More stories

  •

    Windows and Linux servers targeted by new WatchDog botnet for almost two years

    Due to the recent rise in cryptocurrency trading prices, most internet-facing systems are under near-constant assault from crypto-mining botnets seeking to gain a foothold on unsecured systems and make a profit for their criminal overlords.

    The latest of these threats is a botnet named WatchDog. Discovered by Unit42, a security division at Palo Alto Networks, this crypto-mining botnet has been active since January 2019.
    Written in the Go programming language, researchers say they’ve seen WatchDog infect both Windows and Linux systems.
    The point of entry for their attacks has been outdated enterprise apps. According to an analysis of the WatchDog botnet operations published on Wednesday, Unit 42 said the botnet operators used 33 different exploits to target 32 vulnerabilities in software such as:
    Drupal
    Elasticsearch
    Apache Hadoop
    Redis
    Spring Data Commons
    SQL Server
    ThinkPHP
    Oracle WebLogic
    CCTV (it is currently unknown whether the target is a CCTV appliance or whether “cctv” is a moniker for something else).
    Based on details the Unit42 team was able to learn by analyzing the WatchDog malware binaries, researchers estimated the size of the botnet to be around 500 to 1,000 infected systems.
    Profits were estimated at 209 Monero coins, currently valued at around $32,000, but the real figure is believed to be much higher since researchers only managed to analyze a few binaries, and the WatchDog gang is thought to have used many more Monero addresses to collect their illegal crypto-mining funds.
    No credentials theft observed
    The good news for server owners is that WatchDog is not yet on par with recent crypto-mining botnets like TeamTNT and Rocke, which in recent months have added capabilities that allow them to extract credentials for AWS and Docker systems from infected servers.

    However, the Unit42 team warns that such an update is only a few keystrokes away for the WatchDog attackers.
    On infected servers, WatchDog usually runs with admin privileges and could perform a credentials scan & dump without any difficulty, if its creators ever wished to.
    To protect their systems against this new threat, the advice for network defenders is the same that security experts have been giving out for the past decade — keep systems and their apps up to date to prevent attacks using exploits for old vulnerabilities.

  •

    Masslogger Trojan reinvented in quest to steal Outlook, Chrome credentials

    A variant of the Masslogger Trojan is being used in attacks designed to steal Microsoft Outlook, Google Chrome, and messenger service account credentials. 

    On Wednesday, cybersecurity researchers from Cisco Talos said the campaign is currently focused on victims in Turkey, Latvia, and Italy, expanding activities documented in late 2020 which targeted users in Spain, Bulgaria, Lithuania, Hungary, Estonia, and Romania. 
    It appears that targets are changing on close to a monthly basis.
    Masslogger was first spotted in the wild in April 2020, distributed under licensing agreements struck in underground forums. However, the new variant is considered “notable” by Talos due to the use of a compiled HTML file format to trigger an infection chain. 
    Threat actors begin their attacks in a typical way, which is through phishing emails. In this attack wave, phishing messages masquerade as business-related queries and contain .RAR attachments. 
    When a victim opens the attachment, they find it split into multi-volume archives with the “r00” extension, a feature the researchers believe could be an effort to “bypass any programs that would block [an] email attachment based on its file extension.”
    A compiled HTML file, .CHM — the default format for legitimate Windows Help files — is then extracted which contains a further HTML file with embedded JavaScript code. At each stage, code is obfuscated, and eventually leads to a PowerShell script being deployed that contains the Masslogger loader. 

    The Masslogger Trojan variant, designed for Windows machines and written in .NET, will then begin the exfiltration of user credentials and is not picky in its targets — both home users and businesses are at risk, although it appears the operators are focusing on the latter. 
    After being loaded into memory as a gzip-compressed buffer, the malware begins harvesting credentials. Microsoft Outlook, Google Chrome, Firefox, Edge, NordVPN, FileZilla, and Thunderbird are among the applications targeted by the Trojan. 
    Stolen information can be sent through SMTP, FTP, or HTTP channels. Information uploaded to an exfiltration server includes the victim’s PC username, country ID, machine ID, and a timestamp, as well as records relating to configuration options and running processes. 
    “The observed campaign is almost entirely executed and present only in memory, which emphasizes the importance of conducting regular and background memory scans,” Talos says. “The only component present on disk is the attachment and the compiled HTML help file.”
    The researchers note that Masslogger is also able to act as a keylogger, but in this variant, it appears that the keylogging functionality has been disabled. 
    Cisco Talos believes that based on Indicators of Compromise (IoCs), the cyberattackers can also be linked to the past usage of AgentTesla, Formbook and AsyncRAT Trojans. 
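    The two on-disk artefacts Talos describes, split RAR volumes named with an “r00”-style extension and a compiled HTML help file inside them, are exactly what an extension-based mail filter tends to miss. The following Python is an added example, not Talos's code or anything from the original article: a small attachment-triage routine a mail-gateway owner could run over attachment names (and archive member names, where the gateway can list them). The `Attachment` structure and every filename below are constructed for illustration.

```python
"""Mail-gateway attachment triage for split RAR volumes and CHM members.

Added example with constructed data. It flags old-style split volumes
(name.r00, name.r01, ...), new-style ones (name.partN.rar) and risky file
types inside an archive, so a filter keyed on the literal '.rar' extension
alone does not let the volumes through.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Old-style volumes: name.r00, name.r01 ...; new-style: name.part1.rar, name.part2.rar
RAR_VOLUME_RE = re.compile(
    r"^(?P<base>.+?)\.(?:r(?P<old>\d{2})|part(?P<new>\d+)\.rar)$", re.IGNORECASE
)

# Member types the described chain relies on once the archive is opened
RISKY_MEMBER_EXTENSIONS = {
    ".chm": "compiled HTML help file",
    ".html": "HTML file (may embed script)",
    ".js": "JavaScript file",
}


@dataclass
class Attachment:
    name: str
    members: list = field(default_factory=list)  # archive members, if the gateway can list them


def split_volume(name):
    """Return (archive_base, volume_index) when name is a split-RAR part, else None."""
    m = RAR_VOLUME_RE.match(name)
    if not m:
        return None
    idx = m.group("old") if m.group("old") is not None else m.group("new")
    return m.group("base").lower(), int(idx)


def classify(att):
    """Return a list of human-readable findings for one attachment (empty if clean)."""
    findings = []
    vol = split_volume(att.name)
    if vol:
        findings.append(
            f"split RAR volume #{vol[1]} of '{vol[0]}' (filters keyed on '.rar' alone miss this)"
        )
    for member in att.members:
        ext = "." + member.rsplit(".", 1)[-1].lower() if "." in member else ""
        if ext in RISKY_MEMBER_EXTENSIONS:
            findings.append(f"{RISKY_MEMBER_EXTENSIONS[ext]} inside archive: {member}")
    return findings


def triage(attachments):
    """Map attachment name -> findings, omitting attachments with nothing to report."""
    result = {}
    for att in attachments:
        findings = classify(att)
        if findings:
            result[att.name] = findings
    return result


def volume_groups(names):
    """Group split-volume filenames by archive base, so a whole set can be reassembled and scanned."""
    groups = defaultdict(list)
    for name in names:
        vol = split_volume(name)
        if vol:
            groups[vol[0]].append(vol[1])
    return {base: sorted(parts) for base, parts in groups.items()}


# Constructed sample mail: two volumes of one archive, a clean PDF and a clean single RAR
SAMPLE_ATTACHMENTS = [
    Attachment("Purchase_Order_4471.r00", members=["Purchase_Order_4471.chm"]),
    Attachment("Purchase_Order_4471.r01"),
    Attachment("quote.pdf"),
    Attachment("holiday_photos.rar", members=["beach.jpg"]),
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_ATTACHMENTS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
    print(volume_groups([a.name for a in SAMPLE_ATTACHMENTS]))
```

    The member check only helps where the gateway can enumerate archive contents; for the later stages, which Talos says live only in memory, this kind of filename triage does nothing, which is why the write-up stresses memory scanning on the endpoint.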

  •

    Labor calls for an Australian ransomware strategy

    Two Labor shadow ministry members have called for a national ransomware strategy, one they say is aimed at reducing the number of such attacks on Australian targets.
    In a report [PDF] prepared by Shadow Minister for Home Affairs Kristina Keneally and Shadow Assistant Minister for Communications Tim Watts, Labor declared that due to ransomware being the biggest threat facing Australia, it’s time for a strategy to thwart it.
    “Australia needs a comprehensive National Ransomware Strategy designed to reduce the attractiveness of Australian targets in the eyes of cyber criminals,” the report said. 
    “None of these interventions are silver bullets. But the threat of ransomware isn’t going anywhere soon, and the government cannot leave it to Australian organisations to confront this challenge alone.”
    The report pointed to the Australian government’s underwhelming cybersecurity strategy that was published in August.
    “[It] rightly identifies that individual organisations have the primary responsibility for securing their own networks against any cyber threat, including ransomware. However, this is far from the end of the story,” the report said.
    It also said the government has a range of policy tools that only it can deploy in an effort to reduce the overall volume of ransomware attacks, such as regulation making, law enforcement, diplomacy, international agreement making, offensive cyber operations, as well as the imposition of sanctions.

    “While individual organisations will always be primarily responsible for securing their own networks, governments can intervene strategically to shape the overall threat environment in ways that make Australian targets less attractive,” it continued.
    One suggestion the report has made is for the Australian government to pursue an approach that seeks to alter the return on investment of ransomware groups that target Australian organisations.
    “To do this, it should pursue a range of initiatives designed to increase the costs of mounting campaigns against Australian organisations and to reduce the returns that are realised from such campaigns,” it said.
    “The Australian government has tools that it can use to impose costs on ransomware crews that target Australians, including law enforcement action, targeted international sanctions, and offensive cyber operations.”
    Additionally, the report said that while Australian law enforcement agencies have been part of some significant international cybercrime cooperation success stories, Australian law enforcement agencies need to be more aggressively and visibly involved in international operations against ransomware operators and pursuing those who target Australia.
    It said that in the event where there is no prospect for law enforcement action against ransomware crews, Australia should seek to impose costs on ransomware crews that target Australian organisations by seeking to disrupt their activities through offensive cyber operations.
    Labor also believes there is more that Australia could be doing to develop cybercrime prevention programs, such as using existing aid programs to develop diversion programs and developing skilled migration pathways for “young, technically savvy people” in the greater Indo-Pacific region.
    Another way the shadow ministers believe the government could seek to reduce the returns of ransomware attacks on Australian organisations is by targeting cryptocurrency exchanges that enable ransomware payments.
    “Cryptocurrencies have been a crucial enabling technology for the growth of ransomware by providing a system for the payment of ransoms that is anonymous and outside existing global payments architecture,” they wrote. “The absence of a central organisation controlling cryptocurrencies has made the enforcement of existing ‘know your customer’ anti-money laundering laws far more challenging in this context.”
    The report concludes by stating that perhaps the simplest way to reduce the returns of ransomware attacks on Australian organisations is to lift the overall level of resilience of the IT networks of Australian organisations.
    Elsewhere, head of information warfare at the Australian Department of Defence Major General Susan Coyle used her appearance at IBM Think Australia and New Zealand on Thursday to say it’s important to patch systems and change passwords frequently.
    “First and foremost, we’ve got to accept that there is a risk, thinking that there isn’t a risk makes us more complacent,” she said.

  •

    Defence lists cyber mitigation as key factor for building ethical AI

    The Australian Department of Defence has released a new report on its findings for how to reduce the ethical risk of artificial intelligence projects, noting that cyber mitigation will be key to maintaining the trust and integrity of autonomous systems.
    The report was drafted following concerns from Defence that failure to adopt emerging technologies in a timely manner could result in military disadvantage, while premature adoption without sufficient research and analysis could result in inadvertent harms.
    “Significant work is required to ensure that introducing the technology does not result in adverse outcomes,” Defence said in the report [PDF].
    The report is the culmination of a workshop held two years ago, which saw organisations, including Defence, other Australian government agencies, the Trusted Autonomous Systems Defence Cooperative Research Centre, universities, and companies from the defence industry come together to explore how to best develop ethical AI in a defence context.
    In the report, participants have jointly created five key considerations — trust, responsibility, governance, law, traceability — that they believe are essential during the development of any ethical AI project.
    When explaining these five considerations, workshop participants said all AI defence projects needed to have the ability to defend themselves from cyber attacks due to the growth of cyber capabilities globally.
    “Systems must be resilient or able to defend themselves from attack, including protecting their communications feeds,” the report said.

    “The ability to take control of systems has been demonstrated in commercial vehicles, including ones that still require drivers but have an ‘internet of things’ connection. In a worst-case scenario, systems could be re-tasked to operate on behalf of opposing forces.”
    Workshop participants added there is a risk that a lack of investment in sovereign AI could impact Australia’s ability to achieve sovereign decision superiority.
    As such, the participants recommended increasing early AI education to military personnel to improve the ability for defence to act responsibly when working with AI.
    “Without early AI education to military personnel, they will likely fail to manage, lead, or interface with AI that they cannot understand and therefore, cannot trust,” the report said. “Proactive ethical and legal frameworks may help to ensure fair accountability for humans within AI systems, ensuring operators or individuals are not disproportionately penalised for system-wide and tiered decision-making.”
    The report also endorsed investment into cybersecurity, intelligence, border security and ID management, investigative support and forensic science, and for AI systems to only be deployed after demonstrating effectiveness through experimentation, simulation, or limited live trials.
    In addition, the report recommended that defence AI projects prioritise integration with already-existing systems. It gave the example of automotive vehicle automation, which provides collision notifications, blind-spot monitoring, and other functions that support the human driver’s cognition.
    The workshop members also created three tools that were designed to support AI project managers with managing ethical risks.
    The first two tools are an ethical AI defence checklist and ethical AI risk matrix, which can be found on the Department of Defence’s website.
    Meanwhile, the third tool is an ethical risk assessment for AI programs that require a more comprehensive legal and ethical program plan. Labelled as the Legal and Ethical Assurance Program Plan (LEAPP), the assessment requires AI project managers to describe how they will meet the Commonwealth’s legal and ethical assurance requirements.
    The LEAPP requires AI project managers to create a document with information, such as legal and ethical planning, progress and risk assessment, and input into Defence’s internal planning, including weapons reviews. Once written, this assessment would then be sent for review and comment by Defence and industry stakeholders before it is considered for Defence contracts. 
    As the findings and tools from the report are only recommendations, the report did not specify what AI defence projects fit within the scope of the LEAPP assessment.  

  •

    Microsoft starts removing Flash from Windows devices via new KB4577586 update

    Microsoft has begun deploying this week KB4577586, a Windows update that permanently removes the Adobe Flash Player software from Windows devices.
    The update was formally announced last year at the end of October when Microsoft and other browser makers were preparing for the impending Flash end-of-life, scheduled for the end of 2020.
    According to a support document published at the time, the update was initially supposed to be optional.
    System administrators who wanted to remove Flash before the EOL date could access the Microsoft Update Catalog, download the KB4577586 packages, and remove Flash to avoid any security-related issues.
    But this week, multiple Windows 10 users reported that Microsoft is now forcibly installing KB4577586 on their devices and removing Flash support from the OS.
    While users might think this would cause issues for some enterprises, it actually does not. Last year, Adobe introduced a time bomb in the Flash Player code that prevents the Flash Player app from playing content after January 12.
    Even if Flash Player is installed on a Windows device, the OS wouldn’t be able to play any content due to this time bomb — a well-known issue that has created problems in countries such as China and South Africa last month.

    It appears that Microsoft has also learned of this time bomb and has decided to push KB4577586 to Windows 10 systems this week to remove any Flash code since the app doesn’t work anyway.

  •

    US charges two more members of the 'Lazarus' North Korean hacking group

    The US Department of Justice has unsealed today new charges against the Lazarus Group, a codename given to North Korea’s state-sponsored military hacking groups.
    The new indictment expands charges initially brought against Park Jin Hyok, a North Korean military hacker the US charged in September 2018 for his involvement in the Sony hacks, WannaCry ransomware attacks, and bank cyber-heists.
    The new indictment unsealed today charges two additional North Korean hackers, namely Jon Chang Hyok (전창혁), 31, and Kim Il (김일), 27, and expands the charges brought against Park in 2018.

    US officials say the three hackers are part of units of the Reconnaissance General Bureau (RGB), a North Korean military intelligence agency, and that they participated in a worldwide hacking campaign dating back to 2014 that includes the likes of:
    The hack of Sony Pictures Entertainment in 2014, in retaliation for the studio releasing The Interview movie.
    Cyber-heists at banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta, and across Africa. The group targeted the banks’ SWIFT money transfer systems in attempts to steal more than $1.2 billion in funds.
    ATM cash-out attacks using the FASTCash malware. One successful such attack took place in October 2018 when the group stole $6.1 million from Pakistan’s BankIslami.
    The WannaCry ransomware outbreak of May 2017.
    Creating and spreading malware-laced cryptocurrency apps that stole users’ funds. Examples include Celas Trade Pro, WorldBit-Bot, iCryptoFx, Union Crypto Trader, Kupay Wallet, CoinGo Trade, Dorusio, CryptoNeuro Trader, and Ants2Whale.
    Hacks of cryptocurrency exchange portals. The DOJ said the RGB targeted hundreds of such entities and stole tens of millions of US dollars.
    Spear-phishing campaigns targeting US defense contractors, energy companies, aerospace companies, technology companies, the United States Department of State, and the United States Department of Defense.
    Creating a fake cryptocurrency company and releasing the Marine Chain Token. The US DOJ said the scheme would have allowed users to purchase ownership of marine vessels via a cryptocurrency token, allowing the North Korean state to gain access to investor funds and bypass US sanctions.
    US officials said that while some campaigns were geared towards intelligence collection, most were criminal endeavors to gather funds for the hermit kingdom’s regime.
    Assistant Attorney General John Demers described the three hackers and the Lazarus Group as “the world’s leading bank robbers” and “a criminal syndicate with a flag.”
    One more money mule charged
    But today, the DOJ also said it charged a Canadian national named Ghaleb Alaumary for helping the Lazarus Group launder some of their stolen funds.

    “Alaumary was a prolific money launderer for hackers engaged in ATM cash-out schemes, cyber-enabled bank heists, business email compromise (BEC) schemes, and other online fraud schemes,” DOJ officials said.
    He allegedly organized crews of money launderers in the US and Canada to receive stolen funds and then relay the funds to other accounts under the hackers’ control.
    This included laundering funds stolen from the BankIslami ATM cash-out attack, another ATM cash-out from an Indian bank that took place in 2018, and funds stolen from a Maltese bank in 2019.
    Alaumary is now the third North Korea-linked money mule charged in the US after the DOJ charged two Chinese nationals in March 2020.
    A copy of today’s indictment is available here, in PDF format.
    Besides the DOJ charges, the US Cybersecurity and Infrastructure Security Agency has also released a report today on the AppleJeus malware, which the Lazarus Group has often used during attacks on cryptocurrency exchange portals.

  •

    Phishing: These are the most common techniques used to attack your PC

    Creating malicious Office macros is still the most common attack technique deployed by cyber criminals looking to compromise PCs after they’ve tricked victims into opening phishing emails.
    Phishing emails are the first stage in the attack for the majority of cyber intrusions, with cyber criminals using psychological tricks to convince potential victims to open and interact with malicious messages.
    These can include creating emails which claim to come from well-known brands, fake invoices, or even messages which claim to come from your boss.
    There are a number of methods which cyber criminals can exploit in order to use phishing emails to gain the access they require, and according to researchers at cybersecurity company Proofpoint, Office macros are the most common means of achieving this.
    Macros are a function of Microsoft Office which allows users to enable automated commands to help run tasks. However, the feature is also abused by cyber criminals. As macros are often enabled by default to run commands these can be used to execute malicious code, and thus provide cyber criminals with a sneaky way to gain control of a PC.
    Many of these campaigns will use social engineering to encourage the victim to enable macros by claiming the functionality is needed in order to view a Microsoft Word or Microsoft Excel attachment. It’s proving a successful method of attack for cyber criminals, with Office macros accounting for almost one in ten attacks by volume.

    But Office macros are far from the only attack technique which cyber criminals are commonly adopting in order to make hacking campaigns as successful as possible.
    Sandbox evasion is the second most common attack technique used by criminals distributing phishing emails.
    This is when malware developers build in checks that stop the malware from running – effectively hiding it – if there is any suspicion that it is running on a virtual machine or sinkhole set up by security researchers. The aim is to stop analysts from being able to examine the attack – and therefore from being able to protect other systems against it.
    PowerShell is also still regularly abused by attackers as a means of gaining access to networks after getting an initial foothold following a phishing email. Unlike attacks involving macros, these often rely on getting the victim to click a link that causes PowerShell code to execute. The attacks are often difficult to detect because they use a legitimate Windows function, which is why PowerShell remains popular with attackers.
    Other common attack techniques used to make phishing emails more successful include redirecting users to websites laced with malicious HTML code which will drop malware onto the victim’s PC when they visit, while attackers are also known to simply hijack email threads, exploiting how victims will trust a known contact and abusing that trust for malicious purposes, such as sending malware or requesting login credentials.
    The data on the most common attack techniques has been drawn from campaigns targeting Proofpoint customers and the analysis of billions of emails.
    “Train users to spot and report malicious email. Regular training and simulated attacks can stop many attacks and help identify people who are especially vulnerable. The best simulations mimic real-world attack techniques,” said Proofpoint researchers in a blog post.
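    The macro and PowerShell techniques above both leave a trace in process telemetry: an Office application appearing as the parent of a script host, often with a command line that hides its window or encodes what it runs. The following Python is an added example, not Proofpoint's code or anything from the original article: it scores constructed process-creation events (parent image, child image, command line, as an EDR or Sysmon record would supply them) with a rule a SOC could adapt. The event records, paths and the base64 placeholder are all made up.

```python
"""Scoring process-creation events for the Office-to-script-host chain.

Added example with constructed data. Each event is a dict with the parent
image, the child image and the child's command line. The rule treats a
script host launched by an Office application as high severity and an
obscured script-host command line from any other parent as medium.
"""
import re

# Office applications that should not normally launch script interpreters
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters and script hosts a malicious macro typically hands off to
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line traits that hide or obscure what a script host runs
HIDING_TRAITS = [
    (re.compile(r"-(?:w|win|window|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"-(?:nop|noprofile)\b", re.I), "profile bypass"),
    (re.compile(r"downloadstring|invoke-webrequest|net\.webclient", re.I), "remote download"),
]


def _basename(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.lower().rsplit("\\", 1)[-1]


def score_event(event):
    """Return (severity, reasons) for one process-creation event."""
    parent = _basename(event["parent"])
    child = _basename(event["image"])
    reasons = []
    office_spawn = parent in OFFICE_PARENTS and child in SCRIPT_HOSTS
    if office_spawn:
        reasons.append(f"{child} spawned by Office process {parent}")
    if child in SCRIPT_HOSTS:
        for pattern, label in HIDING_TRAITS:
            if pattern.search(event.get("cmdline", "")):
                reasons.append(label)
    if office_spawn:
        severity = "high"      # an Office parent alone is worth paging on
    elif reasons:
        severity = "medium"    # obscured script host from another parent: review
    else:
        severity = "none"
    return severity, reasons


def summarize(events):
    """Return [(index, severity, reasons)] for every event that scored above 'none'."""
    out = []
    for i, ev in enumerate(events):
        severity, reasons = score_event(ev)
        if severity != "none":
            out.append((i, severity, reasons))
    return out


# Constructed sample telemetry; the base64 blob is a placeholder, not a real payload
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVlc="},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c echo test"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c Get-Date"},
]

if __name__ == "__main__":
    for idx, severity, reasons in summarize(SAMPLE_EVENTS):
        print(f"event {idx}: {severity} -> {', '.join(reasons)}")
```

    The parent-child relationship is the robust signal here: it does not depend on the attacker's choice of flags, which is why the rule pages on it alone, while the command-line traits mainly add context and catch the link-based PowerShell variant that has no Office parent. Legitimate automation that launches PowerShell from Outlook or Excel will need an allow-list entry rather than a weaker rule.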

  •

    Singtel breach compromises data of customers, former employees

    Singtel has confirmed that personal details of 129,000 customers as well as financial information of its former employees have been compromised in a security breach that involved a third-party file-sharing system. Credit card details belonging to staff of a corporate client and information tied to 23 enterprises, including suppliers and partners, also have been leaked in the incident. 
    The announcement Wednesday came just under a week after the Singapore telco revealed “files were taken” in an attack that affected a file-sharing system, called FTA, which was developed two decades ago by Accellion. Singtel said it had used the software internally and with external stakeholders. 
    Following its investigations, the telco said compromised personal data belonging to 129,000 customers contained their identification number alongside some other data that included name, date of birth, mobile number, and physical address. 

    Bank account details of 28 former Singtel staff and credit card details of 45 employees of a corporate client with Singtel mobile lines also were leaked. In addition, “some information” from 23 enterprises including suppliers, partners, and corporate clients were compromised. 
    Singtel would not offer further details on what exactly this information was, citing security reasons. 
    The telco did say that a large part of the leaked data comprised internal information that was non-sensitive, such as data logs, test data, reports, and email messages. 
    It said it had begun notifying affected individuals and enterprises about the breach and was offering help to mitigate potential risks from the breach. This included arranging for a data service provider to offer identity monitoring services, at no additional cost, to affected customers, who would be instructed on how to sign up for the service.

    Singtel’s group CEO Yuen Kuan Moon said: “While this data theft was committed by unknown parties, I’m very sorry this has happened to our customers and apologise unreservedly to everyone impacted. Data privacy is paramount. We have disappointed our stakeholders and not met the standards we have set for ourselves.
    “Given the complexity and sensitivity of our investigations, we are being as transparent as possible and providing information that is accurate to the best of our knowledge,” Yuen said, adding that its investigations were ongoing to ascertain the full extent of the breach. 
    He noted that Singtel’s core operations and functions were unaffected and it was conducting a “thorough review” of its systems and processes. 
    Informed only recently of product’s end of lifecycle
    ZDNet last week had asked Singtel why it was still using FTA, a 20-year-old file-sharing product that Accellion said was nearing the end of its lifecycle, but the telco then would not address the question. 
    On an updated FAQ posted on its website, Singtel noted that it had continued to use the software since it was “still a current product offered and supported by Accellion”. The telco revealed that Accellion only announced the product’s end of life on January 28 this year, effective from April 30. 
    Accellion had released a statement February 1 that said its FTA system was a legacy large-file transfer software nearing the end of its lifecycle. 
    Singtel said: “It was unfortunate the attack occurred while we were conducting a review to upgrade or replace the product. And despite promptly updating the vulnerability patches provided by Accellion, the patches failed.”
    The telco last week said Accellion’s first fix was deployed on December 24, while a second patch was applied on December 27. Accellion on January 23 pushed out another advisory citing a new vulnerability, against which the December 27 patch proved ineffective, according to Singtel, which said it then took the FTA system offline. 
    A subsequent patch was provided on January 30 to plug a new vulnerability, which the telco said triggered an anomaly alert when efforts were made to deploy it. It was notified by Accellion that its system could have been breached on January 20 and, following its investigations, Singtel confirmed on February 9 that data had been compromised. 