More stories


    Working from home causes surge in security breaches, staff 'oblivious' to best practices

    The COVID-19 pandemic shows little sign of slowing down, and for many businesses, employees are still working remotely and from home offices. 

    While some companies are gearing up to reopen their standard office spaces in the coming months, and face all the challenges of doing so safely, they may also be facing the repercussions of the rapid shift to remote working models in the cybersecurity space. 
    In the clamor to ensure employees could do their jobs from home, the enterprise needed to make sure members of staff had the right equipment as well as network and resource access.
    However, according to Malwarebytes, the rushed response to COVID-19 in the business arena has created massive gaps in cybersecurity — and security incidents have increased as a result. 
    See also: Working from home 101: Every remote worker’s guide to the essential tools for telecommuting
    On Thursday, the cybersecurity firm released a report (.PDF), “Enduring from Home: COVID-19’s Impact on Business Security,” examining the impact of the novel coronavirus in the security world. 
    Company telemetry and a survey conducted with 200 IT and cybersecurity professionals suggest that since the start of the pandemic, remote workers have caused a security breach in 20% of organizations. 
    As a result, 24% of survey respondents added that their organizations had to pay unexpected costs to address cybersecurity breaches or malware infections after shelter-in-place orders were imposed. 
    In total, 18% of those surveyed said cybersecurity was not a priority, and 5% went further — admitting their staff were “oblivious” to best security practices.
    According to the cybersecurity firm, business email compromise, the quick shift to cloud services — which may include improperly-configured buckets or access controls — and improperly secured corporate Virtual Private Networks (VPNs) are all contributing to the emerging issue. 
    In addition, phishing email rates relating to COVID-19 have surged, with thousands of separate campaigns and fraudulent domains connected to the pandemic coming under the scrutiny of multiple security firms. 
    Key workers at the UK National Health Service (NHS), for example, were hit with roughly 40,000 spam and phishing attempts between March and the first half of July, at the height of the pandemic in the country. 
    Malwarebytes cited NetWiredRC and AveMaria, remote desktop access-capable malware families, as common payloads for COVID-19-related phishing schemes. 
    Roughly 75% of survey respondents were positive about the transition to remote working, but 45% said that no additional security checks or audits were performed to check the security posture of these necessary changes. In addition, while 61% of organizations did provide their staff with remote working devices, 65% did not consider the deployment of any new security tools together with the equipment. 

    “Threat actors are adapting quickly as the landscape shifts to find new ways to capitalize on the remote workforce,” said Adam Kujawa, director at Malwarebytes Labs. “We saw a substantial increase in the use of cloud and collaboration tools, paired with concerns about the security of these tools. This tells us that we need to closely evaluate cybersecurity in relation to these tools, as well as the vulnerabilities of working in dispersed environments, in order to mitigate threats more effectively.”



    Australia's CyberCX launches New Zealand chapter

    Australian cybersecurity megamix CyberCX will be launching a new chapter in New Zealand, expanding to its first international market since it was stood up less than a year ago.
    CyberCX, backed by private equity firm BGH Capital, in October brought together 12 of Australia’s independent cybersecurity brands: Alcorn, Assurance, Asterisk, CQR, Diamond, Enosys, Klein&Co., Phriendly Phishing, Sense of Security, Shearwater, TSS, and YellIT.
    It is headed by Alastair MacGibbon, former head of the Australian Cyber Security Centre (ACSC) and once special adviser on cybersecurity to former Prime Minister Malcolm Turnbull, as well as CEO John Paitaridis, who was formerly Optus Business’ managing director.
    It has since grown, with CyberCX scooping up two Melbourne-based startups, Basis Networks and Identity Solutions, earlier this year.
    The move across the Tasman is touted by CyberCX as cementing its position as the region’s “leading cybersecurity player”, creating a full-service cybersecurity operator in New Zealand.
    See also: Former PM Turnbull suggests Australia boosts its cyber capability by buying local
    “New Zealand is a natural market focus for CyberCX. With the exponential growth in the number of cyber attacks on Australian and New Zealand businesses and government agencies, and the aggressive tactics we are seeing from threat actors, we need to significantly bolster our trans-Tasman cyber capability to secure our companies and sovereign interests, in particular Australian and New Zealand critical infrastructure including utilities, agricultural, financial systems, logistics, and supply chain,” Paitaridis said.
    “Never has this been more important than during the COVID-19 pandemic.”
    CyberCX said it will introduce a full suite of cybersecurity services, delivered by a local workforce, to protect and defend New Zealand’s businesses, enterprises, and government agencies.
    The New Zealand operation will be headed up by Grant Smith, who previously founded Gen2 Consulting and DMZGlobal. DMZGlobal is now the specialist security division of Vodafone New Zealand.
    As its CEO, Smith said the plan for CyberCX NZ will be to increase its local workforce to more than 100 employees in the next year; expand offices in Wellington and Auckland, followed by opening an office in Christchurch; and invest in developing a New Zealand security operations centre capability and local cyber workforce development.
    “It is time that Australia and New Zealand had its own cybersecurity company, a national champion at scale, able to defend and protect our local businesses and economies. For too long we have relied on international companies for cyber services, where their interests don’t always align,” Paitaridis added.
    “We are fiercely independent and driven by our purpose to protect the communities we serve. We are uniquely focused on delivering mission critical cyber security services to New Zealand and Australia leveraging our 500 plus cyber security specialists on both sides of the Tasman.”


    HealthEngine fined for sharing patient data without consent and skewing its reviews

    HealthEngine Pty Ltd has been ordered by the Federal Court to pay AU$2.9 million in penalties, following allegations it shared patient information and skewed its reviews.
    The Federal Court found the Perth-based company engaged in misleading conduct in relation to the sharing of patient personal information with private health insurance brokers and publishing misleading patient reviews and ratings. 
    HealthEngine provides a booking system for patients and an online health care directory that lists over 70,000 health practices and practitioners in Australia. The directory allows patients to search for and book appointments with health practitioners.
    The company, which describes itself as Australia’s largest online health marketplace, admitted that between 30 April 2014 and 30 June 2018 it gave non-clinical personal information such as names, dates of birth, phone numbers, and email addresses of over 135,000 patients to third party private health insurance brokers without providing adequate disclosure to consumers.
    Such arrangements with private health insurance brokers saw HealthEngine pocket over AU$1.8 million.
    In addition to the near AU$3 million fine, HealthEngine was also ordered to contact affected consumers and provide details of how they could “regain control of their personal information”.
    See also: Australian privacy law amendments to cover data collection and use by digital platforms
    “These penalties and other orders should serve as an important reminder to all businesses that if they are not upfront with how they will use consumers’ data, they risk breaching the Australian Consumer Law,” Australian Competition and Consumer Commission (ACCC) chair Rod Sims said on Thursday.
    “The ACCC is very concerned about the potential for consumer harm from the use or misuse of consumer data.”
    In response, HealthEngine said personal, not clinical, information was provided to private health insurance comparison services when consumers specifically requested a call regarding a health insurance comparison. 
    “We did not make it sufficiently clear on the booking form that a third party, not HealthEngine, would be contacting them regarding the comparison and that we would be passing on consumer details for that to occur,” the company said. “This was an error and HealthEngine apologises for it.”  
    The ACCC began investigating HealthEngine in July 2018 and launched legal proceedings in August 2019, alleging the company was sharing consumer information with insurance brokers.
    In June 2018, it was reported that HealthEngine shared personal information with law firm Slater and Gordon, which was seeking clients for personal injury claims. It is believed the “referral partnership pilot” saw the startup, on average, give the law firm details of 200 clients a month between March and August 2017.
    According to the ABC, 40 HealthEngine users became Slater and Gordon clients. HealthEngine said the ACCC took no action with respect to that activity.
    The reports of the ill use of customer data followed claims that HealthEngine was skewing its own reviews.
    In mid-2018, it was reported that 53% of the 47,900 “positive” patient reviews on HealthEngine had been edited in some way, with many flipped to appear as positive customer feedback.
    “Negative feedback is not published but rather passed on confidentially and directly to the clinic completely unmoderated to help health practices improve moving forward,” HealthEngine CEO and founder Dr Marcus Tan said in a statement the company issued at the time.
    “We email all patients about their reviews being published and alert them to having possibly been moderated according to our guidelines.”
    The ACCC on Thursday said HealthEngine admitted that, between 31 March 2015 and 1 March 2018, it did not publish around 17,000 reviews and edited around 3,000 reviews to either remove negative aspects or embellish them.
    HealthEngine also admitted that it misrepresented to consumers the reasons why it did not publish a rating for some health or medical practices.
    “The ACCC was particularly concerned about HealthEngine’s misleading conduct in connection with reviews it published, because patients may have visited medical practices based on manipulated reviews that did not accurately reflect other patients’ experiences,” Sims said.
    The review feature was pulled in June 2018.
    “When the ACCC commenced proceedings against HealthEngine nearly a year ago, we acknowledged that our rapid early growth had sometimes outpaced our systems and processes and we sincerely apologised that we had not always met the high expectations of the community and our customers,” Tan said on Thursday. 
    “That apology still stands.
    “Good intentions do not excuse poor execution and this process has given us a greater understanding of our operational shortcomings, which we’ve addressed.”
    He claimed that HealthEngine never has, and never will, sell user databases to third parties. 
    “Further, the only time we provide clinical information to third parties is to a consumer’s nominated healthcare provider to deliver the healthcare services requested by that consumer,” Tan said.
    HealthEngine added it was confident that no adverse health outcomes were created by these issues and no clinical data has been shared with any private health insurance comparison service.
    HealthEngine admitted liability and made joint submissions with the ACCC to the Federal Court. The company will also pay a contribution to the ACCC’s legal costs, the watchdog said.
    Updated Thursday 20 August 2020 at 2:40pm AEST: Added comments from HealthEngine.


    Facebook tightens screws on QAnon and US militia groups

    Facebook said on Wednesday it tightened restrictions and booted off its service a number of groups related to the QAnon conspiracy theory, United States militia groups, and offline anarchist groups.
    “We already remove content calling for or advocating violence and we ban organisations and individuals that proclaim a violent mission,” Facebook said in a blog post.
    “However, we have seen growing movements that, while not directly organising violence, have celebrated violent acts, shown that they have weapons and suggest they will use them, or have individual followers with patterns of violent behaviour.”
    Facebook said it has removed in excess of 790 groups, 100 pages, and 1,500 ads relating to QAnon, and imposed restrictions on over 1,950 groups, 440 pages, and over 10,000 Instagram accounts.
    The company added it has removed 980 groups, 520 pages, and 160 from Facebook related to “militia organisations and those encouraging riots, including some who may identify as antifa”.
    The types of restrictions imposed are: Limiting pages, groups, and Instagram accounts from being recommended to other users; lowering rankings of content from restricted groups in the Facebook news feed; removing groups, pages, and accounts from being seen in typeahead search suggestions, and lowering the rankings in search results; preventing pages from running ads or selling products, with Facebook warning it will extend this to “prohibit anyone from running ads praising, supporting or representing these movements”; and preventing nonprofit and personal fundraising if they support the restricted groups.
    “While we will allow people to post content that supports these movements and groups, so long as they do not otherwise violate our content policies, we will restrict their ability to organise on our platform,” the company said.
    See also: Facebook comments manifest into real world as neo-luddites torch 5G towers
    Facebook said it has also pulled the related hashtag feature on Instagram while it works on “stronger protections”.
    In a White House briefing on Wednesday, US President Donald Trump was asked his thoughts on QAnon.
    “I’ve heard these are people that love our country,” he said.
    The President was then asked about the conspiracy theory behind the movement believing the world is run by a “satanic cult of paedophiles and cannibals”.
    “Well, I haven’t heard that. But is that supposed to be a bad thing or a good thing? I mean, if I can help save the world from problems, I’m willing to do it,” Trump said.
    “I’m willing to put myself out there. And we are actually. We’re saving the world from a radical left philosophy that will destroy this country, and when this country is gone, the rest of the world would follow.”
    At the start of the month, Facebook pulled down a video posted by Trump’s Facebook page, stating it had violated its COVID-19 misinformation policies.
    The video showed footage from a Fox News interview, where Trump was pushing for the reopening of schools. During the interview, he said children are “virtually immune” to coronavirus.
    “If you look at children, children are almost — and I would almost say definitely — but almost immune from this disease. So few — they’ve got stronger, hard to believe, and I don’t know how you feel about it, but they’ve got much stronger immune systems than we do somehow for this,” he said.
    “They just don’t have a problem.”
    Earlier this week, a suit was filed in San Francisco claiming censorship because Facebook was displaying fact-check messages on anti-vaccination posts.
    Facebook had previously taken a swing at banning some QAnon content in May, with Twitter following suit last month.


    Experian South Africa discloses data breach impacting 24 million customers


    The South African branch of consumer credit reporting agency Experian disclosed a data breach on Wednesday.
    The credit agency admitted to handing over the personal details of its South African customers to a fraudster posing as a client.
    While Experian did not disclose the number of impacted users, a report from South African Banking Risk Centre (SABRIC), an anti-fraud and banking non-profit, claimed the breach impacted 24 million South Africans and 793,749 local businesses.
    Experian said it reported the incident to local authorities, which were able to track down the individual behind the incident. Since then, Experian said it obtained a court order, “which resulted in the individual’s hardware being impounded and the misappropriated data being secured and deleted.”
    Experian said that none of the data has been used for fraudulent purposes before being deleted and that the fraudster did not compromise its infrastructure, systems, or customer database.
    “Our investigations indicate that an individual in South Africa, purporting to represent a legitimate client, fraudulently requested services from Experian,” the agency said in a statement.
    “Our investigations also show that the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services.”
    According to Experian, only personal information was exposed in the incident, and no financial or credit-related information was involved.
    The credit reporting agency described the shared data as “information which is provided in the ordinary course of business or which is publicly available.”
    Nonetheless, the data was deemed personal enough for South African privacy regulators to open a case in regards to the incident.


    CISA warns of BLINDINGCAN, a new strain of North Korean malware

    The US Cybersecurity and Infrastructure Security Agency (CISA) has published a security alert today containing details about a new strain of malware that was seen this year deployed by North Korean government hackers.
    This new malware was spotted in attacks that targeted US and foreign companies active in the military defense and aerospace sectors, sources in the infosec community have told ZDNet, with the attacks being documented in reports from McAfee (Operation North Star) and ClearSky (Operation DreamJob).
    The attacks followed the same pattern, with North Korean hackers posing as recruiters at big corporations in order to approach employees at the desired companies.
    Targeted employees were asked to go through an interviewing process, during which they’d usually receive malicious Office or PDF documents that North Korean hackers would use to deploy malware on the victim’s computers.
    The final payload in these attacks is the focal point of today’s CISA alert, a remote access trojan (RAT) that CISA calls BLINDINGCAN (called DRATzarus in the ClearSky report).
    CISA experts say North Korean hackers used the malware to gain access to victims’ systems, perform reconnaissance, and then “gather intelligence surrounding key military and energy technologies.”
    This was possible due to BLINDINGCAN’s broad set of technical capabilities, which allowed the RAT to:
    Retrieve information about all installed disks, including the disk type and the amount of free space on the disk
    Get operating system (OS) version information
    Get Processor information
    Get system name
    Get local IP address information
    Get the victim’s media access control (MAC) address
    Create, start, and terminate a new process and its primary thread
    Search, read, write, move, and execute files
    Get and modify file or directory timestamps
    Change the current directory for a process or file
    Delete malware and artifacts associated with the malware from the infected system
    The CISA alert includes indicators of compromise and other technical details that can help system administrators and security professionals set up rules to scan their networks for signs of compromise.
    This is the 35th time the US government has issued a security alert about North Korean malicious activity. Since May 12, 2017, CISA has published reports on 31 North Korean malware families on its website.
    North Korean government hackers have been one of the four most active threat actors that have targeted the US in recent years, together with Chinese, Iranian, and Russian groups.
    The US has been trying to dissuade attacks by criminally charging hackers from these countries or publicly calling out hacking activities that go beyond the realm of intelligence espionage.
    Earlier this year, in April, the US State Department stepped up its efforts to deter North Korean hacking by setting up a $5 million reward program for any information on North Korean hackers, their whereabouts, or their current campaigns.
    In a report published last month, the US Army revealed that many of North Korea’s hackers operate from abroad, not just from North Korea, from countries such as Belarus, China, India, Malaysia, and Russia.


    Tens of suspects arrested for cashing-out Santander ATMs using software glitch

    The FBI and local police have made tens of arrests across the tri-state area this week as part of a crackdown against multiple criminal gangs who exploited a glitch in the software of Santander ATMs to cash-out more money than was stored on cards.
    According to reports in local media, the bulk of the arrests took place in Hamilton (20 suspects), across towns in Morris County (19), and Sayreville (11). Smaller groups of suspects were also detained in Bloomfield, Robbinsville, and Holmdel, while reports of suspicious cash-outs were also recorded in Woodbridge, towns across Middlesex County, Boonton, Randolph, Montville, South Windsor, Hoboken, Newark, and even in New York City itself, in Brooklyn.
    Gangs exploited ATM software glitch
    Based on information ZDNet received from a Santander spokesperson, sources in the threat intelligence community, and details released by police departments in the affected towns, criminal gangs appear to have found a bug in the software of Santander ATMs.
    The bug allowed members of criminal groups to use fake debit cards or valid preloaded debit cards to withdraw more funds from ATMs than the cards were storing.

    We have been made aware of an ATM scam in which suspects are using Santander Bank ATM’s to fraudulently withdraw cash using fake debit cards. Since we have a branch in town (1765 Ellington Rd), we are asking any citizen using their ATM to use caution when withdrawing money (1/2)
    — South Windsor Police Department PIO (@SWPD_PIO) August 18, 2020

    Sources in the threat intel community have told ZDNet today that details about this particular software glitch had been initially kept private and shared or sold among members of ATM and banking fraud groups for days.

    Glitch details, however, did not remain secret for long, and, eventually, leaked online this week, being broadly shared in Telegram chat rooms, Instagram, and other social networks.
    As a result of details leaking uncontrolled, multiple criminal groups began exploiting the software bug, resulting in a sudden spike of ATM cash-outs at Santander banks, and prompting bank employees to investigate.
    The bank eventually figured out what was going on and filed complaints with authorities this week, with the FBI initiating a multi-jurisdictional investigation across New York, New Jersey, and Connecticut.
    Santander shut down all ATMs to prevent attacks
    To prevent further losses, Santander shut down all ATMs on Tuesday.

    “Santander is pleased to report that following yesterday’s events, branches are open and ATMs are back on-line, though ATMs are open to Santander customers only for the time being,” a Santander spokesperson told ZDNet via email today.
    “The bank hopes to have ATMs available to non-customers in the near future and we apologize for any inconvenience this may cause.
    “Customers should know that there has been no impact to their accounts, data or funds, and we continue to cooperate with law enforcement as they investigate this situation,” Santander said.
    The bank also added that all its employees are safe, referring to one incident where the members of a criminal gang had an argument about how to split the stolen money and got into a shoot-out among themselves after cashing out one of Santander’s ATMs, as CBS New York reported on Tuesday.


    Fake news on Covid-19 government initiatives boosts phishing in Brazil

    The spread of fake news relating to government initiatives around Covid-19 placed Brazil on a list of countries most affected by phishing attacks, according to new research on spam and phishing published by security firm Kaspersky.
    According to the report, about one in eight Internet users in Brazil (12.9%) accessed at least one link leading to websites with malicious content between April and June 2020. This is well above the global average of 8.26% over the same period.
    The massive increase in disinformation campaigns around supposed government initiatives relating to the pandemic is the main driver behind the increase, the security firm noted. An example of the scams sent to users in recent months mentioned in the report is an email with the false information that the government had suspended payments for energy bills during the pandemic, which included a link inviting users to register for the benefit.

    The recent trends place Brazil as the fifth country most affected by phishing on a list compiled by Kaspersky as part of the report. Venezuela tops the list, where 17.56% of users have clicked on a link leading to malicious content, followed by Portugal (13.51%), Tunisia (13.51%) and France (13.08%).
    A separate study by Kaspersky, released in July, suggests that Brazilians are more aware of Internet security risks, but still need to evolve their online behavior. The study, carried out in May and covering users with at least two connected devices, found that 48% have not improved their Internet security habits.
    This relaxed attitude to online security has three main reasons, according to the research: some 45% of Brazilians are not prioritizing this due to everyday pressures, despite recognizing that they should pay more attention to their security while using the Internet. Some 36% say they feel more secure while carrying out financial and business transactions online while 33% of Brazilians polled reported they don’t have anything of value to offer to cybercriminals.
    When it comes to how Brazilians deal with such threats, almost two thirds (62%) of Brazilians polled by Kaspersky stated they only install trusted apps on their devices, downloaded from sources including the Apple Store and Google Play. More than half (54%) said they run regular security checks on their mobile phones.