More stories

  • Meetup fixes security flaws which could have allowed hackers to take over groups

    Security vulnerabilities in popular online meeting service and events website Meetup could have allowed cyber attackers to gain access to the profiles of millions of members, according to a security company.
    Researchers from security company Checkmarx found it was possible to combine cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities on the site to gain administrator privileges, enabling them to perform actions ranging from the annoying – like cancelling or changing events – to the fraudulent, including looking at information about users or redirecting PayPal payments.
    Researchers found it was possible to inject malicious script into posts made in the discussion section of the Meetup page – something that’s enabled by default on every event.
    The injected script would be hidden from users, but attackers could take advantage of it by combining it with a CSRF attack, allowing them to carry out unauthorised commands in the organiser's browser and so gain control of groups.

    “When you have these two vulnerabilities, it’s basically the Holy Grail for a hacker. Because what it means if an organiser page runs the script in the browser, we can actually use their role of administrator to do whatever we want,” Erez Yalon, director of security research at Checkmarx told ZDNet.
    On an individual MeetUp group level, an attacker could exploit this to take control of the page, view personal information and redirect finances, something that would be frustrating for victims, but not a huge cybersecurity event.
    However, researchers also found it was possible to spread the vulnerability with a worm, meaning that if unleashed in the wild, the whole site could become compromised by attackers taking control of groups and diverting funds.
    “Even if I just started with several groups, everyone in them becomes an agent to spread the worm,” he said. “Then when organisers are infected, they can move the funds to our own malicious PayPal. In a day or two we could infect each and every Meetup group – that would be a massive attack on the platform”.
    After uncovering the vulnerabilities, the researchers disclosed them to Meetup, which released a security patch that fixed the issue earlier this year. Meetup told Checkmarx: “Meetup takes reports about its data security very seriously, and appreciates Checkmarx’s work in bringing these issues to our attention for investigation and follow up.” ZDNet has contacted the company for additional comment.
    What enabled the vulnerability was the ability to add scripts to the discussion page – and this could have been prevented if an allow list was used. By specifying which markup and commands are acceptable for the page, anything outside that set, including unexpected code, is rejected rather than rendered.
    An allow list is preferable to a deny list because a deny list requires listing every potential way a filter could be worked around – and attackers will always attempt to find new ways of doing this that developers might not think of.
    “When you’re using a deny list you’re hoping you can think of all the ways an attacker could use your system – I can promise you that every attacker will find things you didn’t think an attacker could do,” said Yalon, who argued that there’s a key takeaway from the research for other organisations.
    “Make sure you’re using an allow list when filtering inputs,” he concluded.
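To make the allow-list advice concrete, the following is an added example written for this article; it is not Checkmarx's or Meetup's code, and the article does not show how Meetup's discussion filter actually worked. It contrasts a deny-list filter that strips `<script>` elements with an allow-list sanitizer that keeps only a small set of formatting tags and `http`/`https` links and escapes everything else. The sample posts and the `evil()` function name are constructed for illustration.

```python
"""Deny-list vs allow-list filtering of user-supplied HTML (constructed example)."""
import html
import re
from html.parser import HTMLParser

# --- Deny-list approach: remove the one construct we thought of (<script>) ---
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def deny_list_filter(text: str) -> str:
    """Strip <script> elements and pass everything else through unchanged."""
    return SCRIPT_RE.sub("", text)


# --- Allow-list approach: enumerate what is acceptable; drop everything else ---
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # only <a href> carries an attribute at all
ALLOWED_SCHEMES = ("http://", "https://")  # no javascript:, data:, etc.


class AllowListSanitizer(HTMLParser):
    """Rebuild the post from scratch, emitting only allow-listed tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skipping = None  # set while inside <script>/<style> so their text is dropped too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag (img, iframe, div, ...) is dropped; its text still flows through
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # event handlers, style, id, ... never survive
            if name == "href" and not value.lower().startswith(ALLOWED_SCHEMES):
                continue  # non-http(s) URL scheme: drop the attribute, keep the link text
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
            return
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skipping:
            return
        self.out.append(html.escape(data, quote=False))  # all text is re-escaped


def allow_list_filter(text: str) -> str:
    """Return a version of `text` containing only allow-listed markup."""
    s = AllowListSanitizer()
    s.feed(text)
    s.close()
    return "".join(s.out)


# Constructed sample posts for a discussion section.
SAFE_POST = '<p>Meet at <b>7pm</b>, map: <a href="https://example.org/map">here</a></p>'
SCRIPT_POST = "<p>Hi<script>evil()</script></p>"
HANDLER_POST = '<p><img src="x" onerror="evil()"></p>'   # no <script>, so the deny list misses it
SCHEME_POST = '<p><a href="javascript:evil()">click</a></p>'

if __name__ == "__main__":
    for post in (SAFE_POST, SCRIPT_POST, HANDLER_POST, SCHEME_POST):
        print("input     :", post)
        print("deny-list :", deny_list_filter(post))
        print("allow-list:", allow_list_filter(post))
        print()
```

The deny list handles only the case its author anticipated: `SCRIPT_POST` is cleaned, but `HANDLER_POST` and `SCHEME_POST` pass through untouched because neither contains a `<script>` element. The allow list needs no knowledge of attack variants; it keeps the formatting in `SAFE_POST` intact, reduces `HANDLER_POST` to an empty paragraph and turns the `javascript:` link into plain link text, because those constructs were never on the list.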

  • NetWalker ransomware gang has made $25 million since March 2020

    Image: McAfee, ZDNet
    The operators of the NetWalker ransomware are believed to have earned more than $25 million from ransom payments since March this year, security firm McAfee said today.
    Although precise and up-to-date statistics are not available, the $25 million figure puts NetWalker close to the top of the most successful ransomware gangs known today, with other known names such as Ryuk, Dharma, and REvil (Sodinokibi).

    McAfee, which recently published a comprehensive report about NetWalker’s operations, was able to track payments that victims made to known Bitcoin addresses associated with the ransomware gang.
    However, security experts believe the gang could have made even more from their illicit operations, as their view wasn’t complete.
    A short intro and history to NetWalker
    NetWalker, as a ransomware strain, first appeared in August 2019. In its initial version, the ransomware went by the name of Mailto but rebranded to NetWalker towards the end of 2019.

    The ransomware operates as a closed-access RaaS — a ransomware-as-a-service portal. Other hacker gangs sign up and go through a vetting process, after which they are granted access to a web portal where they can build custom versions of the ransomware.
    The distribution is left to these second-tier gangs, known as affiliates, and each group deploys it as they see fit.
    Through this vetting process, NetWalker has recently begun selecting affiliates specialized in targeted attacks against the networks of high-value entities, rather than those specialized in mass-distribution methods such as exploit kits or email spam.
    The reason is that targeting larger companies in precise and surgical intrusions allows the gang to request bigger ransom demands as larger companies lose more profits while they’re down, compared to smaller firms.
    In particular, the NetWalker author appears to favor affiliates capable of executing intrusions via network attacks — on RDP servers, networking gear, VPN servers, firewalls, etc. — according to an ad on a hacking forum found by this reporter earlier this year. Of note, the NetWalker author, going by the name of Bugatti, was only interested in hiring Russian-speaking clients.

    Historically, McAfee experts say NetWalker has carried out intrusions by using exploits against Oracle WebLogic and Apache Tomcat servers, by entering networks via RDP endpoints with weak credentials, or by spear-phishing staff at important companies.

    Image: McAfee
    But according to an FBI alert published last week, more recently, the group has also incorporated exploits for Pulse Secure VPN servers (CVE-2019-11510) and exploits for web apps that use the Telerik UI component (CVE-2019-18935) to diversify their arsenal.
    The same alert also warned US companies and government organizations to make sure to update their systems, as the bureau saw an uptick in activity from the NetWalker gang, which even hit some government networks.
    NetWalker activity has ramped up in recent months
    Currently, NetWalker’s most high-profile victim is Michigan State University, which the group infected in late May, as part of several intrusions at several US universities.
    However, McAfee says that NetWalker also poses a risk for companies all over the globe, and not just the US — or Western Europe, another regular NetWalker hunting ground.
    Per statistics supplied to ZDNet by ransomware identification service ID-Ransomware, NetWalker activity has been picking up in recent months, a sign that its RaaS portal is a hit among the cyber-criminal underground.

    Image: MalwareHunterTeam
    With more than $25 million obtained from ransom payments, NetWalker’s popularity is bound to grow even larger.
    And one of the reasons why the gang has been so popular is also because of its “leak portal,” a website where the gang publishes the names and releases data from victims who refuse to pay its ransom demand.
    The site operates based on simple principles and is one of the many similar such ransomware leak sites.
    Once a NetWalker affiliate breaches a network, they first steal a company’s sensitive data, then encrypt files.
    If the victim refuses to pay to decrypt files during initial negotiations, the ransomware gang creates an entry on their leak site.
    The entry has a timer, and if the victim still refuses to pay, the gang leaks the files they stole from the victim’s network.

    Image: ZDNet
    The site has helped NetWalker put additional pressure on victims: many fear having intellectual property or sensitive user data leaked online, while others fear having their name tarnished in the press, as the site and its most recent victims are often cited in news articles. Many companies will pay simply to avoid having their name listed on it in the first place.

  • Windows 10 2004: New update fixes all these problems, says Microsoft

    Microsoft has released an optional update for Windows 10 version 2004 that addresses a long list of bugs affecting the functionality of PCs, including several driver issues that caused Microsoft to block the feature update on some machines. 
    This update brings a fix for an issue in certain LTE modems that prevented devices from reaching the internet after updating to Windows 10 version 2004, also known as the Windows 10 May 2020 Update. Microsoft fixed a similar problem in the optional update for Windows 10 versions 1909 and 1903 earlier this month.  


    The new preview update, KB4568831, brings Windows 10 version 2004 up to build 19041.423. It’s also the precursor to an update due out in mid-August that should allow Microsoft to lift compatibility holds on devices with drivers from Nvidia, Intel and Realtek, which were discovered to have problems immediately after Microsoft released the feature update.
    One fix in KB4568831 addresses an issue that caused Magnifier to stop working in Excel and also stopped Excel from working. Microsoft also notes that 4K high dynamic range (HDR) content was being displayed “darker than expected when you configure certain non-HDR systems for HDR Streaming”. That issue should now be fixed.

    Other glitches fixed include one that caused the Settings page to close unexpectedly, preventing default applications from setting up properly, as well as a bug that stopped some applications from printing to network printers. 
    There are two fixes for recent problems affecting Storage Spaces, Microsoft’s RAID-like data protection software. Microsoft confirmed user reports over problems with Storage Spaces in Windows 10 2004 in mid-June and two weeks later offered troubleshooters to partially mitigate the issues, particularly around damaged files in the utility’s ‘parity’ archiving feature. 
    According to Microsoft, this update “addresses an issue with in-memory parity bitmaps that can cause data-integrity issues on Parity Storage Spaces”.  
    Additionally, it cures a problem preventing users from creating a storage pool using Manage Storage Spaces in Control panel. 
    There are several fixes for issues affecting enterprise security product Microsoft Defender ATP in Windows 10 2004. One prevented some PCs from automatically going into Sleep mode, while another prevented some PCs from running Microsoft Defender ATP Threat & Vulnerability Management successfully. 
    Automatic investigations were also failing in Microsoft Defender ATP and the update improves the product’s ability to identify malicious code injection activities.    
    Microsoft indicates on its Windows 10 2004 update health dashboard that it’s fixed several driver-compatibility issues. However, the compatibility holds will remain in place until an update is released in mid-August, which is likely to be the next Patch Tuesday update. 
    A compatibility problem with Windows 10 2004 and older drivers for Nvidia display adapters cropped up a day after Microsoft released this version of Windows 10, prompting it to block the feature upgrade for affected devices. 
    Microsoft says it’s been mitigated externally. But the block is still in place, and the company has now clarified that the affected Nvidia drivers are “any version lower than 358.00”.
    The optional update also resolves an issue preventing Windows 10 PCs with certain Realtek drivers from connecting to more than one Bluetooth device. That block will remain in place until mid-August, too. 
    And it fixes a compatibility issue affecting devices with Intel integrated GPUs as well as an incompatibility issue with apps or drivers using certain versions of aksfridge.sys or aksdf.sys and Windows 10, version 2004. Again, a fix is due in mid-August.

  • 2gether hacked: €1.2m in cryptocurrency stolen, native tokens offered in exchange

    2gether has revealed a cyberattack in which roughly €1.2 million in cryptocurrency has been stolen from cryptocurrency investment accounts. 

    Founded in 2017, 2gether offers a cryptocurrency trading platform within the Eurozone for buying and selling without additional fees. The organization’s native coin is the 2GT token, which is — or, at least, was — due to be issued during 2020 following a pre-sale in Spain. 
    However, on July 31 at 6.00 pm CEST, the trading platform suffered a cyberattack on its servers. 
    The unknown threat actors reportedly behind the attack made off with €1.183 million in cryptocurrency in investment accounts, which equates to 26.79% of overall funds. 

    In a stream of Twitter updates posted by 2gether CEO Ramón Ferraz Estrada, the executive was keen to emphasize that general wallets and Euro accounts were not impacted, nor were the financial details of payment cards used to deposit funds.
    However, user passwords were also compromised in the security breach, and it is recommended that users change them. 
    2gether has not revealed how the security incident took place. An investigation is underway to find out how the cyberattackers managed to obtain access to the company’s servers, as well as the full extent of the damage caused.
    The cryptocurrency platform added that information is being “gathered” to give to local authorities. 
    In an update posted August 1, Ferraz, Chairman Salvador Casquero, and Director Luis Estrada said the “extremely difficult situation has brought us all a lot of uncertainty,” branding the hackers responsible as “soulless individuals.”
    The executives said that following the theft, the platform does not have enough funds to cover all of its bases and so an emergency discussion took place with an unnamed “investment firm” to try and secure a cash injection.  
    However, an agreement was not reached — and so the only alternative is to offer users the equivalent of their stolen cryptocurrency in the native 2GT token.
    “We want to compensate the amount of stolen cryptocurrency (26.79% of your position before the attack) with a volume in 2GT equivalent to the issuance price of 5 cents,” the team said. “On top of that, we commit to keep looking, at top capacity and as soon as possible, for additional funds to make up for every single one of your cryptocurrencies.”
    The executives said that if it was possible to use other funds, they would, but in the meantime, the technical team is working on reestablishing the trading app to reopen access “as soon as possible and with all the security measures available.”
    A Reddit Ask Me Anything (AMA) will take place in the next few days to answer investor questions, according to 2gether. 
    “We hope you can see these hard times and adverse events compensated soon, whether you decide to give us the vote of confidence we’re asking you for or not,” the team added.
    In other cryptocurrency news, last week, China arrested 109 individuals in a massive sting connected to the PlusToken Ponzi scheme. 
    The South Korean exchange was touted as a high-yield investment for those with little experience in cryptocurrency, while also offering a commission for members who sign up new traders. When the team performed what is thought to be an exit scam, an estimated $3 – $6 billion in deposits was taken, and many of the PlusToken management team fled abroad.


  • Entry into Singapore gets you mandatory quarantine, monitoring device

    Anyone entering Singapore who has to serve a 14-day stay-home quarantine will soon need to wear an electronic monitoring device, which must be activated once they arrive at their place of residence. The device taps GPS as well as cellular and Bluetooth signals to determine if the wearer is within the range of their permitted location. 
    If the monitoring device is not activated as required, the relevant authorities will check on the person’s location and work to resolve any technical issues or take enforcement action, whichever is needed. Non-compliance or any attempts to tamper or remove the device during the stay-home period will result in prosecution, according to a joint statement Monday by Singapore’s Immigration & Checkpoints Authority, Ministry of Manpower, and Ministry of Education. 


    Anyone caught breaching the order may be charged with a fine of up to SG$10,000 and/or jail term of up to six months. Foreigners also may face other administrative actions including revoking or shortening of their permits and passes to remain or work in the city-state. 
    The government agencies said the move was necessary to “enhance” compliance with quarantine orders as Singapore gradually reopened its borders to international travel and, hence, reduce the risk of COVID-19 transmission by new entrants to the local community. 
    The agencies have been monitoring stay-home compliance through manual and automated text messages as well as phone and video calls. Physical house visits also are made to ensure compliance. The addition of wearable monitoring devices will enable the government to monitor those serving stay-home orders more effectively as travel restrictions are lifted.

    Since March 21, all incoming travellers have been required to serve a 14-day stay-home notice upon entering Singapore, which they can do either at their place of residence or at dedicated facilities. They are tested for COVID-19 before the end of their stay-home notice period.
    From August 10, anyone serving their stay-home notice outside of dedicated facilities will need to wear the electronic monitoring device throughout the 14-day period. The mandate applies to all incoming travellers including citizens, work pass holders, and long-term pass holders, but excludes those aged 12 and below. Students serving their stay-home orders in hostels within educational institutions also are excluded, since they will be under close observation at such facilities. 
    The monitoring devices will be issued at checkpoints after immigration clearance and must be activated once travellers reach their place of residence. According to the government agencies, the monitoring device neither stores personal data nor has voice or video recording functions.
    They said information, such as GPS and Bluetooth signal data, transmitted from the device to the authorities’ backend system will be protected by “end-to-end certificate-based encryption”. 
    They added that authorities would abide by public sector data protection rules in managing and safeguarding personal data collected through the monitoring device, which would be accessed only by authorised agents for the purposes of monitoring and investigation. 
    During the 14-day stay-home period, device wearers may receive notifications on their device and will need to acknowledge these in a “timely manner”. Attempts to leave their place of residence, outside of their scheduled appointments for COVID-19 tests, or tamper with the device will trigger an alert, which is sent to the authorities for follow-up investigations. 
    These monitoring devices are to be deactivated after the stay-home notice is fulfilled and disposed of or returned according to instructions provided. 
    Singapore has developed an app as well as wearable devices to aid in its contact tracing efforts, but has yet to make their use mandatory. Initial news about its plans to roll out wearable devices had triggered an outcry amongst those concerned about their privacy. 
    The country’s COVID-19 infections in recent weeks have included imported cases, including nine today, all of whom had been placed on stay-home orders upon their arrival.

  • GandCrab ransomware distributor arrested in Belarus

    In a press release last week, the Minister of Internal Affairs of Belarus announced the arrest of a 31-year-old man on charges of distributing the GandCrab ransomware.
    The man, whose name was not released, was arrested in Gomel, a small city in southeastern Belarus near the borders with Russia and Ukraine.
    Authorities said the man had no previous convictions prior to his arrest but had signed up on a hacking forum to become an affiliate for the GandCrab ransomware operation.
    He allegedly rented access to a web panel where he tweaked settings to obtain a custom version of the GandCrab ransomware, which he would later send out as boobytrapped files to other internet users using email spam.
    Victims who opened the files would get infected and have their files encrypted, needing to pay a ransom fee to obtain a decryption app and recover their files.
    Suspect made more than 1,000 victims

    Belarusian officials said the suspect infected more than 1,000 computers while a GandCrab affiliate (also known as a “distributor”). From each victim, the suspect demanded around $1,200 paid in Bitcoin, although officials didn’t say how many paid.
    Vladimir Zaitsev, Deputy Head of the High-Tech Crime Department of the Ministry of Internal Affairs, said the suspect infected victims in more than 100 countries, with the most located in India, the US, Ukraine, the UK, Germany, France, Italy, and Russia.
    Officials said they received help from law enforcement from the UK and Romania in tracking down and identifying the hacker.
    Authorities also said the suspect was unemployed and distributed cryptominers and wrote code for other users on hacking forums.
    GandCrab author still at large
    The GandCrab ransomware is now defunct. The operation — known as a RaaS (Ransomware-as-a-Service) — launched in early 2018, had tens of affiliates and shut down in June 2019.
    In a post on a hacking forum, the GandCrab team bragged about earning more than $2 billion from their scheme — a claim researchers deemed an exaggeration as they could never prove to be true.
    Under the hood, the ransomware wasn’t that well put together and allowed security researchers to release free decryption utilities on multiple occasions [1, 2, 3, 4]. Towards June 2019, the service was losing affiliates as distributors moved to other RaaS offers that had a stronger offering and took a smaller cut of their profits.
    During its final days, GandCrab affiliates experimented with targeting managed service providers or MySQL servers for more focused intrusions. Nowadays, many security researchers believe the GandCrab authors moved on to create the new Sodinokibi (REvil) ransomware.
    Belarusian authorities said GandCrab made more than 54,000 victims across the world, including 156 in their country.
    The authors of the GandCrab ransomware are still unidentified in the public eye and at large.

  • Telstra aiming 5G coverage at 75% of population by June 2021

    Telstra CEO Andy Penn with a mmWave hotspot
    Image: Telstra
    Telstra CEO Andy Penn said on Monday the telco intends to have 75% of the population covered by its 5G footprint by June 2021.
    “Our 5G network already covers around one-third of the population,” Penn said.
    “Telstra’s 5G is already rolling out in 53 cities and regional towns across Australia and more than 10 million Australians now live, work or pass through our 5G network footprint every day.”
    The CEO tied the new goal to the company’s coronavirus response that saw Telstra bring forward AU$500 million of capital expenditure slated for the second half of the next fiscal year into the calendar 2020 year.
    “This capital will be deployed to increase capacity in our network, including further accelerating the rollout of 5G and injecting much needed investment into the economy at this time,” Telstra said in March.

    Over 210,000 5G services are connected to Telstra’s network, the CEO said.
    Penn also responded to criticism over the telco’s latest plan structure, in which Telstra dropped its 5G fee, but bumped up the price of its base plans by at least AU$5 a month.
    The “small” plan the telco offers now charges AU$55 a month for 40GB, medium is AU$65 for 80GB with 5G data thrown in, large now costs AU$85 for 120GB including 5G, and the extra large plan will see a AU$15 increase to AU$115 for 180GB with 5G connectivity.
    Penn said on Monday the telco would be “inviting” eligible customers to shift to the new plans before the end of September, and if they do so, they will receive 12 months of credit to make up the difference between the plans.
    “This is in addition to the fact that all of our plans feature no lock-in contracts and no excess data charges, unlike some of our competitors, where there can be up to AU$1500 of excess data charges tucked quietly behind the upfront charges,” Penn said.
    “Put simply, we are providing more data for the same price and committing to hold our price for twice as long as our major competitor because right now that’s what customers need.”
    On Sunday, Telstra’s domain name servers fell over under what was initially pinned as a denial of service attack, but later revealed to be caused by Telstra denying itself.
    “The massive messaging storm that presented as a Denial of Service cyber-attack has been investigated by our security teams and we now believe that it was not malicious, but a Domain Name Server issue,” the telco said on Sunday.
    Last week, Telstra released a report from Forrester that said 52% of respondents felt their organisation had continuity plans that could address cyber attacks.
    “A further 79% reported not having security analytics — security information management, managed security service provider, or cloud-native — in place to protect ‘as-a-service’ environments that are offered via cloud deployment,” the report said.
    It added that two-thirds of respondents did not feel their organisation could handle a large base of remote workers before coronavirus struck, with 40% stating changes have been made as a result, and over 30% have thought about changes to endpoint security and VPNs.

  • Microsoft says it will continue discussions to buy TikTok's operations in the U.S.

    On Sunday, August 2, Microsoft acknowledged publicly and officially that it is in discussions regarding purchasing the U.S. operations of the TikTok video platform. Microsoft officials said via a blog post that Microsoft CEO Satya Nadella and President Donald Trump had met and Microsoft was “prepared to continue discussions to explore a purchase of TikTok in the United States.”
    Microsoft “is committed to acquiring TikTok subject to a complete security review and providing proper economic benefits to the United States, including the United States Treasury,” the blog post said.
    Microsoft is discussing both owning and operating TikTok in the U.S., Canada, Australia and New Zealand, officials said. Microsoft may invite other investors to take a minority share in the purchase.
    Microsoft plans to continue discussions with TikTok’s parent company, ByteDance, “in a matter of weeks” and will complete the discussions no later than September 15, 2020, officials said. During that time, Microsoft plans to continue discussions with the U.S. government, including Trump, the blog post said.
    Microsoft would ensure that it adds “world-class security, privacy and digital safety protections,” the blog post said. Microsoft also would ensure that all private data from TikTok’s U.S. users will be transferred to and remain in the U.S. If any of that data is currently stored or backed up outside the U.S., Microsoft would ensure it is deleted from servers outside the country after it is transferred, the blog post said.
    TikTok claims its datacenters are located entirely outside China and that none of its data is subject to Chinese law. ByteDance operates a separate service called Douyin to serve the Chinese market. ByteDance currently operates its own hyperscale datacenters in the U.S., and stores all U.S. user data in the U.S., with backup redundancy in Singapore, according to the company. Microsoft officials characterized the discussions as “preliminary,” and noted that Microsoft does not intend to provide any further updates on the discussions until there is a definitive outcome.
    On July 31, word that Microsoft was discussing the possibility of purchasing TikTok’s U.S. operations from ByteDance began circulating. Over the weekend, Microsoft was reported to have halted talks with ByteDance because of concerns that Trump might ban TikTok in the U.S.
    It’s unclear exactly why Microsoft, which has become mostly an enterprise tech vendor, wants TikTok. It’s also unclear how much Microsoft will be willing to pay for it.