by malware as collateral damage, even when they weren’t the intended target.
    For example, both the WannaCry and NotPetya cyber attacks caused damage to organisations around the world who weren’t specifically being targeted by hackers.
    To ensure that an organisation is as prepared for an attack as possible, the first thing it should do is identify its critical assets and what the impact would be if they were disrupted by a malware attack – then develop an incident response plan which accounts for what should happen if there is an attack.
    The NCSC says that a well planned and executed response will help to minimise the damage caused by a cyber attack and could result in anything from restricting the amount of data lost to being able to minimise public fallout after falling victim to an incident.
    The incident response plan should also be tested thoroughly to help clarify the roles and responsibilities of both staff and third parties and how to go about a system recovery if the network is taken out.
    For example, in the event of ransomware shutting down the network, an organisation should already know how long it would take to restore minimum functionality to the network, what processes need to be followed to restore servers and files from backups and how critical business services can still operate while the incident is ongoing.
    The guidance also suggests that organisations should have plans in place so that if they do fall victim to a ransomware attack, they already know how they’d respond to a ransom demand and the threat of data being published as part of the extortion scheme.
    This advice on being prepared for an incident is in addition to previous advice from the NCSC, which urges organisations to make regular backups, and prevent malware being delivered to devices and stopping malware from being able to run, for example, by limiting permissions which aren’t needed. Organisations are also urged to install security updates as and when they arrive.
    The latest guidelines are based on the NCSC’s own experience of helping organisations resolve incidents over the course of this year.
    “With each incident the NCSC manages, we continue to learn. We learn about how criminals compromise networks, how they deploy malware, and the mitigations that – if in place – would have prevented the attack,” said the NCSC blog post.
    “Knowledge like this, which we acquire from the ‘cyber frontline’, is invaluable and informs the guidance we publish. This is why we’ve updated the mitigating malware and ransomware guidance; to ensure that it reflects the changing nature of the incidents we are dealing with”.
    To help organisations manage their incident response strategy, the NCSC recommends its free Exercise in a Box online tool which contains materials for setting up, planning, delivery, and post-exercise activity – many of which are based on data from real cyber attacks.

  • COVID cybercrime: 10 disturbing statistics to keep you awake tonight

    On Tuesday, I’ll be joining CBS Interactive’s Michael Steinhart and Netenrich’s Brandon Hoffman in what promises to be a fascinating webcast about attack surface intelligence. While preparing for my part of the session, I came upon a bunch of unsettling statistics about how cybercrime and cyberattacks have gotten worse since the beginning of the COVID-19 pandemic.
    And since we can’t be in the same room together anymore, I figured the next most neighborly thing I could do is share the pain. So let’s dive in together. You might want to take a few Tums before you do. Your stomach acid level will thank me.
    1. The number of unsecured remote desktop machines rose by more than 40%
    As you might expect with so many new remote workers, there’s been a huge surge in the number of remote desktop connections from home to work (or the cloud). According to Channel Futures citing a Webroot study, there’s been over a 40% surge in machines running RDP (remote desktop protocol).
    The issue with unsecured machines is that criminals can use brute force attacks to gain access to a desktop machine. And once on the network with a desktop machine… badness happens.
    2. RDP brute-force attacks grew 400% in March and April alone
    According to Catalin Cimpanu here on ZDNet, cybersecurity firm Kaspersky released a report in April showing a huge jump in RDP (remote desktop protocol) attacks.
    All these new remote desktop connections create a target-rich environment. But here’s the thing: What happens when you rush to spin up a ton of services almost overnight? Mistakes are made. That’s one reason why so many remote desktops are not secure.
    And what happens when you have unsecured systems? A 400% boost in brute-force attacks. Yay, humanity!
    3. Email scams related to COVID-19 surged 667% in March alone
    According to Barracuda Networks, the number of phishing scams related to COVID-19 exploded in March. It probably continued in April and beyond, but we only have March data right now.

    These scams work the same as normal phishing scams, trying to separate users from credentials. The only difference is that the emails are using the pandemic to try to push a new set of psychological hot buttons.
    Because of so much rushed digital transformation, people are now accepting emails that might not look as formal or professional as before the pandemic. And they click on those messages or log into those real-looking sites.
    4. Users are now three times more likely to click on pandemic-related phishing scams
    Let’s add a bonus statistic, courtesy of the Verizon Business 2020 Data Breach Investigations Report. Even prior to the pandemic, credential theft and phishing were at the heart of more than 67% of breaches.
    In a test performed in late March, researchers found that users are three times more likely to click on a phishing link and then enter their credentials than they were pre-COVID. Of course, it doesn’t hurt that those phishing emails often used words like “COVID” or “coronavirus”, “masks”, “test”, “quarantine” and “vaccine.”
    5. Billions of COVID-19 pages on the Internet
    About three weeks ago, I did a Google search on the phrase “COVID-19” and got 6.1 million search results. Today, the same query yielded 4.8 billion results. Clearly, it’s a topic on top-of-mind for many of us. It’s also top-of-mind for scammers, because…
    6. Tens of thousands of new coronavirus-related domains are being created daily
    ZDNet has been tracking the rise in coronavirus-themed domains and has found that tens of thousands of new unique coronavirus-themed domains are being created on a daily basis.
    7. 90% of newly created coronavirus domains are scammy
    How many of these sites are legitimate? According to the same ZDNet research performed by Catalin, “in nine out of ten cases, we found a scam site peddling fake cures, or private sites, most likely used for malware distribution only to users with a specific referral header.”
    8. More than 530,000 Zoom accounts sold on dark web
    Just as there has been a rise in remote work and remote desktop, there has been an unprecedented rise in desktop video conferencing, mostly using Zoom. While Zoom has had some security issues, and we’ve seen the rise of a new practice called “Zoom bombing,” the site Bleeping Computer reports it found more than half a million Zoom credentials for sale – at roughly a penny a login ID.
    9. 2000% increase in malicious files with “zoom” in name
    And while we’re on the topic of Zoom, Webroot (via Channel Futures) reports that it’s seeing a 2,000% rise in malicious files containing the string “zoom.” Just for the heck of it, I typed the word “zoom” into Google and got 1.9 billion results. To be fair, zoom is a real word. That said, the Google Trends chart below shows how there was barely any interest in “zoom” until around March when “zoom” interest zoomed into the stratosphere.
    Google Trends
    10. COVID-19 drives 72% to 105% ransomware spike
    According to the Skybox Security 2020 Vulnerability and Threat Trends Report, ransomware samples (captured malicious files and code) have shot up 72% since the beginning of the pandemic. If you want even more worrisome numbers, look no further than SonicWall’s 2020 Cyberthreat report, which sees a 105% spike.
    The samples are not necessarily coronavirus-related, but it’s a huge jump in a very short period of time that corresponds with our current troubles. That said, the SonicWall report indicates, “While it’s impossible to determine causation, a strong correlation can be found in the ransomware graph and the patterns of COVID-19 infections.” Because, of course it can.

    But wait, there’s more

    Although these items didn’t fit nicely into little statistics, we’ve noticed more coronavirus-related scams and problems, including ransomware on fake contact tracing apps, COVID-19 malware that will wipe your PC and blast your master boot record, and the totally unsurprising story that the Russians are meddling with western scientific coronavirus vaccine research. You know what they say: Putins will be Putins.
    Stay tuned to ZDNet’s Zero Day column for ongoing coverage of security threat issues. And feel free to join me tomorrow, September 15 in Get ahead of an attack: What weaknesses do hackers see in your network? at 2:00 pm ET / 11:00 am PT / 18:00 GMT. It’s free and should be quite informative.
    I’d like to end this on an upbeat note and tell you something positive about malware trends or even the coronavirus. Since I can’t, I’ll just tell you something personally uplifting: there’s still time tonight for me to have another cup of coffee. It’s not big, but these days, we’ve got to acknowledge and embrace the small pleasures. Mine will be another hot cup ‘o Joe warming my cozy hands, in about five minutes.
    Do you have any thoughts to share about coronavirus-themed malware? What about coffee? I’m always open to a good coffee discussion. Either way, share in the comments below.

    You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.