More stories

    Facebook data on 533 million users posted online

    Data of 553 million Facebook users, including phone numbers, Facebook IDs, full names, birth dates and other information, have been posted online. The data dump was tweeted by Alon Gal, CTO of security firm Hudson Rock. Gal posted a list of affected users by country. According to his list, the US had 32.3 million affected users and the UK had 11.5 million. The data was accessed via a Telegram bot. Other data points in the posting included gender, location and job status. Catalin Cimpanu, at The Record, also reported that he reviewed samples of the leaked data. The data is reportedly broken up into download packages by country. With the Facebook data out in the public, it’s safe to expect it to be used for cybercrime.

    VPNs, two-factor-authentication and more: Keeping your data safe from hackers while working from home

    Organisations have had to adapt quickly to the realities of staff working remotely and that has come with a number of challenges, particularly surrounding cybersecurity. Businesses that previously relied on employees using work-issued computers and being protected behind a corporate firewall have had to deal with staff using their personal devices and their home internet connection.

    And with indications that many organisations believe that, post-pandemic, we will see a switch to a hybrid model with a balance between working at the office and working from home, it’s important that employees are equipped with the right training and tools to keep business data and networks secure against cyberattacks.

    Account hijacking is one of the most common means for cyber criminals to gain access to corporate networks. These attacks can involve phishing emails that attempt to trick victims into handing over their username and password, providing criminals with login credentials they can use to gain access to accounts and the wider network.

    But sometimes there isn’t even the need for attackers to use phishing emails, with brute force attacks enough to breach accounts. These attacks involve the automated submission of common or simple passwords against accounts, in the hope that accounts are secured with common, weak passwords that are easily breached.

    People are often told that they should secure their accounts with long, complex passwords – but they can be difficult to remember, especially if people have many accounts. That can lead to password re-use, the use of simple passwords – or both.

    “Human beings can’t remember more than four to five passwords, we get cognitive overload. That’s the way our brains are wired, it is difficult for us to remember passwords, so we can’t just keep loading on different passwords that are increasingly complex and expect people to remember them,” says Daisy McCartney, cybersecurity culture and behaviour lead at PwC UK.

    So while telling people to use lengthy, complex passwords is good cybersecurity practice, it’s just not possible for people to remember many different passwords for many different accounts – something that can lead to using weak passwords that cyber attackers can exploit.

    One answer to this is for organisations to issue employees with a password manager – software that manages passwords for users, allowing them to use complex passwords for every different account without needing to remember them each time they log in. Another tool that can be used to keep corporate accounts of remote workers secure is two-factor authentication. This requires additional verification to log into an account, commonly in the form of an alert on an app. This pops up when there’s an attempt to log in to the account and the user will gain access after confirming the login attempt was legitimate.

    Two-factor authentication provides an extra layer of defence for accounts – and their users – because it prevents cyber attackers from gaining access even if they’ve hacked or stolen the correct credentials, because they also need access to the second element of the authentication. Such is the extent of that protection, Microsoft says two-factor authentication prevents 99.9% of attempted attacks, so all businesses that have remote – and non-remote – workers should apply it for additional cybersecurity.

    One of the big changes the move towards remote working has brought about is removing employees from the protection of the corporate firewall. Working from inside the office provides people with anti-virus and other protections that can help to filter out some attacks. Now, instead of this, many people are working from their own computer from their homes, where they may not have anti-virus at all – and their home router won’t provide a robust defence against attackers like a corporate firewall would.

    Criminals know this and are looking to take advantage with cyberattacks, especially when people – rushed off their feet while balancing working from home with the rest of their life – might unintentionally click on a phishing link or respond to a request that appears to come from a colleague but is actually a cyber criminal. “Humans are ultimately fallible. Unfortunately it’s the organic matter behind the keyboard, which is often the vulnerable part of the loop,” says Troy Hunt, creator of HaveIBeenPwned and digital advisor to Nord Security.

    A VPN – short for Virtual Private Network – provides a protected network connection for remote connections, to the extent that even an ISP can’t see what websites are visited or what data is sent. It ultimately acts as something of a corporate firewall while the employee is working remotely. And by providing remote workers with access to a corporate VPN, not only does it help keep data and communications secure, an organisation can also configure it so that while the VPN is active, action can be taken to prevent potentially dangerous activity, such as visiting phishing pages and other malicious websites.

    But it isn’t fair to put all of the responsibility of staying secure on employees. Enterprise IT and information security departments must continue to play a role in helping the organisation stay safe. For example, if an employee is suddenly logging in from a strange location or at a strange time and then they’re attempting to access parts of the network that usually aren’t of interest to them, that could indicate suspicious activity that needs to be investigated or blocked. “We need to have that balance of the education and the training, with the technology to back it up and help us out when things do go wrong,” says Hunt.

    For many people, the last year was the first time they’d had to work from home and it hasn’t been an easy transition, especially when it happened so quickly, under the pressures of a global pandemic. “Navigating this really complex topic can be quite scary for people, we need to help them not feel so fearful about it,” says McCartney.

    There are also other steps that businesses can take to protect their data. They can make sure that data is encrypted on laptops or other devices so that, if they are lost or stolen, the information is not accessible. On laptops this may simply be a case of enabling encryption; on smartphones it may be a case of introducing some form of mobile device-management software to protect the whole device or the business data on a personal device. Getting staff to use cloud services to store data may be more secure than using USB devices (which can be an easy route to delivering malware to laptops).

    Without the right tools and training to help them stay secure, employees may not be confident about keeping secure – but with the right help and support from an employer, it’s possible to adapt to remote work while also keeping safe from cyber threats.
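    The sign-in check described above (unusual location, unusual time, unusual resource) as an added PowerShell example; this is not code from the article or from any organisation quoted in it. The record layout, the two-hour margin around observed working hours and the rule of escalating only when two or more signals coincide are assumptions, and every record below is constructed sample data rather than a real log.

```powershell
# Added example: build a per-user baseline from past sign-ins and score new sign-ins
# against it. Field names (User, Country, Hour, Resource) are an assumption; any
# sign-in export with equivalent fields could be mapped onto them.

# Constructed historical sign-ins describing each user's normal pattern.
$history = @(
    [pscustomobject]@{ User = 'alice'; Country = 'GB'; Hour = 9;  Resource = 'finance-share' },
    [pscustomobject]@{ User = 'alice'; Country = 'GB'; Hour = 10; Resource = 'finance-share' },
    [pscustomobject]@{ User = 'alice'; Country = 'GB'; Hour = 14; Resource = 'mail' },
    [pscustomobject]@{ User = 'bob';   Country = 'US'; Hour = 8;  Resource = 'dev-git' },
    [pscustomobject]@{ User = 'bob';   Country = 'US'; Hour = 17; Resource = 'dev-git' }
)

# Constructed new sign-ins to evaluate against the baseline.
$events = @(
    [pscustomobject]@{ User = 'alice'; Country = 'GB'; Hour = 11; Resource = 'mail' },
    [pscustomobject]@{ User = 'alice'; Country = 'RU'; Hour = 3;  Resource = 'hr-records' },
    [pscustomobject]@{ User = 'bob';   Country = 'US'; Hour = 9;  Resource = 'finance-share' }
)

function Get-UserBaseline {
    param([object[]]$History)
    $baseline = @{}
    foreach ($group in ($History | Group-Object User)) {
        $baseline[$group.Name] = @{
            Countries = @($group.Group.Country  | Sort-Object -Unique)
            Hours     = @($group.Group.Hour     | Sort-Object -Unique)
            Resources = @($group.Group.Resource | Sort-Object -Unique)
        }
    }
    return $baseline
}

function Test-SignIn {
    param([object]$Event, [hashtable]$Baseline)
    $b = $Baseline[$Event.User]
    # A user with no history at all is itself worth a look.
    if (-not $b) {
        return [pscustomobject]@{ User = $Event.User; Score = 1; Reasons = 'no baseline for user' }
    }
    $reasons = @()
    if ($b.Countries -notcontains $Event.Country) { $reasons += "new country $($Event.Country)" }
    # "Strange time": outside the hours seen before, with a two-hour margin (assumption).
    $minHour = ($b.Hours | Measure-Object -Minimum).Minimum - 2
    $maxHour = ($b.Hours | Measure-Object -Maximum).Maximum + 2
    if ($Event.Hour -lt $minHour -or $Event.Hour -gt $maxHour) { $reasons += "unusual hour $($Event.Hour)" }
    if ($b.Resources -notcontains $Event.Resource) { $reasons += "new resource $($Event.Resource)" }
    [pscustomobject]@{ User = $Event.User; Score = $reasons.Count; Reasons = ($reasons -join '; ') }
}

$baseline = Get-UserBaseline -History $history
$events |
    ForEach-Object { Test-SignIn -Event $_ -Baseline $baseline } |
    Where-Object { $_.Score -ge 2 } |   # escalate only when several signals coincide
    Format-Table -AutoSize
```

    With the sample data, only the second alice sign-in is escalated (new country, hour outside the observed range, and a resource she has never touched), while bob's first access to the finance share scores a single signal and is left for routine review. Scoring on coinciding signals rather than on any one of them keeps a single new VPN exit country or one late-night login from paging an analyst.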

    This is where the iPhone hands down beats Android

    Sit me down and ask me to tell you what I think is wrong with the iPhone, and I’ll rattle off a long list. A really long list.

    But there’s one thing that Apple has that’s spot on — and that’s delivering patches to older handsets. A very serious vulnerability was discovered recently that affected the iPhone and iPad (along with the Apple Watch and iPod touch). Apple quickly pushed out a patch, not only for the current iOS 14 release, but also for older devices stuck on iOS 12. Devices getting the update include the iPhone 5s, iPad Air, and iPod touch (6th generation). That’s support going back to September 2013. Devices stuck on iOS 12 have seen a number of updates over the past year, including security updates and also the framework for COVID-19 exposure notifications.

    And that’s very impressive. Apple did not update iOS 13 because devices running this version are all able to update to iOS 14 (iPhone 6s and later). However, if I have one complaint here, I wish Apple had released a specific patch for iOS 13 users (as it did with iOS 13.7 in order to bring COVID-19 exposure notifications to the platform). According to Apple, some 12% of devices in use run iOS 13, with another 8% running iOS 12 or earlier. If you’re running iOS 13, I strongly recommend updating, as the risk is real running an unsupported platform, especially if you keep important data on the device or use it for financial transactions.


    Exchange Server attacks: Run this Microsoft malware scanner now, CISA tells government agencies

    The Cybersecurity and Infrastructure Security Agency (CISA) has instructed US government agencies with on-premise Exchange systems to run Microsoft malware scanners and report results by April 5. CISA issued supplementary direction to its “ED 21-02” directive; the new request applies to any federal agency that had an Exchange server connected directly or indirectly to the internet at any point since January 1, 2021. 

    Exchange attacks

    The move follows the discovery of software flaws in on-premise versions of Microsoft Exchange Server being exploited by attackers. Exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network.

    The new CISA orders are aimed at ensuring agencies use newly developed Microsoft tools to identify any compromises that remain undetected. They need to be followed even if all steps in the earlier directive were completed. “Since the original issuance of ED 21-02, Microsoft has developed new tools and techniques to aid organizations in investigating whether their Microsoft Exchange servers have been compromised. CISA also identified Microsoft Exchange servers still in operation and hosted by (or on behalf of) federal agencies that require additional hardening,” CISA says in the supplement. “By 12:00 pm Eastern Daylight Time on Monday, April 5, 2021, download and run the current version of Microsoft Safety Scanner (MSERT) in Full Scan mode and report results to CISA using the provided reporting template,” it notes.

    The Microsoft scanner can use up a lot of a server’s processing capacity, so CISA recommends running the scan during off-peak hours.

    The other tool agencies are instructed to run is the Test-ProxyLogon.ps1 script, which Microsoft released in mid-March. The script can be run as administrator to check Exchange and IIS logs to discover signs of attacker activity, such as files written to the server and the presence of web shell scripts used for persistence. “This script checks targeted exchange servers for signs of the proxy logon compromise described in CVE-2021-26855, 26857, 26858, and 27065,” CISA explains.

    CISA also issued hardening instructions for Exchange servers, including applying software updates, ensuring that only a supported version of Exchange is being used, and reviewing permissions and roles. The hardening requirements need to be complete by Monday, June 28, 2021. “Exchange is, by default, installed with some of the most powerful privileges in Active Directory, making it a prime target for threat actors,” CISA warns. Agencies need to “enumerate accounts and groups that are leveraged by Exchange installations and review their permissions and roles.” They will also need to “review membership in highly privileged groups such as Administrators, Remote Desktop Users, and Enterprise Admins” and “review sensitive roles such as Mailbox Import Export and Organization Management (e.g. using the Get-ManagementRoleAssignment cmdlet in Exchange PowerShell)”. Agencies must “ensure that no account on an Exchange server is a member of the Domain Admin group in Active Directory”. Finally, they must prevent the accounts that manage on-premises Exchange from having administrative permissions in any Microsoft Office 365 environment.
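    The privilege review CISA describes, as an added PowerShell example; this is not CISA's or Microsoft's own script. It assumes it is run from the Exchange Management Shell on a host that also has the ActiveDirectory module, and uses only the group names, role names and the Get-ManagementRoleAssignment cmdlet named in the directive; Get-ExchangeServer, Get-ADGroupMember and Get-RoleGroupMember are standard Exchange and AD cmdlets added here to do the enumeration.

```powershell
# Added example: enumerate the Active Directory groups and Exchange roles the CISA
# supplement asks agencies to review, and flag the one hard rule it states
# (no Exchange server account in Domain Admins). Assumes Exchange Management Shell
# plus the ActiveDirectory module on the same host.

Import-Module ActiveDirectory

$privilegedGroups = @('Administrators', 'Remote Desktop Users', 'Enterprise Admins', 'Domain Admins')

# Computer account names of the on-premises Exchange servers, used for the Domain Admins check.
$exchangeHosts = @(Get-ExchangeServer | Select-Object -ExpandProperty Name)

function Get-PrivilegedGroupReport {
    foreach ($group in $privilegedGroups) {
        # -Recursive expands nested groups so indirect membership is not missed.
        foreach ($m in (Get-ADGroupMember -Identity $group -Recursive)) {
            $isExchangeHost = ($m.objectClass -eq 'computer') -and ($exchangeHosts -contains $m.Name)
            [pscustomobject]@{
                Group     = $group
                Member    = $m.SamAccountName
                Class     = $m.objectClass
                # Violation of the directive: an Exchange server account in Domain Admins.
                Violation = ($group -eq 'Domain Admins') -and $isExchangeHost
            }
        }
    }
}

function Get-SensitiveRoleReport {
    # Mailbox Import Export is a management role; -GetEffectiveUsers resolves the role
    # groups it is assigned to down to the individual users who effectively hold it.
    Get-ManagementRoleAssignment -Role 'Mailbox Import Export' -GetEffectiveUsers |
        Select-Object Role, RoleAssigneeName, EffectiveUserName

    # Organization Management is a role group rather than a role, so list its members directly.
    Get-RoleGroupMember -Identity 'Organization Management' |
        Select-Object @{ n = 'Role'; e = { 'Organization Management' } }, Name, RecipientType
}

$groupReport = Get-PrivilegedGroupReport
$groupReport | Format-Table -AutoSize
$groupReport | Where-Object Violation | ForEach-Object {
    Write-Warning "Exchange server $($_.Member) is a member of Domain Admins"
}
Get-SensitiveRoleReport | Format-Table -AutoSize
```

    The output is a review list, not a verdict: every member of the four groups and every effective holder of the two roles is printed so an administrator can decide which assignments are still needed, and only the Domain Admins rule is flagged automatically because it is the one the directive states as an absolute.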

    Hacked companies had backup plans. But they didn't print them out before the attack.

    Boardrooms still aren’t taking cybersecurity seriously, leaving organisations vulnerable to cyberattacks – with executives only paying attention after things have gone bad, according to the new National Cyber Security Centre (NCSC) boss Lindy Cameron.

    “I think in terms of what we want organisations to learn, it is that this is the kind of threat they need to think about. This is the kind of thing that should be as much a regular feature in risk conversations in board rooms as legal risk or financial risk – the CEO see the CISO as often as they see the financial director,” Cameron said. She said it should not be simply a technical conversation with the IT department, but the kind of conversation that’s held in the boardroom itself.

    “I want organisations to learn how serious the impact can be when this goes wrong,” Cameron said. And even if an organisation thinks it has a plan in place, things can still go wrong if some basic elements aren’t taken care of.

    “I’ve talked to organisations which have walked in on Monday mornings to find they can’t turn on their computers or phones, the backup plan was not printed out so they couldn’t find a phone number,” Cameron said.

    Organisations that fall victim to a cyberattack will often use it to re-prioritise their security strategy. “There’s no doubt that organisations that have experienced that have a much more visceral sense of what it feels like to experience a ransomware attack or cyberattack, and therefore they’re prepared better for that,” Cameron added.

    The NCSC offers tools like Exercise-in-a-Box and cybersecurity guidance for boardrooms to help organisations think about cyberattacks. Exercise-in-a-Box, for example, allows organisations to test their network defences against real cyberattack scenarios and take lessons on how to improve their security from that.

    Meanwhile, boardrooms should be involved when it comes to contingency planning against cyberattacks – they’re more likely to understand the potential threats if they’re discussed not as a technical problem, but a problem with risk, in a similar way to how they’d consider financial risk or legal risk. “It’s the same as any sensible contingency planning. It’s worth thinking through what’s the worst possible scenario, what’s the thing that could go wrong that you need to manage,” she added.

    That worst possible scenario depends on the organisation; it could be a data breach, it could be an interruption of services, or it could be disruption to cyber-physical systems. But the important thing is for organisations to think about the cyber risks out there and to have a plan to defend and mitigate against them – and if that happens, hands-on aid from the likes of NCSC won’t be necessary, because solid cybersecurity strategies are in place. “Ideally, more and more instances are handled well and handled without additional help,” said Cameron.

    DeepDotWeb dark web admin pleads guilty to gun, drug purchase kickbacks

    An administrator for the DeepDotWeb (DDW) portal has pleaded guilty to receiving kickbacks for connecting buyers and sellers of illegal goods in the dark web. 

    On Wednesday, the US Department of Justice (DoJ) said that Tal Prihar, a 37-year-old Israeli citizen living in Brazil, has admitted to operating DDW alongside co-owner Michael Phan since 2013. DDW, which was seized by law enforcement in 2019, was a portal for news and events surrounding the dark web. However, according to US prosecutors, the co-owners of the domain also received kickbacks for connecting buyers and sellers of illegal products. The DoJ claims that Phan and Prihar earned themselves over $8 million for providing direct links to marketplaces selling products including firearms, heroin, fentanyl, malware, and stolen data record dumps. The referral links included listings for AlphaBay, Agora, Abraxas, Dream, and Valhalla. These websites are not indexed on the clear web or by typical search engines. DDW was one of a number of resources that provided lists of active underground marketplaces, together with their hidden link addresses that were accessible via the Tor network. To hide the kickbacks, which totaled roughly 8,155 Bitcoins (BTC), Prihar laundered the funds through cryptocurrency wallets and bank accounts registered in the name of shell companies. Prihar has agreed to forfeit $8,414,173. The former website administrator has pleaded guilty to conspiracy to commit money laundering and he faces a maximum penalty of up to 20 years behind bars.

    Sentencing is due to occur on August 2. Phan faces the same charge. “Tal Prihar served as a broker for illegal Darknet marketplaces — helping such marketplaces find customers for fentanyl, firearms, and other dangerous contraband — and profited from the illegal business that ensued,” commented Acting Assistant Attorney General Nicholas McQuaid of the DoJ’s Criminal Division. “This prosecution, seizure of the broker website, and forfeiture send a clear message that we are not only prosecuting the administrators of Darknet marketplaces offering illegal goods and services, but we will also bring to justice those that aim to facilitate and profit from them.” In September, US law enforcement, together with Europol and other agencies, launched a coordinated takedown of illegal dark web vendors leading to 179 arrests. Dubbed “DisrupTor,” the operation also included the seizure of over $6.5 million and approximately 500kg in drugs such as fentanyl, heroin, cocaine, and ecstasy.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

    Google: North Korean hackers are targeting researchers through fake offensive security firm

    A North Korean hacking group known to have targeted security researchers in the past has now upped its game through the creation of a fake offensive security firm. 

    The threat actors, believed to be state-sponsored and backed by North Korea’s ruling party, were first documented by Google’s Threat Analysis Group (TAG) in January 2021. Google TAG, specialists in tracking advanced persistent threat (APT) groups, said at the time that the North Korean cyberattackers had established a web of fake profiles across social media, including Twitter, Keybase, and LinkedIn.  “In order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets,” Google said. “They’ve used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits, and for amplifying and retweeting posts from other accounts that they control.” When members of the group reached out to their targets, they would ask if their intended victim wanted to collaborate on cybersecurity research — before sending them a malicious Visual Studio project containing a backdoor. Alternatively, they may ask researchers to visit a blog laden with malicious code including browser exploits.  In an update posted on March 31, TAG’s Adam Weidemann said that the state-sponsored group has now changed tactics by creating a fake offensive security company, complete with new social media profiles and a branded website.  The fake company, dubbed “SecuriElite,” was set up on March 17 as securielite[.]com. SecuriElite claims to be based in Turkey and offers penetration testing services, software security assessments, and exploits. 

    A link to a PGP public key has been added to the website. While the inclusion of PGP is standard practice as an option for secure communication, the group has used these links in the past as a means to lure their targets into visiting a page where a browser-based exploit is waiting to deploy. In addition, the SecuriElite ‘team’ has been furnished with a fresh set of fake social media profiles. The threat actors are posing as fellow security researchers, recruiters for cybersecurity firms, and in one case, the HR director of “Trend Macro” — not to be confused with the legitimate company Trend Micro.

    Google’s team linked the North Korean group with the usage of an Internet Explorer zero-day back in January. The company believes that it is likely they have access to more exploits and will continue to use them in the future against legitimate security researchers. “We have reported all identified social media profiles to the platforms to allow them to take appropriate action,” Google says. “At this time, we have not observed the new attacker website serve malicious content, but we have added it to Google Safebrowsing as a precaution.”

    Gaming mods, cheat engines are spreading Trojan malware and planting backdoors

    Gaming mods and cheat engines are being weaponized to target gamers in new malware campaigns. 

    On Wednesday, researchers from Cisco Talos said the gaming tools are being used to deploy a cryptor — code designed to prevent reverse-engineering or analysis — for a variety of malware strains, the majority of which appear to be Remote Access Trojans (RATs).  The attack wave is focused on compromising the systems of gamers and modders. The initial attack vector begins with malvertising — adverts that lead to malicious websites or downloads — as well as YouTube how-to videos focused on game modding that link to malicious content.  There is already a vibrant marketplace for cheats and mods. Online gaming is now an industry worth millions of dollars — only propelled further with the emergence of competitive e-sports — and so some gamers will go so far as to purchase cheats to give them an edge.  Developers have upped their game, too, and will often upload their creations to VirusTotal to see if files are flagged as suspicious or malicious.  The risk in downloading system-modifying files is nothing new and the latest campaign only carries on the trend. Cheats, cheat engines, and mods have been found that contain cryptors able to hide RAT code and backdoors through multiple layers of obfuscation. Once a malicious mod or cheat has been downloaded and installed on a target machine, a dropper injects code into a new process to circumvent basic antivirus tools and detection algorithms. 

    The malware is then able to execute. Samples tracked so far include the deployment of XtremeRAT, an information stealer that has been associated with spam campaigns and the deployment of Zeus variants. 
    Cisco Talos notes that the cryptor uses Visual Basic 6, shellcode, and process injection techniques to make analysis difficult. “As workers continue to operate remotely during the COVID-19 pandemic and mix work with their private computer usage, enterprises are even more likely to be attacked by compromised personal PC equipment belonging to their employees,” the researchers say. “Employees will sometimes download modding tools or cheat engines from questionable sources to tweak their PC or games running on the same machine they use for their job.”