More stories

    Secureworks acquires vulnerability management platform Delve

    Secureworks has acquired Delve to bring a new vulnerability management solution to the firm’s portfolio. 

    Announced on Wednesday, Secureworks says the deal will “enrich Secureworks’ intelligence, further differentiate our end-to-end capabilities, and accelerate our transformation to deliver software with security at its core.”
    The financial terms of the deal were not disclosed. 
    Founded in 2014, Delve offers enterprise clients a vulnerability management platform based on artificial intelligence (AI) and machine learning (ML). 
    With so many new vulnerabilities reported every day, security professionals and IT administrators face the challenge of working out what bugs are applicable to their businesses, and in what order fixes and patches should be applied based on severity and their potential impact. 
    Delve aims to tackle this with a Software-as-a-Service (SaaS) solution that applies AI and ML to vulnerability lists in order to rank security flaws by importance and context — including external factors — to assist users in their decision-making. 
    Delve has offices in Montreal and New York City. Under the terms of the agreement, the automated vulnerability management platform, which also includes scanning and remediation planning tools, will become part of Secureworks’ portfolio. 
    Technologies developed by the company will also be integrated into Secureworks’ Red Cloak and TDR threat detection platform and application.
    “Together, we will expand customers’ access to the solutions and applications they need to make decisions that effectively defend their organizations against the most threatening adversaries,” commented Gabriel Tremblay, Delve CEO. 
    The acquisition is expected to close in Q3 2020 subject to regulatory approval. 

    New CDRThief malware targets VoIP softswitches to steal call detail records

    Security researchers from Slovak cyber-security firm ESET said today they discovered a very rare piece of Linux malware that targets Voice-over-IP (VoIP) telephony switches with the end goal of stealing call details metadata.
    For the time being, researchers said they merely spotted the malware and analyzed its behavior, but aren’t 100% sure who developed it, and for what purpose.
    Considered theories include that the malware, which they named CDRThief, could be used for cyber-espionage or for a type of telephony fraud scheme known as International Revenue Share Fraud (IRSF).
    How CDRThief works
    But regardless of the end goal, the general conclusion from the ESET team was that CDRThief was developed by a threat actor with deep knowledge of the VoIP landscape.
    For starters, the malware only targets VoIP softswitches running on Linux servers. VoIP softswitches are software programs that run on regular servers and are designed to route calls using software rather than special hardware.
    Second, CDRThief only targets two softswitch programs, namely the VOS2009 and VOS3000 systems from Chinese company Linknat.
    “At the time of writing we do not know how the malware is deployed onto compromised devices,” Anton Cherepanov, one of ESET’s top malware hunters, wrote in an analysis today.
    “We speculate that attackers might obtain access to the device using a brute-force attack or by exploiting a vulnerability. Such vulnerabilities in VOS2009/VOS3000 have been reported publicly in the past,” Cherepanov added.
    However, once the malware has a foothold on a Linux server running Linknat VOS2009 or VOS3000, it searches for the Linknat configuration files and extracts credentials for the built-in MySQL database, where the softswitch stores call detail records (CDRs, i.e. VoIP call metadata).
    “Interestingly, the password from the configuration file is stored encrypted,” Cherepanov pointed out.
    “However, Linux/CDRThief malware is still able to read and decrypt it. Thus, the attackers demonstrate deep knowledge of the targeted platform, since the algorithm and encryption keys used are not documented as far as we can tell. It means that the attackers had to reverse engineer platform binaries or otherwise obtain information about the AES encryption algorithm and key used in the Linknat code.”
    After this step, Cherepanov says the malware connects to the MySQL database and runs SQL queries to gather CDR metadata, which is later uploaded to a remote server.
    Attacks on telecoms not a rare sight
    The ESET researcher said CDRThief is an extremely narrow piece of malware, built only for stealing VoIP call metadata and nothing else. The malware doesn’t run shell commands or search for and steal other files, at least in its current form, meaning its creators and the people behind CDRThief attacks knew exactly what they wanted from each of their intrusions.
    Furthermore, VoIP softswitches aren’t your regular type of software. They are usually installed on the networks of large telecommunications providers.
    Over the past few years, incidents where hackers (usually state-sponsored groups) have targeted telecoms to steal information on traffic and voice calls have increased. These include:
    • Operation Soft Cell: Chinese-linked hackers breached 10 telecoms and stole voice call metadata.
    • The A1 Telekom incident: A whistleblower revealed that Chinese hackers breached the internal network of Austria’s largest telecom provider and queried internal systems for “location, phone numbers and other customer data for certain private A1 customers.”
    • MessageTap malware: FireEye said it discovered malware specifically designed to infect Short Message Service Center (SMSC) servers on a telco’s network and steal data about SMS traffic.

    Privacy concerns prompt Irish regulators to ask Facebook to stop sending EU user data to the US

    Facebook says that Irish regulators believe current user data exchange methods between the US and EU “cannot in practice be used,” leading to an inquiry into the data transfer practices employed by the company. 

    The Irish Data Protection Commission (IDPC) is referring to Standard Contractual Clauses (SCCs), mechanisms designed to facilitate data transfers between the EU and non-EU countries. 
    In Facebook’s case, SCCs are used to maintain transatlantic data flows including the exchange of EU user data. 
    The Wall Street Journal reports that the IDPC sent a preliminary order to the social media giant last month to suspend the transfer of EU user data to the US.
    In a blog post penned by Nick Clegg, Facebook’s VP of Global Affairs and Communications on September 9, Clegg said that the IDPC has launched an inquiry into such data transfers and “suggested that SCCs cannot in practice be used for EU-US data transfers,” resulting in what could be a “far-reaching” impact on businesses. 
    The EU-US Data Privacy Shield framework, established to enforce high protection standards when information is transferred out of EU borders, was the subject of a case brought to the Court of Justice of the European Union (CJEU) by Max Schrems.
    The activist argued that the system could subject EU citizen data to abuse by US law enforcement, which is known to operate widespread surveillance programs. 
    In July, the court ruled Privacy Shield invalid under GDPR standards, but SCCs — case-by-case data exchange mechanisms that enforce “essential equivalence” to EU data protection standards — are still considered valid by the CJEU. 
    Data controllers are required to maintain stringent data protection measures if they use SCCs, and if they are found to be in breach, EU regulators have the power to suspend SCC programs.
    However, Facebook claims that if it complies with the Irish regulators’ stance on SCCs rather than the CJEU’s, leaving no way to legally exchange data across EU and US digital borders, economic damage will follow, and data-driven companies in Europe will also suffer when it comes to growth. 
    “In the worst-case scenario, this could mean that a small tech start-up in Germany would no longer be able to use a US-based cloud provider,” Clegg says. “A Spanish product development company could no longer be able to run an operation across multiple time zones. A French retailer may find they can no longer maintain a call center in Morocco.”
    The executive added that since the CJEU’s ruling in July, Facebook has been “working hard to follow the steps set out by the court to ensure that we can continue to transfer data in a safe and secure way.”
    Facebook has created a European Data Protection Board task force to consider how best to apply the CJEU ruling, and both the EU Commission and the US Department of Commerce are in talks to create an “enhanced” EU-US Privacy Shield. 
    Facebook says it will continue to comply with the CJEU ruling “until we receive further guidance.”


    Now Amazon adds ex-NSA chief Keith Alexander to its board

    Former National Security Agency director General Keith Alexander has joined Amazon’s board of directors. 
    As first reported by The Verge, Amazon revealed Alexander’s appointment in a new filing with the Securities and Exchange Commission. 

    “Alexander served as the commander of US Cyber Command from May 2010 to March 2014 and was director of the National Security Agency and chief of the Central Security Service from August 2005 to March 2014,” Amazon states in the filing. 
    He’s also co-CEO and president of IronNet Cybersecurity, a cybersecurity company he founded in 2014 after leaving the NSA. 
    Alexander headed up the NSA at the time when former government contractor Edward Snowden leaked thousands of documents revealing the intelligence agency’s mass-surveillance programs, such as PRISM.
    At Black Hat US 2013, Alexander defended NSA’s surveillance programs as critical to defending the US against terrorist attacks. 
    As a former NSA chief with deep intelligence and defense connections, Alexander is likely to be useful in Amazon’s ongoing challenge to the Pentagon’s selection of Microsoft for its $10bn JEDI contract. 
    The Department of Defense last week concluded its review of the decision and opted to uphold the award to Microsoft. 
    Amazon last week said the Pentagon’s decision was “politically corrupted” by Defense Department officials who bowed to pressure from President Trump. The company also highlighted concerns over “a growing trend where defense officials act based on a desire to please the President, rather than do what’s right”.
    Following a meeting Alexander had with President Trump in 2013, the former NSA chief said he was “really impressed” with Trump and that he was the “president our nation needs – somebody who is looking how to solve cybersecurity issues”.

    Data center giant Equinix discloses ransomware incident

    Equinix, one of the world’s largest providers of on-demand colocation data centers, disclosed a security breach today.
    In a short statement published on its website, Equinix said it found ransomware on its internal systems, but that the main core of its customer-facing services remained unaffected.
    “Our data centers and our service offerings, including managed services, remain fully operational, and the incident has not affected our ability to support our customers,” the company said.
    There is no suggestion that the company is downplaying the incident, with no major outages being reported at the time of writing, and no wave of customer complaints flooding social media.
    “Note that as most customers operate their own equipment within Equinix data centers, this incident has had no impact on their operations or the data on their equipment at Equinix,” the company added.
    Details about the ins and outs of the attack are not available, with Equinix citing an ongoing investigation.
    Equinix is just the latest in a long list of ransomware incidents that have impacted web hosting and data center providers. The list also includes CyrusOne, Cognizant, A2 Hosting, SmarterASP.NET, Dataresolution.net, and Internet Nayana.
    Such companies are ripe targets for cyber-criminals, and especially for ransomware gangs. The reasons are simple: attacks have an immediate effect, often bringing down services not only for the impacted companies but also for their respective customers, all of whom expect near-perfect uptime.
    This usually puts pressure on the data center or web hosting provider to restore services right away, which may sometimes include paying huge ransom demands.
    Equinix is listed on the NASDAQ stock exchange as EQIX and has around 8,000 employees. Earlier this year, Equinix entered into an agreement to purchase a portfolio of 13 data center sites, representing 25 data centers across Canada, from BCE Inc. for approximately $750 million.

    ProLock ransomware – everything you need to know

    Since the start of the year, a new ransomware gang named ProLock has made a name for itself by hacking into large companies and government networks, encrypting files, and demanding huge ransom payments.
    ProLock is the latest ransomware gang that has adopted the “big-game hunting” approach to its operations. Big-game hunting refers to going after larger targets in order to extract big payments from victims who can afford it.
    System administrators who manage these larger networks are most likely to see attacks from this particular group.
    Below is a short summary of all ProLock activities that system administrators need to be aware of, based on reports published by Group-IB, Sophos, and two FBI alerts [1, 2].
    ProLock’s start
    The ProLock gang began its attacks in late 2019. They initially operated under the name PwndLocker but rolled out a major code upgrade and changed their name to ProLock in March 2020, after security researchers identified a bug in the original PwndLocker strain and released a free decrypter.
    Distribution
    In most of the incidents analyzed by security researchers, the ProLock ransomware was deployed on networks that have been previously infected with the Qakbot trojan.
    The Qakbot trojan is distributed via email spam campaigns or is dropped as a second-stage payload on computers previously infected with the Emotet trojan. System administrators who find computers infected with either of these two malware strains should isolate systems and audit their networks, as the ProLock gang could be already wandering around their systems.
    Lateral movement
    Since the ProLock gang usually buys access to one Qakbot-infected computer and not entire networks, they also have to expand their access from this initial entry point to other nearby computers for maximum damage.
    This operation is called “lateral movement,” and there are various ways the ProLock gang does this.
    Group-IB says ProLock uses the CVE-2019-0859 Windows vulnerability to gain administrator-level access on infected hosts and then deploys the Mimikatz tool to dump credentials from the infected system.
    Depending on what they find, the ProLock gang can use these credentials to move laterally across a network via RDP, SMB, or the local domain controller.
    WMIC is used at the last moment to push the actual ransomware to all compromised hosts, where it encrypts files and, according to Sophos, plays the OS alert tone to signal the end of the encryption routine.
    Impact
    All the operations needed to move laterally across a network are executed by a human operator in front of a terminal — and are not automated.
    As a result, ProLock incidents usually manage to infect a large number of computers, as the ProLock human operator bides their time in order to maximize damage.
    Group-IB says this tactic allows the group to demand very high decryption fees from victims, most of which face prolonged downtime if they decide to rebuild their internal networks.
    “The fact that their average ransom demands range anywhere from 35 to 90 Bitcoin (approx. $400,000 to $1,000,000) only confirms their ‘think big’ strategy,” Group-IB said in a private report shared with ZDNet today.
    These sums are below the average ($1.8 million) of some other big-game hunting ransomware gangs, but ProLock extortions have been gradually increasing in recent months. For example, Group-IB told ZDNet that a recent ProLock case it traced involved a ransom of 225 Bitcoin, which is around $2.3 million.
    Some of the group’s past victims include big names like ATM maker Diebold Nixdorf, the city of Novi Sad in Serbia, and Lasalle County in Illinois.
    Paying the ransom
    But despite the damage this ransomware group can do, in one of its two alerts, the FBI warned organizations against paying the ransom, as the ProLock decrypter that victims receive doesn’t always work as intended, and usually fails when decrypting larger files.
    Victim shaming
    Furthermore, ProLock has also been seen in some incidents leaking data from the networks of victims they infected, and which refused to pay.
    While some other ransomware groups have created special sites where they leak this data, ProLock prefers to dump it on hacking forums or pass it to journalists via email.
    All in all, ProLock appears to be the first ransomware gang to use Qakbot as an initial entry point, but most of its other tactics are shared with other big-game hunting and human-operated ransomware gangs — so defending networks against ProLock should be straightforward for companies that have already taken precautions against the other ransomware groups.

    University of South Australia says blockchain at odds with privacy obligations

    The University of South Australia (UniSA) has called for more work to be done on ensuring blockchain technology conforms to privacy rights and expectations.
    The university said there are key privacy issues inherent to current blockchain platforms. A paper by UniSA emerging technologies researcher Dr Kirsten Wahlstrom and Charles Sturt University’s Dr Anwaar Ulhaq and Professor Oliver Burmeister argues that the exact features that make blockchain such a secure technology also make it a privacy minefield.
    This is because a blockchain verifies future transactions using details of previous ones, including participants’ identities and exchange values, by embedding this information in the data chain, and because the viability of the system depends on each block being uneditable.
    Pointing to the “right to be forgotten” as currently enshrined in laws such as Europe’s General Data Protection Regulation (GDPR), Wahlstrom said the inherent idea of blockchain clashes with such a directive.
    “The European Court of Justice ruled European citizens have the right to be forgotten, but once someone’s details are embedded in a blockchain, the system never forgets — yes, those details might be encrypted, but they are also part of an irreversible ledger, and one that’s on the cloud,” she said. “As long as a blockchain is in existence, it clashes with the European ruling that people have the right to retract data.”
    To counter this, Wahlstrom suggests greater efforts should be placed on developing variations of blockchain technology, to allow it to retain its virtues while also taking the privacy consideration seriously.
    “For example, our research has looked at the Holochain platform, which uses a distributed hash table to break the blockchain up, and then the chain, instead of sitting on the cloud, sits where end users want it to sit,” Wahlstrom added.
    “This allows individuals to verify data without disclosing all its details or permanently storing it in the cloud, but there are also still a lot of questions to answer about how this affects the long-term viability of the chain and how it obtains verifications.”
    With the Australian government earlier this month releasing a code of practice for securing the Internet of Things (IoT) that is only voluntary, Wahlstrom also said considerations must be anticipated and addressed as an integral part of developing new technologies, rather than just treated as a secondary issue that can be tackled reactively and retrospectively.
    “We know that technologies disrupt society, and too often they do that in ways that we’re not fully aware of when it is actually happening,” she said. “We’re at a really delicate point with this because, increasingly, societies and economies are organised around data, and that has huge implications for privacy.
    “The main problem is, we’re still struggling to understand what ‘privacy’ actually means in an online world — it’s not the same as data security and protection, it’s about how individuals control their whole online identity, and expectations around that change from person to person and situation to situation.”
    She said the crucial first step is for the industry to develop a clear definition of what privacy actually is, and then agree to standards to ensure those requirements are met across the board.

    Slovak cryptocurrency exchange ETERBASE discloses $5.4 million hack

    ETERBASE, a Bratislava-based cryptocurrency exchange, disclosed this week a security breach. The exchange said hackers breached its internal network and stole cryptocurrency funds worth $5.4 million.
    The incident, which was disclosed on Thursday, involved the theft of various cryptocurrencies from the company’s hot wallets.
    Hot wallets are cryptocurrency accounts that are actively connected to the internet and which ETERBASE was using to power its inter- and intra-currency exchange operations.
    Funds were stolen from six hot wallets, storing Bitcoin, Ether, ALGO, Ripple, Tezos, and TRON assets.
    In a series of messages posted on its Telegram channel, the company said it detected the attack but could not stop it from taking place.
    Nonetheless, ETERBASE said it tracked the transactions as they left its wallets, and is currently tracing the stolen funds as they move around their respective blockchains.
    ETERBASE has also already contacted the exchanges where the stolen funds have landed and requested that its stolen assets be frozen.

    Currently, all transactions on ETERBASE have been suspended until September 10, but the company said it planned to resume operations and reassured users that it had enough reserve funds to continue operating.
    Law enforcement was also notified, the company added.