More stories


    ASIC takes former ANZ-owned RI Advice to court over inadequate cybersecurity

    The Australian Securities and Investments Commission (ASIC) is alleging RI Advice Group Pty Ltd, an Australian Financial Services (AFS) licence holder focused on retirement advice, failed to have adequate cybersecurity systems in place.
    ASIC has commenced proceedings in the Federal Court of Australia against RI, following a number of alleged cyber breach incidents at certain authorised representatives of RI.
    According to ASIC, incidents included an alleged cyber breach at Frontier Financial Group Pty Ltd from December 2017 to May 2018.
    Prior to October 2018, RI was a wholly-owned subsidiary of ANZ Bank. It then became a wholly-owned subsidiary of IOOF Holdings Limited as one of four financial planning dealer groups sold by ANZ under an AU$975 million deal.
    ASIC alleges that Frontier was subject to a brute force attack whereby a malicious user successfully gained remote access to Frontier’s server. ASIC alleges the actor spent more than 155 hours logged into the server, which contained sensitive client information including identification documents.
    The financial watchdog alleges that RI, including its authorised representatives, failed to implement adequate policies, systems, and resources that are reasonably appropriate to manage risk in respect of cybersecurity and cyber resilience.
    With the proceedings being launched on Friday, ASIC is seeking declarations that RI contravened certain provisions of the Corporations Act, orders that RI pay a civil penalty, and compliance orders for RI to implement systems that are “reasonably appropriate to adequately manage risk in respect of cybersecurity and cyber resilience and provide a report from a suitably qualified independent expert confirming that such systems have been implemented”.
    A report from ASIC in December found that while awareness and management of cybersecurity risk were improving in Australia’s financial market, there was still room for improvement across the entire sector.
    “Organisations are alert to cybersecurity threats to their business and have focused their resources and efforts on improving their cybersecurity governance, risk management, and response and recovery capabilities,” the watchdog wrote.


    University of Utah pays $457,000 to ransomware gang

    Image via University of Utah; Composition: ZDNet

    The University of Utah revealed today that it paid a ransomware gang $457,059 in order to avoid having hackers leak student information online.
    The incident is the latest in a long string of ransomware attacks in which criminal groups steal sensitive files from the hacked companies before encrypting them and, if victims refuse to pay, threaten to release the stolen documents as a second extortion scheme.
    Unfortunately, this is exactly what happened in the case of the University of Utah. In a statement posted on its website today, the university said it actually dodged a major ransomware incident and that the hackers managed to encrypt only 0.02% of the data stored on its servers.
    The university said its staff restored from backups; however, the ransomware gang threatened to release student-related data online, which, in turn, made university management re-think their approach towards not paying the attackers.
    “After careful consideration, the university decided to work with its cyber insurance provider to pay a fee to the ransomware attacker,” the university said today.
    “This was done as a proactive and preventive step to ensure information was not released on the internet.
    “The university’s cyber insurance policy paid part of the ransom, and the university covered the remainder. No tuition, grant, donation, state or taxpayer funds were used to pay the ransom,” University of Utah officials added.
    University officials also provided details about the attack today, such as the date when it took place (July 19, 2020), and what part of the network it impacted (the network of the university’s College of Social and Behavioral Science [CSBS]).
    However, the university did not reveal which ransomware gang was behind the attack.
    All signs point to NetWalker
    Brett Callow, a threat analyst at cyber-security firm Emsisoft, told ZDNet today that, although lacking concrete evidence, the NetWalker ransomware gang is most likely behind the attack.
    This particular group, which is believed to have made more than $25 million from ransom payments this year, has been behind a recent wave of attacks against university networks, such as the attacks against Michigan State, the University of California at San Francisco (paid $1.14 million), Columbia College Chicago, and the City University of Seattle.
    But Callow also took issue with University of Utah officials paying the attackers to stop a data leak, warning that such a practice has few benefits.
    “Paying ransoms to prevent data being published seems to make little sense,” Callow told us.
    “All that organizations are paying for in this scenario is a pinky promise from a bad faith actor that the stolen data will be destroyed. Whether the groups do ever destroy data is something only they know, but I suspect they do not. Why would they? They may be able to monetize the information at a later date or use it for spear phishing or identity theft.”


    Instacart discloses security incident caused by two contractors

    Image: nrd (Unsplash), Instacart


    Grocery delivery and pick-up service Instacart disclosed a security incident caused by two employees working for a company providing tech support services for Instacart shoppers.
    According to a press release published today, Instacart says the two employees “may have reviewed more shopper profiles than was necessary in their roles as support agents.”
    The company is now notifying 2,180 shoppers via email about the incident. The figure represents the Instacart user profiles the company believes the two employees might have needlessly accessed while working as tech support agents.
    Breach discovered following a routine audit
    Instacart said it learned of the two support agents’ breach of procedure during a routine security audit.
    The grocery delivery service said a subsequent forensic investigation did not find any evidence the two support agents had downloaded or digitally copied data from its systems.
    Nonetheless, Instacart said that it took drastic measures when it came to dealing with the support agents and the company that hired them.
    “First, we immediately worked with our third-party support vendor to ensure that their two employees will never work on behalf of Instacart again,” Instacart said today.
    “Second, we suspended work at this third-party support location and have since ceased local operations indefinitely.”
    Second security incident this year
    This is the second security incident that Instacart had to deal with this summer. In July, hackers put up for sale the details of 278,531 Instacart accounts on a dark web marketplace.
    The sold data included names, delivery addresses, the last four digits of credit card numbers, and order histories, according to Buzzfeed.
    Instacart acknowledged the incident two days later, in a press release, and blamed it on a credential stuffing attack, accusing users of reusing passwords across online accounts.


    Former Uber CSO charged for 2016 hack cover-up

    Uber’s former chief security officer was charged on Thursday for covering up the company’s 2016 security breach, during which hackers stole the personal details of 57 million Uber customers and the details of 600,000 Uber drivers.
    Prosecutors in Northern California are charging Joe Sullivan, 52, who served as Uber CSO between April 2015 and November 2017, when Uber changed its CEO and most of its management team.
    According to court documents, DOJ officials claim that Sullivan “took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the [2016] breach.”
    Speaking at a press conference today (see video below), US Attorney for the Northern District of California David Anderson said that by hiding the Uber hack from authorities and management, Sullivan indirectly helped the hackers breach other companies.
    “This office charged the hackers last year, and they pleaded guilty,” Anderson said. “In their guilty pleas, the hackers admitted to hacking other companies using similar techniques to those used in the Uber hack.
    “If Sullivan had promptly reported the Uber hack, those other hacks of those other companies may have been prevented,” Anderson said.
    [embedded content]
    How the 2016 Uber hack unfolded
    But to understand what happened behind the scenes, we must combine details put forward by the DOJ today and court documents from the DOJ’s case against the Uber hackers — namely, Brandon Glover, 26, an American from Florida, and Vasile Mereacre, 23, a Canadian from Toronto.
    Per these two sets of documents, the Uber hack took place after the two hackers used a custom-built tool to gain access to GitHub accounts.
    Glover and Mereacre specifically targeted the accounts of employees working for large corporations, gained access to their GitHub profiles, and then searched through the employee’s projects for sensitive passwords and credentials.
    This is how the two hackers got their hands on Amazon Web Services (AWS) credentials for Uber’s backend infrastructure, where they found and subsequently downloaded details for 57 million Uber customers and 600,000 Uber drivers.
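    A defender’s counterpart to the credential hunting described above, added here as an example and not taken from the court documents or from Uber’s own tooling: a small scanner that a pre-commit hook or repository audit could run to catch AWS key material before it is pushed. The file contents are constructed, and the key pair is AWS’s published example credential, which cannot authenticate.

```python
import math
import re

# Constructed sample repository contents. The key pair is AWS's own documented
# example credential (it cannot authenticate), used only to exercise the scanner.
SAMPLE_REPO = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "tests/fixtures.py": (
        "# placeholder used by unit tests, not a real secret\n"
        "AWS_SECRET_ACCESS_KEY = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'\n"
    ),
    "src/upload.py": (
        "import os\n"
        "key = os.environ['AWS_ACCESS_KEY_ID']  # read from the environment, fine\n"
    ),
}

# AWS access key IDs have a fixed, recognisable shape; secret keys do not,
# so they are matched through the variable name they are usually assigned to.
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})", re.IGNORECASE
)
MIN_SECRET_ENTROPY = 3.5  # bits per character; real secrets sit well above this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; low values indicate repetitive placeholders."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(token: str) -> str:
    """Keep only the ends so a finding can be located without re-leaking the value."""
    return token[:4] + "*" * (len(token) - 8) + token[-4:]


def scan_text(path: str, text: str) -> list:
    """Return one finding per credential-looking token in a single file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "aws_access_key_id", "value": redact(m.group(1))})
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            if shannon_entropy(candidate) < MIN_SECRET_ENTROPY:
                continue  # looks like a placeholder, not a credential
            findings.append({"path": path, "line": lineno,
                             "kind": "aws_secret_access_key", "value": redact(candidate)})
    return findings


def scan_repo(files: dict) -> list:
    """Scan every file in a {path: content} mapping, e.g. the staged files of a commit."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f['path']}:{f['line']} {f['kind']} {f['value']}")
```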
    Per court documents, the two hackers reached out to Sullivan via email, claiming they “found a major vulnerability,” provided a sample of the stolen data, and then requested a $100,000 payment in bitcoin to reveal the company’s security hole.
    Court documents unsealed today reveal that at the time Sullivan received this email, on November 14, Sullivan had just submitted a written testimony to the FTC about a 2014 security breach, during which a hacker stole the names and driver’s licenses of about 50,000 drivers.
    Prosecutors say that Sullivan and his security team confirmed the validity of the hackers’ sample data within 24 hours of receiving the email, but instead of notifying the FTC of this new security breach, Sullivan agreed to pay the hackers’ “hush money.”
    Court documents filed today show conversations Sullivan had with then-Uber CEO Travis Kalanick about the security breach, with Kalanick giving the go-ahead for the hackers to receive their ransom in the form of a bug bounty program payout.

    Investigators say that Sullivan proceeded with this plan and arranged for the hackers to sign a non-disclosure agreement even without knowing their real names. This initial contract was signed, and the bounty paid in December 2016 via the company’s HackerOne bug bounty program.
    However, US prosecutors say that when Uber’s security team tracked down and identified the two hackers, instead of notifying authorities, Sullivan had the two hackers re-sign their confidentiality agreement in their true names.
    Furthermore, the DOJ complaint claims that Sullivan insisted on the hackers signing a contract that claimed they had not taken any of Uber’s data, knowing this statement was false.
    “When an Uber employee asked Sullivan about this false promise, Sullivan insisted that the language stay in the non-disclosure agreements,” the DOJ said today in a press release.
    New management comes in, exposes hack
    Things then calmed down, but only until August 2017, when Uber’s board ousted Kalanick and replaced him with Dara Khosrowshahi.
    The DOJ says that Sullivan notified the new management team about the 2016 security incident, but continued to cover up the hack.
    “Specifically, Sullivan failed to provide the new management team with critical details about the breach,” the DOJ said. “In September 2017, Sullivan briefed Uber’s new CEO about the 2016 incident by email. Sullivan asked his team to prepare a summary of the incident, but after he received their draft summary, he edited it. His edits removed details about the data that the hackers had taken and falsely stated that payment had been made only after the hackers had been identified.”
    But despite the issue having been resolved, the new Uber CEO disclosed the breach to the public in November 2017. This disclosure was followed by an FBI investigation, which quickly identified and arrested the hackers, both of whom pleaded guilty in October 2019.
    As the FBI investigated and gained access to the company’s internal communications, they also started to understand Sullivan’s role in covering up the 2016 breach.
    “Silicon Valley is not the Wild West,” said Anderson today. “We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”
    Sullivan was charged today with obstruction of justice and misprision of a felony in connection to the 2016 hack and subsequent cover-up. If found guilty on both charges, Sullivan risks maximum prison sentences of five and three years, respectively.
    As NPR pointed out today, before serving as CSO at Uber, Sullivan had spent two years prosecuting computer hacking crimes as an assistant US Attorney in the very same office that charged him today.


    ATM makers Diebold and NCR deploy fixes for 'deposit forgery' attacks

    Image: Peggy_Marco on Pixabay

    Two of today’s biggest ATM manufacturers, Diebold Nixdorf and NCR, have released software updates to address bugs that could have been exploited for “deposit forgery” attacks.
    Deposit forgery attacks happen when fraudsters can tamper with an ATM’s software to modify the amount and value of currency being deposited on a payment card.
    Such attacks are usually followed by quick cash withdrawals, either during weekends or via transactions at other banks, with the fraudsters trying to capitalize on the nonexistent funds before banks detect any errors in account balances.
    Two similar bugs impact Diebold Nixdorf and NCR ATMs
    Deposit forgery bugs are rare, but two were discovered last year and patched this year. Diebold Nixdorf patched CVE-2020-9062, an issue impacting ProCash 2100xe USB ATMs running Wincor Probase software, while NCR patched CVE-2020-10124, a bug in SelfServ ATMs running APTRA XFS software.
    At their core, both bugs are identical, according to advisories published today by the CERT Coordination Center at Carnegie Mellon University.
    CERT/CC says the ATMs do not encrypt, authenticate, or verify the integrity of messages sent between the ATM cash deposit boxes and the host computer.
    An attacker with physical access to the ATM can connect to this link and tamper with the messages while cash is being deposited, artificially inflating the deposited funds.
    Diebold and NCR have secured their devices by releasing software updates that have hardened the communications between the cash deposit module and the host computer.
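    The weak and the hardened message designs side by side, as an added illustration and not either vendor’s actual protocol (the page does not describe the real message format): the legacy host credits whatever amount arrives, while the hardened host verifies an HMAC tag over every field and rejects replays. The shared key and the JSON layout are assumptions made for this example.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical key shared by the cash deposit module and the host computer,
# constructed for this example; the vendors' real message format is not on the page.
SHARED_KEY = b"per-device-key-provisioned-at-installation"


def canonical(fields: dict) -> bytes:
    """Deterministic encoding so both ends authenticate exactly the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def legacy_deposit_message(session: str, amount_cents: int) -> bytes:
    """Weak design: the amount travels in the clear with nothing protecting it."""
    return canonical({"session": session, "amount_cents": amount_cents})


def legacy_host_accept(wire: bytes) -> int:
    """Weak host: credits whatever amount arrives, so a modified message is believed."""
    return json.loads(wire)["amount_cents"]


def signed_deposit_message(session: str, amount_cents: int, key: bytes = SHARED_KEY) -> bytes:
    """Hardened design: a fresh nonce per message and an HMAC-SHA256 tag over every field."""
    body = {"session": session, "amount_cents": amount_cents, "nonce": secrets.token_hex(16)}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return canonical({"body": body, "tag": tag})


class HardenedHost:
    """Verifies the tag before trusting any field and refuses replayed messages."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.seen_nonces = set()

    def accept(self, wire: bytes):
        """Return the amount to credit, or None when the message must be rejected."""
        msg = json.loads(wire)
        body, tag = msg.get("body", {}), msg.get("tag", "")
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None  # a field was altered in transit or the tag was not made with the key
        if body.get("nonce") in self.seen_nonces:
            return None  # a genuine earlier deposit being replayed
        self.seen_nonces.add(body["nonce"])
        return body["amount_cents"]


def altered_amount(wire: bytes, new_amount_cents: int) -> bytes:
    """Test helper standing in for an in-transit modification of the amount field."""
    msg = json.loads(wire)
    (msg["body"] if "body" in msg else msg)["amount_cents"] = new_amount_cents
    return canonical(msg)


if __name__ == "__main__":
    legacy = legacy_deposit_message("s1", 2000)
    print("legacy credits:", legacy_host_accept(altered_amount(legacy, 2_000_000)))
    host = HardenedHost()
    good = signed_deposit_message("s1", 2000)
    print("hardened, genuine:", host.accept(good))
    print("hardened, altered:", host.accept(altered_amount(good, 2_000_000)))
    print("hardened, replayed:", host.accept(good))
```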
    Disclosure and reporting delayed due to sanctions
    Both vulnerabilities, and others, have been discovered by security researchers working at Embedi, a Moscow-based security firm that was sanctioned by the US Treasury Department in June 2018 for allegedly working with the Federal Security Service (FSB), Russia’s top intelligence agency, to bolster Russia’s “offensive cyber capabilities.”
    Before working with Embedi researchers on coordinating the public disclosure of these bugs, the CERT/CC at CMU had to obtain a special permit from the Office of Foreign Assets Control (OFAC) at the US Treasury Department.


    Google fixes major Gmail bug seven hours after exploit details go public

    Google has patched on Wednesday a major security bug impacting the Gmail and G Suite email servers.
    The bug could have allowed a threat actor to send spoofed emails mimicking any Gmail or G Suite customer.
    According to security researcher Allison Husain, who found and reported this issue to Google in April, the bug also allowed attackers to pass the spoofed emails as compliant with SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance), two of the most advanced email security standards.
    Google delayed patches, despite a four-month heads-up
    However, despite having 137 days to fix the reported issue, Google initially delayed patches past the disclosure deadline, planning to fix the bug somewhere in September.
    Google engineers changed their mind yesterday after Husain published details about the bug on her blog, including proof-of-concept exploit code.
    Seven hours after the blog post went live, Google told Husain it had deployed mitigations to block any attacks leveraging the reported issue while it waited for the final patches to roll out in September.
    In hindsight, yesterday’s patching snafu is a common occurrence in the tech industry, where companies and their security teams often do not fully grasp the severity and repercussions of leaving a vulnerability unpatched until details about the bug become public and it stands to be exploited.
    How the Gmail (G Suite) bug worked
    As for the bug itself, the issue is actually a combination of two factors, as Husain explains in her blog post.
    The first is a bug that lets an attacker send spoofed emails to an email gateway on the Gmail and G Suite backend.
    The attacker can run or rent a malicious email server on the Gmail and G Suite backend, allow this email through, and then use the second bug.
    This second bug allows the attacker to set up custom email routing rules that take an incoming email and forward it, while also spoofing the identity of any Gmail or G Suite customer using a native Gmail/G Suite feature named “Change envelope recipient.”
    The benefit of using this feature for forwarding emails is that Gmail/G Suite also validates the spoofed forwarded email against SPF and DMARC security standards, helping attackers authenticate the spoofed message. See Husain’s graph below for a breakdown of how the two bugs can be combined.

    Image: Allison Husain
    “Additionally, since the message is originating from Google’s backend, it is also likely that the message will have a lower spam score and so should be filtered less often,” Husain said, while also pointing out that the two bugs are unique to Google only.
    If the bug had been left unpatched, ZDNet has no doubt that the exploit would have most likely been widely adopted by email spam groups, BEC scammers, and malware distributors.
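    A worked model of why a message that leaves Google’s backend passes SPF and DMARC, added here as an example rather than anything from Husain’s post: SPF only checks the connecting IP against the MAIL FROM domain’s record, so once the envelope sender has been rewritten and the message is relayed by infrastructure the spoofed domain already authorises, the SPF leg of DMARC passes and aligns. The SPF records, domains and addresses are constructed, and the evaluator handles only the ip4 and include mechanisms.

```python
import ipaddress

# Constructed SPF records in RFC 7208 syntax. The provider record stands in for
# a shared mail provider that many customer domains include; none are real records.
SPF_RECORDS = {
    "victim.example": "v=spf1 include:_spf.provider.example -all",
    "_spf.provider.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "attacker.example": "v=spf1 ip4:198.51.100.7 -all",
}


def spf_check(client_ip: str, mailfrom_domain: str, depth: int = 0) -> str:
    """Minimal SPF evaluator: 'pass', 'fail', or 'none' when no record exists."""
    record = SPF_RECORDS.get(mailfrom_domain)
    if record is None or depth > 10:  # depth guard mirrors RFC 7208's lookup limit
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term.startswith("include:"):
            if spf_check(client_ip, term[8:], depth + 1) == "pass":
                return "pass"
        elif term in ("-all", "~all", "?all"):
            return "fail"
    return "fail"


def org_domain(domain: str) -> str:
    """Relaxed-alignment approximation: last two labels (real DMARC uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_spf_result(client_ip: str, mailfrom_domain: str, header_from_domain: str) -> dict:
    """DMARC's SPF leg: SPF must pass AND the MAIL FROM domain must align with From:."""
    spf = spf_check(client_ip, mailfrom_domain)
    aligned = org_domain(mailfrom_domain) == org_domain(header_from_domain)
    return {"spf": spf, "aligned": aligned, "dmarc_spf_pass": spf == "pass" and aligned}


if __name__ == "__main__":
    # Three deliveries that all carry "From: someone@victim.example":
    cases = [
        ("direct from attacker host", "198.51.100.7", "victim.example"),
        ("attacker's own envelope domain", "198.51.100.7", "attacker.example"),
        ("relayed by the shared provider", "203.0.113.10", "victim.example"),
    ]
    for label, ip, mailfrom in cases:
        print(label, dmarc_spf_result(ip, mailfrom, "victim.example"))
```

    The third case is the one the mitigation had to close on the server side: nothing in the receiving domain’s own SPF or DMARC configuration distinguishes legitimate provider traffic from a relayed spoof.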

    To summarize @ezhes_ s work, using an attacker-owned domain you can abuse G Suite’s “default routing” & “inbound gateway” settings to spoof ANY other G Suite domain and pass SPF/DMARC. So you can impersonate Larry Page, Intuit, or my grandma’s gmail. This is a BEC gold mine (2/n)
    — Josh Kamdjou (@jkamdjou) August 20, 2020

    Google’s mitigations have been deployed server-side, which means Gmail and G Suite customers don’t need to do anything.


    Transparent Tribe APT targets government, military by infecting USB devices

    Transparent Tribe is involved in campaigns against government and military personnel, revealing a new tool designed to infect USB devices and spread to other systems. 

    The advanced persistent threat (APT) group, as previously tracked by Proofpoint (PDF), has been in operation since at least 2013 and has previously been connected to attacks against the Indian government and military.
    Recently, the APT has shifted its focus to Afghanistan; however, researchers have documented its presence in close to 30 countries.
    Also known as PROJECTM and MYTHIC LEOPARD, Transparent Tribe is described as a “prolific” group involved in “massive espionage campaigns.”
    Transparent Tribe is focused on surveillance and spying, and to accomplish these ends, the group is constantly evolving its toolkit depending on the intended target, Kaspersky said in a blog post on Thursday. 
    The attack chain starts off in a typical way, via spear-phishing emails. Fraudulent messages are sent together with malicious Microsoft Office documents containing an embedded macro that deploys the group’s main payload, the Crimson Remote Access Trojan (RAT). 
    If a victim falls for the scheme and enables macros, the custom .NET Trojan launches and performs a variety of functions, including connecting to a command-and-control (C2) server for data exfiltration and remote malware updates, stealing files, capturing screenshots, and compromising microphones and webcams for audio and video surveillance. 
    Kaspersky says the Trojan is also able to steal files from removable media, log keystrokes, and harvest credentials stored in browsers.
    The Trojan comes in two versions, compiled in 2017, 2018, and at the end of 2019, suggesting the malware is still in active development.
    Transparent Tribe also makes use of other .NET malware and a Python-based Trojan called Peppy, but a new USB attack tool is of particular interest. 
    USBWorm is made up of two main components, a file stealer for removable drives and a worm feature for jumping to new, vulnerable machines. 
    If a USB drive is connected to an infected PC, a copy of the Trojan is quietly installed on the removable drive. The malware lists all directories on the drive and places a copy of the Trojan in the drive’s root directory. The directory attribute is then changed to “hidden”, and a fake Windows directory icon is used to lure victims into clicking on and executing the payload when they attempt to access the directories.
    “This results in all the actual directories being hidden and replaced with a copy of the malware using the same directory name,” the researchers note. 
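    Detection logic for the folder-shadowing pattern the researchers describe, added here as an example and not Kaspersky’s code: a directory that has a same-named executable sitting beside it, especially one carrying the hidden attribute, is the artefact this worm leaves on a drive. The drive layout is constructed in a temporary directory, the lure file is an inert placeholder, and the dot-prefix fallback for “hidden” on non-Windows systems is an assumption of this example.

```python
import os
import stat
import tempfile

# File types a lure with a folder icon typically uses; .exe is the documented case.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}


def is_hidden(path: str) -> bool:
    """Windows 'hidden' attribute when the platform exposes it; elsewhere a dot prefix
    is used as a stand-in (assumption for this example)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2):
        return True
    return os.path.basename(path).startswith(".")


def shadowed_directories(folder: str) -> list:
    """Directories in `folder` that have a same-named executable file beside them,
    the layout left behind when a folder is hidden and replaced by a lure."""
    with os.scandir(folder) as it:
        entries = list(it)
    dirs = {e.name: e for e in entries if e.is_dir(follow_symlinks=False)}
    findings = []
    for e in entries:
        if not e.is_file(follow_symlinks=False):
            continue
        stem, ext = os.path.splitext(e.name)
        if ext.lower() in EXECUTABLE_EXTS and stem in dirs:
            findings.append({
                "directory": dirs[stem].path,
                "lure": e.path,
                "directory_hidden": is_hidden(dirs[stem].path),
            })
    return findings


def scan_drive(root: str) -> list:
    """Walk the whole removable drive; the worm targets the root, but the same
    check is cheap enough to run in every folder."""
    findings = []
    for folder, _subdirs, _files in os.walk(root):
        findings.extend(shadowed_directories(folder))
    return findings


def build_demo_drive() -> str:
    """Constructed stand-in for an infected USB stick (no real malware involved):
    'Photos' has been shadowed by 'Photos.exe'; 'Notes' only has an innocent text file."""
    root = tempfile.mkdtemp(prefix="usb_demo_")
    os.mkdir(os.path.join(root, "Photos"))
    os.mkdir(os.path.join(root, "Notes"))
    with open(os.path.join(root, "Photos.exe"), "wb") as f:
        f.write(b"MZ placeholder bytes, not an executable")
    with open(os.path.join(root, "Notes.txt"), "w") as f:
        f.write("shopping list\n")
    return root


if __name__ == "__main__":
    for hit in scan_drive(build_demo_drive()):
        flag = "HIDDEN" if hit["directory_hidden"] else "visible"
        print(f"{hit['lure']} shadows {hit['directory']} ({flag})")
```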
    Over 200 samples of Transparent Tribe Crimson components were detected between June 2019 and June 2020. 
    “During the last 12 months, we have observed a very broad campaign against military and diplomatic targets, using a big infrastructure to support its operations and continuous improvements in its arsenal,” commented Kaspersky researcher Giampaolo Dedola. “We don’t expect any slowdown from this group in the near future.”
    Earlier this month, Kaspersky documented ongoing campaigns launched by CactusPete. Also known as Karma Panda, the APT has been tracked across a number of countries while performing cyberespionage and data theft. Cisco Talos suspects the group may be linked to the Chinese military. 



    Bug bounty platform ZDI awarded $25m to researchers over the past 15 years

    Image: ZDI

    Bug bounty platform pioneer Zero-Day Initiative (ZDI) said it awarded more than $25 million in bounty rewards to security researchers over the past decade and a half.
    In an anniversary post celebrating its 15th birthday, ZDI said the bounty rewards represent payments to more than 10,000 security researchers for more than 7,500 successful bug submissions.
    Most of these bugs were filed through the ZDI’s vendor-agnostic bug bounty platform, but many were also acquired through Pwn2Own, a yearly hacking contest that ZDI organizes.
    A short history of ZDI
    While certainly not the first bug bounty program, ZDI is the first program to have built a sustainable business model around its platform.
    ZDI got off the ground in 2005 when it was set up as a special project inside 3Com, a vendor of computer and networking gear. The program operated by paying security researchers for vulnerability reports in popular software products.
    At the time, this was a ground-breaking concept.
    While today all the big major tech companies, and even the smaller ones, have a bug bounty program, in 2005, none of those programs were yet up and running.
    In the 2000s, security researchers had to individually contact security teams at each company and report vulnerabilities, without any promise of any monetary reward.
    This process was usually time-consuming, and more often than not resulted in bugs not getting fixed, security researchers skipping the bug reporting process altogether, or bug hunters receiving legal threats if they planned to go public about their findings.
    But when ZDI began operating at scale, the platform finally provided a way for security researchers to (1) get paid and (2) leave the bug reporting process to ZDI and avoid getting sued.
    Backed by 3Com, ZDI served as the perfect intermediary, and its parent company was also turning a profit from the program, as 3Com engineers would incorporate the bug reports received via ZDI into TippingPoint, a security product that often provided protections for exploits months before competitors.
    Over the years, ZDI expanded and grew. The program moved to HP, when Hewlett-Packard acquired 3Com, was spun into Hewlett-Packard Enterprise (HPE), and finally moved under Trend Micro’s parentage in 2015, when the security firm acquired TippingPoint from HPE.
    Leading bug bounty program today
    Today, the program is the most successful bug bounty platform in history and has been recognized as the world’s leading vulnerability research organization for the past 13 years in a row.
    According to a report from Omdia published last month, ZDI was responsible for more than half of all the vulnerability disclosures in 2019, more than any other vendor or bug bounty platform.
    Furthermore, ZDI has also expanded into running hacking contests, and since 2007 has been managing the renowned Pwn2Own hacking competition.
    While it started with one contest per year, ZDI now runs three separate Pwn2Own contests, with one focused on business software and operating systems, a second on mobile devices and IoT, and a third dedicated to ICS/SCADA products.
    Pwn2Own is today’s best-funded hacking competition, with the biggest rewards on the market, and the reason why all the major security teams and researchers attend its editions, year in, year out.
    And in true ZDI fashion, all the vulnerabilities reported during the contest are reported to vendors, and researchers are paid for their findings.