More stories

    SEC calls out dubious cryptocurrency traders, miners soliciting customers worldwide

    The US Securities and Exchange Commission (SEC) has issued an alert warning investors of dubious, unregistered companies in the cryptocurrency space. 

    SEC maintains a list of companies that are soliciting business — whether at home, or abroad — that are on the radar due to alleged unscrupulous practices and registered investor complaints. 
    Known as the Public Alert: Unregistered Soliciting Entities (PAUSE) list, the US agency says the warnings are designed to “enable investors to better inform themselves and avoid being a victim of fraud.”
    On Thursday, SEC updated PAUSE (.PDF) with a further 28 companies, eight of which were associated with cryptocurrency services in some way. 
    At the time of writing, the websites of four companies listed with names that appear to be crypto-related — Bitminingfx, Cloudinmine, Cryptobravos, and FX Bitcash — are unavailable. 
    However, a Google search on the first three companies results in accusations of scams and fraud. In the case of FX Bitcash, views appear to be polarized — although it is not possible to verify reviews — and there is little information available on the organization now the website has been pulled. 
    The other companies of interest listed by SEC include AxTrading-Investment, which claims to be made up of a team of cryptocurrency investment experts. Passive Trade Plan claims to be a “trusted authority on digital currency investing,” and Reclaws International boasts of lawyers able to assist in crypto-related scams and Initial Coin Offerings (ICOs). 

    Another business name on SEC’s watchlist is RetireWell Investors. This company requires a $500 “minimum investment” in its cryptocurrency services at a claimed 3% weekly return on investment (ROI). 
    Finally, SmartCoins24 is included. This firm boasts a “90%” success rate on “all trades,” including Bitcoin (BTC) and Ethereum (ETH). 
    “By updating the PAUSE list, we continue to provide the public with information we have learned in reviewing tips, complaints, referrals, and other sources so that investors can be alerted to potential fraud before they invest,” commented Jennifer Diamantis, SEC’s Office of Market Intelligence chief.
    However, the agency does note that inclusion on the list does not mean federal investigators have found violations of securities laws, nor that any “judgments have been made” concerning securities offerings. 
    Instead, PAUSE should be considered a warning. As with any investment, you should conduct due diligence and research an offering — and when it comes to cryptocurrency, this caution is just as important. 

    Windows RDP servers are being abused to amplify DDoS attacks

    Cybercrime gangs are abusing Windows Remote Desktop Protocol (RDP) systems to bounce and amplify junk traffic as part of DDoS attacks, security firm Netscout said in an alert on Tuesday.
    Not all RDP servers can be abused: only systems where RDP authentication is also enabled on UDP port 3389, on top of the standard TCP port 3389, are affected.
    Netscout said that attackers can send malformed UDP packets to the UDP ports of RDP servers that will be reflected to the target of a DDoS attack, amplified in size, resulting in junk traffic hitting the target’s system.
    This is what security researchers call a DDoS amplification factor, and it allows attackers with access to limited resources to launch large-scale DDoS attacks by amplifying junk traffic with the help of internet-exposed systems.
    In the case of RDP, Netscout said the amplification factor is 85.9, with the attackers sending a few bytes and generating “attack packets” that are “consistently 1,260 bytes in length.”
    An 85.9 factor puts RDP in the top echelon of DDoS amplification vectors, with the likes of Jenkins servers (~100), DNS (up to 179), WS-Discovery (300-500), NTP (~550), and Memcached (~50,000).
    RDP servers already abused for real-world attacks
    But the bad news doesn’t end with the amplification factor. Netscout said that threat actors have also learned of this new vector, which is now being heavily abused.

    “As is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, RDP reflection/amplification has been weaponized and added to the arsenals of so-called booter/stresser DDoS-for-hire services, placing it within the reach of the general attacker population,” researchers said.
    Netscout is now asking system administrators who run RDP servers exposed on the internet to take systems offline, switch them to the equivalent TCP port, or put the RDP servers behind VPNs in order to limit who can interact with vulnerable systems.
    Currently, Netscout said it is detecting more than 14,000 RDP servers exposed online and running on UDP port 3389.
    Since December 2018, five new DDoS amplification sources have come to light. These include the Constrained Application Protocol (CoAP), the Web Services Dynamic Discovery (WS-DD) protocol, the Apple Remote Management Service (ARMS), Jenkins servers, and Citrix gateways.
    According to the FBI, the first four have been abused in real-world attacks.
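    The following PowerShell audit is an added example, not code from Netscout or the article: it checks a Windows host for the UDP/3389 exposure described above (a live UDP listener, the “Select RDP transport protocols” policy, and the built-in inbound UDP firewall rule) and applies the TCP-only remediation Netscout recommends. It assumes it is run elevated on the RDP host and that the SelectTransport policy values map as 0 = both, 1 = TCP only, 2 = either (taken from the Group Policy description).

```powershell
# Added example (not from the article): audit and remediate RDP UDP/3389 exposure.
# Assumptions: run elevated on the RDP host; SelectTransport 0 = both UDP and TCP,
# 1 = TCP only, 2 = either UDP or TCP (per the "Select RDP transport protocols" policy).

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$UdpRuleName = 'Remote Desktop - User Mode (UDP-In)'

function Get-RdpUdpExposure {
    # 1. Is anything listening on UDP 3389 right now?
    $udpListeners = @(Get-NetUDPEndpoint -LocalPort 3389 -ErrorAction SilentlyContinue)
    $listening = $udpListeners.Count -gt 0

    # 2. Owning process for each listener (TermService normally runs inside svchost)
    $owners = foreach ($ep in $udpListeners) {
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $ep.LocalAddress
            Pid          = $ep.OwningProcess
            Process      = $proc.ProcessName
        }
    }

    # 3. Transport policy: absent means UDP is allowed by default
    $transport = (Get-ItemProperty -Path $PolicyPath -Name SelectTransport `
                  -ErrorAction SilentlyContinue).SelectTransport
    if ($null -eq $transport) { $transportText = 'Not configured (UDP allowed by default)' }
    elseif ($transport -eq 1) { $transportText = 'TCP only (UDP disabled)' }
    elseif ($transport -eq 0) { $transportText = 'Both UDP and TCP' }
    else                      { $transportText = 'Either UDP or TCP' }

    # 4. Built-in firewall rule that admits UDP 3389 (one rule per profile may exist)
    $udpRules = @(Get-NetFirewallRule -DisplayName $UdpRuleName -ErrorAction SilentlyContinue)
    $fwEnabled = @($udpRules | Where-Object { $_.Enabled -eq 'True' }).Count -gt 0

    [pscustomobject]@{
        UdpListening    = $listening
        Listeners       = $owners
        TransportPolicy = $transportText
        UdpFirewallRule = $fwEnabled
        # Reflection is only possible if the socket is open and the firewall lets it in
        Exposed         = ($listening -and $fwEnabled)
    }
}

# Remediation matching Netscout's advice: keep RDP reachable over TCP only.
# Restarting TermService drops active RDP sessions, so schedule this accordingly.
function Set-RdpTcpOnly {
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    Set-ItemProperty -Path $PolicyPath -Name SelectTransport -Value 1 -Type DWord
    Get-NetFirewallRule -DisplayName $UdpRuleName -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
    Restart-Service -Name TermService -Force
}

# Usage: report first; call Set-RdpTcpOnly only if Exposed is True and UDP is not needed.
Get-RdpUdpExposure | Format-List
```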

    Microsoft is rolling out password monitor, tab sync, sleeping tabs and other new Edge features

    Microsoft is rolling out version 88 of its Chromium-based Edge browser to the Stable channel, meaning mainstream users. This version of “Chredge” includes a number of new features, almost all of which have been in testing for months.
    Edge 88 is getting the Password Monitor feature Microsoft announced in March 2020. Password Monitor is not the same as a password manager like LastPass or Dashlane. The Chredge Password Monitor feature will notify users if the credentials they’ve saved to autofill have been detected on the dark web and, if so, provide a notification inside the browser suggesting users take action. Password Monitor may take a couple of weeks to show up for new Edge users, Microsoft officials said in a January 21 blog post.
    Edge 88 also includes an option to use a built-in password generator, which debuted in test builds of Edge in September 2020. The password generator can be used when users are signing up for a new account or changing an existing password. Users will see this as a browser-suggested password drop-down in the password field. If selected, the auto-generated password will be saved and synced across devices using Edge.
    Password generator is available for Windows 7, 8 and 10, as well as macOS. Users must be signed into Edge with a Microsoft work or school account and password sync must be turned on. Password Monitor also is available for Windows 7, 8 and 10 and requires users to be signed into Edge with a Microsoft work or school account.
    History and tab sync are both also rolling out. (Many mainstream users, including me, have seen these sync capabilities show up in recent weeks.) History and tab sync are available to desktop and mobile customers who sign in with the same profile across devices. This feature can be turned on by going to Edge settings > profiles > sync and turning on the toggles.
    macOS users now can use the Automatic Profile Switching feature in Edge, which lets users switch between work and personal browsing activities. And Microsoft also is giving users an option to see incoming emails directly from the new tab page in Microsoft Edge using a new smart tile for Outlook. This is another of those “stay in your flow” features which may not appeal to all users; those who want it can open the new tab page, click the plus sign next to quick links and add Outlook as a suggestion to see their three most recent emails and/or start a new mail or meeting request directly from the new tab page.
    Microsoft has added a sleeping tabs feature to the new Edge which releases system resources for inactive tabs in the name of performance. Users interested in this can enable the sleeping tabs option in the browser settings menu. Microsoft also has added new user-selectable themes for Edge in this release.
    The previously announced Sidebar Search feature, which opens a side panel when users highlight a word, right click and search, is part of the Chredge 88 update, as well.
    In semi-related news, Microsoft also is adding more features to Bing, including a way to aggregate job openings from different sources across the web which users can find by searching for “jobs near me.” And Microsoft is planning to add yet more shopping features to Bing and Edge “in the coming months,” officials said in today’s blog post. Microsoft rolled out some new shopping and coupon features to Bing and Edge in November 2020.
    If you’re wondering whatever happened to the vertical tabs feature that Microsoft announced in March 2020 for the new Edge, it is still coming. An updated version of that feature rolled out to testers earlier this week; it’s still going to be a bit before it goes to us mainstream users.

    QNAP warns users of a new crypto-miner named Dovecat infecting their devices

    Taiwanese hardware vendor QNAP has published a security advisory today warning customers of a new malware strain named Dovecat that is currently targeting its line of network-attached storage (NAS) devices to abuse local resources and mine cryptocurrency behind users’ backs.
    The company said the malware is currently spreading by connecting to QNAP NAS systems left exposed online using weak passwords.
    Today’s security advisory comes after the company began receiving reports from its users last year about two unknown processes, named dovecat [1, 2] and dedpma, that were running non-stop and consuming the device’s memory.

    Matthew Ruffell, a Canonical software engineer and the founder of Dapper Linux, analyzed the malware last year when he found it on an Ubuntu system.
    According to his analysis, the malware was capable of infecting any Linux system but appeared to have been specifically designed for the internal structure of QNAP NAS devices.
    The use of the “dovecat” process name wasn’t accidental either, as the malware tried to pass as Dovecot, a legitimate email daemon that ships with the QNAP firmware and many Linux distros.
    But as Ruffell pointed out, Dovecat attacks were indiscriminate. Similar infections were also reported by users of Synology NAS devices, where the malware also appeared to have managed to run without problems.

    Since the infection vector was linked to weak passwords, QNAP told users to take the following steps to prevent infections with this new threat:
    • Use stronger admin passwords.
    • Use stronger passwords for database administrators.
    • Disable SSH and Telnet services if not in use.
    • Disable unused services and apps.
    • Avoid using default port numbers (80, 443, 8080 and 8081).
    • Update QTS to the latest version.
    • Install the latest version of Malware Remover.
    • Install Security Counselor and run with Intermediate Security Policy (or above).
    • Install a firewall.
    • Enable Network Access Protection to protect accounts from brute force attacks.
    • Follow best practices for enhancing NAS security.
    But in the grand scheme of things, Dovecat is not the first malware strain to target QNAP devices. QNAP storage systems were also previously targeted by the Muhstik ransomware, the QSnatch malware, the ec0raix ransomware, and the AgeLocker ransomware.

    Singapore widens security labelling to include all consumer IoT devices

    Singapore has widened a cybersecurity labelling initiative to include all consumer Internet of Things (IoT) devices such as smart lights, smart door locks, smart printers, and IP cameras. The scheme, which initially applied only to Wi-Fi routers and smart home hubs, rates devices according to their level of cybersecurity features. 
    The Cybersecurity Labelling Scheme was first introduced last October as part of the government’s efforts to enhance IoT security, boost general cyber hygiene, and better safeguard the country’s cyberspace. Then, only Wi-Fi routers and smart home hubs were included in the programme because of these devices’ wider usage and impact on users if there was a security breach. 


    While voluntary, the labelling programme aimed to motivate manufacturers to develop more secure products, moving beyond designing such devices to optimise functionality and cost, the Cyber Security Agency of Singapore (CSA) had said. Consumers also would be able to identify products with better cybersecurity features.
    The initiative assesses and rates smart devices into four levels based on the number of asterisks, each indicating an additional tier of testing and assessment the product has gone through. Level one, for instance, indicates a product has met basic security requirements such as ensuring unique default passwords and providing software updates, while a level four product has undergone structured penetration tests by approved third-party test labs and fulfilled level three requirements.
    CSA on Thursday said it had expanded the labelling programme to encompass “all categories” of consumer IoT devices. It added that this would provide consumers with information of the level of security that had been built into these devices — something that was not made readily available by manufacturers. 
    The government agency noted that IoT devices were expected to see increased adoption over the next few years. With their short time-to-market and quick path to obsolescence, many of these consumer products were designed to optimise functionality and cost over security, CSA said. “As a result, many devices are being sold with poor cybersecurity provisions, with little to no security features built-in,” it said, adding that this posed security risks to users, whose privacy and data could be compromised. 
    Compromised IoT devices also could be used to form botnets, from which Distributed Denial of Service (DDoS) attacks could be launched to bring down online services, the government agency said. It pointed to the Mirai botnet attack in 2016, which was carried out via IoT devices such as home routers and IP cameras. 

    To drive adoption of the Cybersecurity Labelling Scheme amongst manufacturers here, CSA said application fees for the programme would be waived until October 6. 
    While this initiative remained voluntary, manufacturers of Wi-Fi home routers, however, soon would have to meet mandatory security requirements before putting their devices up for sale in Singapore. These would include unique login credentials and default automatic downloads of security patches. 
    Slated to kick in from April 13 this year, the new mandate was first announced last October with the aim to enhance the security of home routers, as these were popular targets of malicious hackers looking to breach home networks. Detailed under the Infocomm Media Development Authority’s (IMDA) Technical Specifications for Residential Gateways, Wi-Fi home routers that complied with these requirements would qualify for the first level of the Cybersecurity Labelling Scheme. 
    Home routers previously approved by IMDA would be permitted to remain on sale until October 12 this year. 

    Hacker leaks data of millions of Teespring users

    A hacker has leaked the details of millions of users registered on Teespring, a web portal that lets users create and sell custom-printed apparel.
    The user data was leaked last Sunday on a public forum dedicated to cybercrime and the sale of stolen databases.
    The Teespring data was made available as a 7zip archive that includes two SQL files. The first file contains a list of more than 8.2 million Teespring users’ email addresses and the date the email address was last updated.

    The second file includes account details for more than 4.6 million users.
    Details included in this second SQL file are a hashed version of the email address, usernames, real names, phone numbers, home addresses, and the Facebook and OpenID identifiers users used to log into their accounts.
    Other details related to a user’s Teespring online account are also included and are not believed to be sensitive.
    The good news is that not all accounts have this information filled in, so the impact on each Teespring user depends on how much of this data they provided to the company. Secondly, password data was not included; however, it is unclear whether the hackers gained access to passwords and simply chose not to release them.


    The hacker who leaked the data goes by the name of ShinyHunters, a threat actor that has leaked billions of user records from hundreds of companies.
    However, ShinyHunters is not believed to have been the person who breached Teespring.
    The company’s data was initially offered for sale on the same forum and via private Telegram channels in December 2020, before being leaked for free last week by ShinyHunters, in a common practice where data brokers sabotage each other’s sales.
    A request for comment sent to an email address previously used by ShinyHunters also remained unanswered.
    Teespring breach occurred via Waydev app
    A Teespring spokesperson told ZDNet the company was aware of the breach, which it disclosed on December 1, 2020. The company said the incident took place in June 2020 when a hacker managed to steal user data from its cloud infrastructure.
    “Teespring had previously evaluated a 3rd party service called Waydev which required access to some of our data. This access was implemented via a technology called OAuth,” the company said.
    “Unfortunately, Waydev retained the OAuth token for Teespring (and several other companies) which was accessed from Waydev without authorization by a third party. The token was then used to gain access to some of the Teespring infrastructure.”
    The Waydev incident is well known and was previously covered by ZDNet in July 2020.
    Teespring, founded in 2011, is currently ranked as one of the most popular 1,500 sites on the internet, on #1,410, according to the Alexa web traffic ranking.
    Updated at 12:30pm ET with comment from Teespring.

    Microsoft: This is how the sneaky SolarWinds hackers hid their onward attacks for so long

    It’s known that the hackers behind the SolarWinds supply chain attack were highly-skilled and patient. But now Microsoft’s security researchers have outlined some of the operational security (OpSec) techniques and anti-forensic tricks the hackers displayed, which allowed them to remain undetected for long enough — not just on government agency networks, but in the networks of the US’ top cybersecurity firms. 

    Microsoft and FireEye only detected the Sunburst or Solorigate malware in December, but Crowdstrike reported this month that another related piece of malware, Sunspot, was deployed in September 2019, at the time hackers breached SolarWinds’ internal network. Other related malware includes Teardrop aka Raindrop.
    Sunburst, a component of software called a dynamic link library (DLL), was injected into SolarWinds’s Orion infrastructure monitoring software to create a backdoor on networks that used Orion. Several of its payloads included custom loaders for the Cobalt Strike penetration testing kit. These loaders included Teardrop.
    “One missing link in the complex Solorigate attack chain is the handover from the Solorigate DLL backdoor to the Cobalt Strike loader,” Microsoft security researchers said in a new blogpost. 
    “Our investigations show that the attackers went out of their way to ensure that these two components are separated as much as possible to evade detection.”
    Based on SolarWinds’ recent disclosure that the attackers removed the Sunburst backdoor from SolarWinds’ software build environment in June 2020 after being distributed broadly to Orion customers in March 2020, Microsoft reckons the attackers – most likely Russian-backed – started “real hands-on-keyboard activity” as early as May. 

    Microsoft researchers also estimate that the attackers “spent a month or so in selecting victims and preparing unique Cobalt Strike implants as well as command-and-control (C2) infrastructure.”
    While the initial backdoor could have been on over 18,000 government agency and private sector networks, it was the “hands-on-keyboard” activity that led to the breach of valued targets, at which point the focus turned to lateral movement on the intended compromised networks. 


    Microsoft said it found the attackers put in “painstaking planning of every detail to avoid discovery”.
    The attackers also tried to separate the Cobalt Strike loader’s execution from the SolarWinds process “as much as possible” in order to protect the Cobalt Strike implant.
    “Their hope is that, even if they lose the Cobalt Strike implant due to detection, the compromised SolarWinds binary and the supply chain attack that preceded it are not exposed,” Microsoft explains. 
    Some of the OpSec methods used by the attackers included methodically avoiding shared indicators of compromise for each compromised host, and exercising an “extreme level of variance” to avoid setting off alarms. 
    “Each Cobalt Strike DLL implant was prepared to be unique per machine and avoided at any cost overlap and reuse of folder name, file name, export function names, C2 domain/IP, HTTP requests, timestamp, file metadata, config, and child process launched,” Microsoft explains.
    The attackers also renamed tools and binaries and put them in folders that looked like files and programs already present on a machine. 
    They even prepared special firewall rules to minimize outgoing packets for certain protocols and then removed the rules after finishing reconnaissance. 
    Microsoft’s report is unlikely to be the final report on how these attackers pulled off such an audacious hack. Investigations into the SolarWinds breach and the tools and techniques the attackers used are still ongoing. You can expect more reports from Microsoft, Crowdstrike, FireEye and other firms to shed more light on how the attackers operated, which will be useful for defending against future attacks.

    MrbMiner crypto-mining operation linked to Iranian software firm

    Cyber-security firm Sophos said it found evidence connecting the operators of the MrbMiner crypto-mining botnet to a small boutique software development company operating from the city of Shiraz, Iran.

    The MrbMiner botnet has been operational since the summer of 2020. It was first detailed in a Tencent Security report in September last year.
    Tencent said it saw MrbMiner launching brute-force attacks against Microsoft SQL Servers (MSSQL) databases to gain access to weakly secured administrator accounts.
    Once inside, the botnet would create a backdoor account with the Default/@fg125kjnhn987 credentials and download and install a cryptocurrency miner from domains such as mrbftp.xyz or mrbfile.xyz.
    In a report today, Sophos researchers said they analyzed this botnet’s modus operandi in more depth. They looked at the malware payloads, domain data, and server information and found several clues that led them back to a legitimate Iranian business.
    “When we see web domains that belong to a legitimate business implicated in an attack, it’s much more common that the attackers simply took advantage of a website to (temporarily, in most cases) use its web hosting capabilities to create a ‘dead drop’ where they can host the malware payload,” said Sophos researchers Andrew Brandt and Gabor Szappanos.
    “But in this case, the domain’s owner is implicated in spreading the malware.”

    Sophos said that multiple MrbMiner domains used to host the cryptominer payloads were hosted on the same server used to host vihansoft.ir, the website of a legitimate Iranian-based software development firm.
    Furthermore, the vihansoft.ir domain was also used as the command and control (C&C) server for the MrbMiner operation and was also seen hosting malicious payloads that were downloaded and deployed on hacked databases.
    One of the reasons the Iranian company did not bother covering its tracks better is its location. In recent years, Iranian cybercriminals have become brasher and more careless as they realize that the Iranian government won’t extradite its citizens to western governments.
    Notable Iranian-linked cybercrime operations seen in the past have included the likes of the SamSam and Pay2Key ransomware gangs and the Silent Librarian phishing group, just to name the most notable, although there are many other smaller operations [1, 2].
    Despite the Sophos report outing the MrbMiner group today, the botnet is expected to continue to operate with impunity.
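    As an added example (not from Sophos, Tencent or the article), the PowerShell below audits MSSQL instances for the footprint Tencent described: it lists any server login named Default, the backdoor account quoted above, together with any login created recently, and flags those holding sysadmin. It assumes the SqlServer module (Invoke-Sqlcmd) is installed, that the caller can connect with rights to read sys.server_principals, and that a 30-day lookback and an instances.txt file are reasonable local choices; connection encryption options are left at the module defaults.

```powershell
# Added example (not from the article): find the MrbMiner backdoor login and other
# recently created logins on MSSQL instances. Assumes the SqlServer module is installed.
# The 30-day window and the instances.txt file name are local assumptions.

$Query = @'
SELECT  p.name,
        p.type_desc,
        p.create_date,
        p.modify_date,
        IS_SRVROLEMEMBER('sysadmin', p.name) AS is_sysadmin
FROM    sys.server_principals AS p
WHERE   p.type IN ('S', 'U', 'G')                 -- SQL login, Windows login, Windows group
  AND   p.name NOT LIKE '##%'                    -- skip internal certificate-based logins
  AND  (p.name = 'Default'                       -- backdoor login named in the Tencent report
        OR p.create_date >= DATEADD(day, -30, GETDATE()))
ORDER BY p.create_date DESC;
'@

function Find-SuspiciousSqlLogins {
    param(
        [Parameter(Mandatory)] [string] $ServerInstance
    )
    $rows = Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $Query -ErrorAction Stop
    foreach ($r in $rows) {
        # Rank the finding: the known backdoor name first, then new sysadmin logins
        if ($r.name -eq 'Default')      { $reason = 'name matches MrbMiner backdoor login' }
        elseif ($r.is_sysadmin -eq 1)   { $reason = 'recently created login holding sysadmin' }
        else                            { $reason = 'recently created login (review)' }

        [pscustomobject]@{
            Server   = $ServerInstance
            Login    = $r.name
            Type     = $r.type_desc
            Created  = $r.create_date
            Modified = $r.modify_date
            SysAdmin = ($r.is_sysadmin -eq 1)
            Reason   = $reason
        }
    }
}

# Usage: one "host\instance" per line in instances.txt; failures are reported, not fatal.
Get-Content .\instances.txt | ForEach-Object {
    try   { Find-SuspiciousSqlLogins -ServerInstance $_ }
    catch { Write-Warning "$($_.TargetObject): $($_.Exception.Message)" }
} | Format-Table -AutoSize
```

A hit on the Default login is a strong indicator; for the other rows, confirm against change records before disabling anything, and check the host for the miner download domains named above.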