More stories

  •

    RangeForce gets backing from Cisco for plugging cyber security skills gap

    IT security teams need training and testing to be effective.
    RangeForce has raised $16 million from investors that included Cisco Systems, for its virtual reality cyber-security training platform derived from NATO cyber defense technologies that can emulate multiple security systems. The platform simulates attacks in real-time and teaches teams about older-but-still-effective attacks along with newer exploits.

    The Series A funding will be used to expand a salesforce targeting the enterprise IT sector. Businesses are under tremendous pressure to limit computer breaches because of new laws in Europe and the US, especially California. But there remains a constant shortage of computer security professionals with the right experience to counter modern exploits.
    “Companies can ensure that their security teams have the skills they need and have the experience, via our real-life simulation attacks, to know what to do and how to work together,” said Gordon Lawson, president and CRO of RangeForce. “There are some great security tools but they are not much use if the team doesn’t know how to use them. And there are well-known attacks that an experienced team would know how to respond to.”
    Lawson said that there are many known vulnerabilities such as SQL injection that continue to plague users and remain unpatched. Vendors often suffer from internal politics and pushback in efforts to fix troubled software. 
    RangeForce has created hundreds of what it calls real-world training modules, which simulate an actual security incident modeled around the tools and apps used by the business. There are many vendor-specific training modules such as for Splunk, Carbon Black, and Recorded Future. Cisco uses the platform to train its salespeople on its security tools.

    RangeForce has been growing very quickly and reported a 2,700% year over year increase in annual revenues. 
    “The evolving threat landscape continues to highlight one of the greatest challenges facing the global security industry today: the workforce-skills gap,” said Bret Hartman, vice president and CTO of Cisco’s Security Business Group.
    In addition to Cisco, Energy Impact Partners and Paladin Capital Group joined the Series A funding. 
    Lawson said that the funding was raised during the COVID-19 lockdown. Investors recognised the increased pressure the lockdown puts on enterprise security teams: IT departments must now protect a corporate workforce spread between the office and home, which widens the attack surface available to hackers.
    A recent report from SonicWall found that COVID-19 has created a “boon” for criminals. Common office document types such as Microsoft Office files have become heavily used vectors by criminals hoping that staff working from home will be distracted and click on the wrong links.

  •

    Kaspersky: North Korean hackers are behind the VHD ransomware

    Antivirus maker Kaspersky said in a report today that hackers associated with the North Korean regime are behind a new ransomware strain known as VHD.
    The report details two incidents to which Kaspersky was privy, where intruders gained access to companies’ networks and deployed the VHD ransomware.
    Kaspersky experts say that tools and techniques used during the two intrusions link the attackers to Lazarus Group — a generic name given to hackers working for the Pyongyang regime.
    This included:
    the use of the MATA (Dacls) malware framework to deploy VHD as a final payload
    the use of techniques to move across a victim’s internal network that were previously observed in past Lazarus campaigns
    “The data we have at our disposal tends to indicate that the VHD ransomware is not a commercial off-the-shelf product; and as far as we know, the Lazarus group is the sole owner of the MATA framework. Hence, we conclude that the VHD ransomware is also owned and operated by Lazarus,” Kaspersky researchers said today.
    Fits in the bigger picture

    What Kaspersky has discovered here fits in the bigger picture of the North Korean hacking landscape.
    Based on numerous previous reports published over the past four years, North Korean hackers are usually divided into two categories — (1) those who engage in cyber-espionage for intelligence purposes, and (2) those who engage in financial crime to raise funds for the Pyongyang government (which funds the US Treasury believes are used to support the country’s weapons and missile programs).
    The VHD attacks are, without a doubt, the work of the second group, which seeks to extort money from hacked organizations.
    Some of this group’s other money-raising activities included hacking banks, stealing funds from cryptocurrency exchanges, orchestrating ATM cashouts, running crypto-mining botnets, and even engaging in web skimming (Magecart) attacks to steal payment card data and resell it on carding forums.
    Other activities also include Lazarus hackers breaking into company networks, stealing data, and then asking victims for a ransom not to publish their data online.
    Seeing North Korean hackers engage in ransomware attacks is not surprising, since ransomware attacks are some of today’s most profitable cybercrime operations.
    It is not the hackers’ first foray into the scene. Western intelligence agencies have accused North Korea of creating and losing control of the WannaCry ransomware that spread virulently across the globe in May 2017.
    The difference between VHD and WannaCry is that VHD is better coded and that Lazarus operators appear to deploy it only sparingly, on the networks of high-profile companies from which they can demand huge ransoms to decrypt data, a tactic known today as “big game hunting.”

  •

    New Linux malware uses Dogecoin API to find C&C server addresses

    While Linux malware was once sitting on the fringes of the malware ecosystem, today, new Linux threats are being discovered on a weekly basis.
    The latest finding comes from Intezer Labs. In a report shared with ZDNet this week, the company analyzed Doki, a new backdoor trojan spotted as part of the arsenal of an old threat actor known for targeting web servers for crypto-mining purposes.
    The threat actor, known as Ngrok because of its initial penchant for using the Ngrok service to host command and control (C&C) servers, has been active since at least late 2018.
    Intezer Labs researchers say that in recent attacks carried out by the Ngrok group this year, the hackers have targeted Docker installations where the management API has been left exposed online.
    The hackers abused the Docker API to deploy new servers inside a company’s cloud infrastructure. The servers, running a version of Alpine Linux, were then infected with crypto-mining malware, but also Doki.

    How Doki uses Dogecoin API

    Researchers said Doki’s purpose was to allow hackers control over their newly-deployed Alpine Linux servers to make sure the crypto-mining operations were running as intended.
    However, while its purpose and use might look banal, under the hood, Intezer says, Doki differs from other similar backdoor trojans.
    The most obvious difference was how Doki determined the URL of the C&C server it needed to contact for new instructions.
    While some malware strains connect to raw IP addresses or hardcoded URLs included in their source code, Doki used a dynamic algorithm, a DGA (domain generation algorithm), that derives the C&C address from the Dogecoin blockchain via a public block explorer API.
    The process, as reverse-engineered by Intezer researchers, is detailed below:
    Query the dogechain.info API, a Dogecoin block explorer, for the value that was sent out (spent) from a hardcoded wallet address controlled by the attacker. The query format is: https://dogechain.info/api/v1/address/sent/{address}
    Compute SHA256 over the value returned under “sent”.
    Take the first 12 characters of the hex-string representation of the SHA256 value, to be used as the subdomain.
    Construct the full address by appending the subdomain to ddns.net. An example domain would be: 6d77335c4f23[.]ddns[.]net
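The four steps above, re-implemented as an added example; this is not Intezer's code and not the Doki sample's own code. The page does not say how the "sent" amount is encoded before hashing, so the example assumes it is hashed as the decimal string exactly as the JSON body carries it. The wallet address, the explorer reply and the DNS log lines are constructed so it runs offline, and it adds the defender-side use of the same public algorithm: flagging hostnames of the Doki shape (twelve lowercase hex characters directly under ddns.net) and precomputing every domain a known wallet's spend history could have produced.

```python
"""Doki C&C domain derivation, re-implemented from the four steps above.

Added example: not Intezer's code and not the Doki sample's own code.
Assumption (the page does not say): the "sent" amount is hashed as the
decimal string exactly as the JSON body carries it. The wallet address,
the explorer reply and the DNS log below are constructed.
"""
import hashlib
import json
import re

DDNS_SUFFIX = "ddns.net"

# Constructed stand-ins; the real dogechain.info API is never contacted here.
SAMPLE_WALLET = "DExampleWalletAddressNotReal0000000"
SAMPLE_RESPONSE = '{"success": 1, "sent": "120874612.47534017"}'
SAMPLE_DNS_LOG = [
    "client=10.0.3.7 query=www.example.com",
    "client=10.0.3.7 query=6d77335c4f23.ddns.net",   # shape quoted in the article
    "client=10.0.3.9 query=backup.ddns.net",
]


def query_url(address: str) -> str:
    """Step 1: the explorer endpoint the backdoor is reported to request."""
    return f"https://dogechain.info/api/v1/address/sent/{address}"


def parse_sent(body: str) -> str:
    """Pull the 'sent' field out of the explorer's JSON reply."""
    data = json.loads(body)
    if "sent" not in data:
        raise ValueError("explorer reply has no 'sent' field")
    return str(data["sent"])


def subdomain_for(sent: str) -> str:
    """Steps 2 and 3: SHA-256 of the amount, first 12 hex characters."""
    return hashlib.sha256(sent.encode("utf-8")).hexdigest()[:12]


def c2_domain(sent: str) -> str:
    """Step 4: append the dynamic-DNS suffix."""
    return f"{subdomain_for(sent)}.{DDNS_SUFFIX}"


def derive_from_response(body: str) -> str:
    """Whole chain from explorer reply to C&C hostname."""
    return c2_domain(parse_sent(body))


# Defender side: the algorithm is public, so the same code is a hunting aid.
DOKI_SHAPE = re.compile(r"^[0-9a-f]{12}\." + re.escape(DDNS_SUFFIX) + r"$")


def looks_like_doki_c2(hostname: str) -> bool:
    """12 lowercase hex characters directly under ddns.net. A heuristic:
    it yields leads, not verdicts, since benign hosts can use such names."""
    return bool(DOKI_SHAPE.match(hostname.strip().lower()))


def candidate_domains(sent_history) -> set:
    """Every hostname a wallet's spend history could have produced, for
    retro-hunting in DNS logs once the attacker's wallet is known."""
    return {c2_domain(str(amount)) for amount in sent_history}


def hunt(log_lines) -> list:
    """Return the log lines whose queried name has the Doki shape."""
    hits = []
    for line in log_lines:
        name = line.split("query=", 1)[1] if "query=" in line else ""
        if looks_like_doki_c2(name):
            hits.append(line)
    return hits


if __name__ == "__main__":
    print(query_url(SAMPLE_WALLET))
    print(derive_from_response(SAMPLE_RESPONSE))
    print(hunt(SAMPLE_DNS_LOG))
```

Because the explorer value is the only input, anyone who knows the wallet address can reproduce the attacker's next domain from the same public data; that is what makes the scheme resilient to a single ddns.net takedown and, equally, what lets a defender watch the wallet and block the derived hostname before the operators register it.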
    What all the steps above mean is that the Doki creators, the Ngrok gang, can change the server where Doki gets its commands by making one single transaction from within a Dogecoin wallet they control.
    If DynDNS (ddns.net) receives an abuse report about the current Doki C&C URL and takes it down, the Ngrok gang only has to make a new transaction, determine the subdomain value, and set up a new DynDNS account and grab the subdomain.
    This mechanism, clever as it is, is also an effective way of preventing law enforcement from taking down the Doki backend infrastructure, as they would need to take control of the Ngrok gang’s Dogecoin wallet, something that is impossible without the wallet’s private key.
    Intezer says that based on samples submitted to the VirusTotal web scanner, Doki appears to have been around since January this year. However, Intezer also points out that despite being around for more than six months, the malware has remained undetected on most of today’s VirusTotal Linux scanning engines.
    Increase in attacks targeting Docker instances
    Furthermore, while the Doki malware C&C mechanism is something clever and novel, the real threat here is the constant attacks on Docker servers.
    Over the last several months, Docker servers have been increasingly targeted by malware operators, and especially by crypto-mining gangs.
    Just over the last month, cyber-security firms have detailed several different crypto-mining campaigns that targeted misconfigured Docker APIs to deploy new Linux servers where they run crypto-mining malware to make a profit using the victim’s infrastructure.
    This includes reports from Palo Alto Networks, and two reports from Aqua [1, 2]. Furthermore, cyber-security firm Trend Micro also reported on a series of attacks where hackers targeted Docker servers to install DDoS malware, a rare case where hackers haven’t opted for a crypto-mining payload.
    All in all, the conclusion here is that companies running Docker in the cloud need to make sure the daemon’s management API is not exposed to the internet: a small misconfiguration that lets any third party control their Docker install.
    In its report, Intezer specifically mentions this issue, warning that the Ngrok gang was so aggressive and persistent in its scanning and attacks that it usually deployed its malware within hours of a Docker server becoming exposed online.
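To make the misconfiguration concrete, an added example (not from Intezer's report or any vendor's code) that audits how a dockerd instance listens. The -H/--host flag and the daemon.json keys hosts, tls, tlsverify, tlscacert, tlscert and tlskey are real dockerd settings; the two sample configurations are constructed, with the weak one (plain TCP on 2375, no authentication) beside a hardened one (TLS port 2376 with client certificate verification).

```python
"""Audit of how a Docker daemon listens, added here as an example; it is
not from Intezer's report or any vendor's code. The -H/--host flag and the
daemon.json keys hosts, tls, tlsverify, tlscacert, tlscert, tlskey are real
dockerd settings; the two sample configurations are constructed.
"""
import json
import shlex

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
EXPOSED = "API reachable over TCP with no authentication"
NO_CLIENT_AUTH = "TLS on but clients are not verified (tlsverify missing)"

# Constructed: the misconfiguration the Ngrok group scans for ...
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
# ... and the corrected form: TLS port, client certificates required.
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""


def hosts_from_cmdline(cmdline: str) -> list:
    """Collect every -H / --host value from a dockerd command line."""
    argv = shlex.split(cmdline)
    hosts, i = [], 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 1
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg.startswith("-H") and len(arg) > 2:
            hosts.append(arg[2:])
        i += 1
    return hosts


def bind_address(tcp_host: str) -> str:
    """'tcp://[::1]:2375' -> '::1', 'tcp://0.0.0.0:2375' -> '0.0.0.0'."""
    rest = tcp_host[len("tcp://"):]
    if rest.startswith("["):                  # bracketed IPv6 literal
        return rest[1:rest.index("]")]
    return rest.rsplit(":", 1)[0] if ":" in rest else rest


def audit(hosts: list, tls: bool, tlsverify: bool) -> list:
    """One finding per TCP listener that anyone who can reach it can drive."""
    findings = []
    for host in hosts:
        if not host.startswith("tcp://"):
            continue                          # unix:// and fd:// are local only
        if bind_address(host) in LOOPBACK:
            continue                          # not reachable from the network
        if tlsverify:
            continue                          # clients must present a CA-signed cert
        findings.append(f"{host}: {NO_CLIENT_AUTH if tls else EXPOSED}")
    return findings


def audit_daemon_json(text: str) -> list:
    """Audit a daemon.json document."""
    cfg = json.loads(text)
    return audit(cfg.get("hosts", []), bool(cfg.get("tls")), bool(cfg.get("tlsverify")))


def audit_cmdline(cmdline: str) -> list:
    """Audit a dockerd command line as found in a process listing."""
    argv = shlex.split(cmdline)
    tls = "--tls" in argv or "--tls=true" in argv
    tlsverify = "--tlsverify" in argv or "--tlsverify=true" in argv
    return audit(hosts_from_cmdline(cmdline), tls, tlsverify)


if __name__ == "__main__":
    print("weak:", audit_daemon_json(WEAK_DAEMON_JSON))
    print("hardened:", audit_daemon_json(HARDENED_DAEMON_JSON))
    print("cmdline:", audit_cmdline("dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"))
```

Note that "tls" alone only encrypts the channel; without "tlsverify" the daemon still accepts any client, which is why the audit treats it as a separate, still-serious finding rather than as fixed.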

  •

    The UK's cybersecurity agency is getting a new boss

    The National Cyber Security Centre (NCSC) – the cybersecurity arm of the UK’s GCHQ intelligence service – has announced that Lindy Cameron will take over as its new CEO.
    Cameron’s role as CEO of the NCSC will include overseeing the response to hundreds of cybersecurity incidents, as well as boosting the resilience of the UK’s critical national infrastructure to hacking and cyberattacks. She’ll be responsible for identifying risks of emerging technologies and continuing the NCSC’s response to coronavirus – and the ways hackers have tried to exploit it.


    Cameron joins the NCSC from the Northern Ireland Office, where she currently serves as director general. Previously, she was director general for the Department for International Development’s programmes in Africa, Asia and the Middle East, overseeing a budget of £4bn and offices in over thirty countries.
    She also has experience across government, both at home and overseas, including posts in conflict zones such as Iraq and Afghanistan. 

    “Over the past four years, the NCSC has transformed the UK’s approach to cybersecurity and set a benchmark for other countries to follow. I am delighted to join the NCSC and relish the opportunity to take this world-leading organisation to the next level,” said Cameron.
    She’ll formally start the role in October, taking over the position from Ciaran Martin, who was appointed GCHQ board member for cybersecurity in 2013 and oversaw the setup of the NCSC in 2016. He’ll remain CEO until 31 August and aid with a handover period through to October.
    Martin is set to join the University of Oxford as professor of practice in public management, based at the Blavatnik School of Government.

  •

    CISA says 62,000 QNAP NAS devices have been infected with the QSnatch malware

    Cyber-security agencies from the UK and the US have published today a joint security alert about QSnatch, a strain of malware that has been infecting network-attached storage (NAS) devices from Taiwanese device maker QNAP.
    In alerts [1, 2] by the United States Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC), the two agencies say that attacks with the QSnatch malware have been traced back to 2014, but attacks intensified over the last year when the number of reported infections grew from 7,000 devices in October 2019 to more than 62,000 in mid-June 2020.
    Of these, CISA and the NCSC say that approximately 7,600 of the infected devices are located in the US, and around 3,900 in the UK.

    “The first campaign likely began in early 2014 and continued until mid-2017, while the second started in late 2018 and was still active in late 2019,” the two agencies say.
    QSnatch malware has exfiltration capabilities
    CISA and the NCSC say that the two campaigns used different versions of the QSnatch malware (also tracked under the name of Derek).

    The joint alert focuses on the latest version, used in the most recent campaign. According to the joint alert, this new QSnatch version comes with an enhanced and broad set of features that includes functionality for modules such as:
    CGI password logger – This installs a fake version of the device admin login page, logging successful authentications and passing them to the legitimate login page.
    Credential scraper
    SSH backdoor – This allows the cyber actor to execute arbitrary code on a device.
    Exfiltration – When run, QSnatch steals a predetermined list of files, which includes system configurations and log files. These are encrypted with the actor’s public key and sent to their infrastructure over HTTPS.
    Webshell functionality for remote access
    However, while CISA and NCSC experts managed to analyze the current version of the QSnatch malware, they say that one mystery has still eluded them: namely, how the malware initially infects devices.
    Attackers could be exploiting vulnerabilities in the QNAP firmware or they could be using default passwords for the admin account — however, none of this could be verified beyond a doubt.
    But once the attackers gain a foothold, CISA and the NCSC say the QSnatch malware is injected into the firmware, from where it takes full control of the device and then blocks future updates to the firmware to survive on the victim NAS.
    CISA and NCSC urge companies to patch QNAP NAS devices
    The joint alert says that the QSnatch group’s server infrastructure that was used in the second series of attacks is now down, but that QSnatch infections still remain active around the internet, on infected devices.
    The two agencies are now urging companies and home users who use QNAP devices to follow remediation and mitigation steps listed in the Taiwanese vendor’s support page to get rid of QSnatch and prevent future infections.
    Failing to remove the malware equates to allowing hackers a backdoor into company networks and direct access to NAS devices, many of which are used to store backups or sensitive files.

  •

    Garmin begins to restore Garmin Connect features, services, says customer data not impacted

    Garmin has started to bring its Garmin Connect software back online after a ransomware attack shelved the system since late Wednesday, July 22. The company also said that customer data hasn’t been impacted and that its cyberattack occurred July 23. 

    In a statement Monday, July 27, Garmin said: “We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen.” Garmin did say that its systems were encrypted, which indicates a ransomware attack. 
    As of Monday morning, Garmin said that Garmin Connect has returned with limited functionality. Simply put, Garmin has had a rough week. Here’s the timeline:
    Specifically, Garmin Connect can now display activity details and uploads, register devices, show the dashboard, and produce reports and segments. The company noted on its status page:

    We are happy to report that Garmin Connect recovery is underway. We’d like to thank you for your understanding and patience as we restore normal operations.  

    Garmin has also started sketching out its FAQ. Regarding customer data, Garmin said:

    Garmin Ltd. was the victim of a cyber attack that encrypted some of our systems on July 23, 2020. As a result, many of our online services were interrupted including website functions, customer support, customer facing applications, and company communications. We immediately began to assess the nature of the attack and started remediation.
    We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen. Additionally, the functionality of Garmin products was not affected, other than the ability to access online services. Affected systems are being restored and we expect to return to normal operation over the next few days.

    Limited functionality remains for daily summaries, courses, Garmin Coach, third party sync, and Strava. On Strava, Strava Beacon integration is working, but segments, routes, and uploaded activities are being queued to sync.
    Garmin also said Garmin Golf and Garmin Dive are online with LiveTrack. Vivofit Jr. is limited with delayed stats.
    There are still a few unknowns about the Garmin incident, and the FAQ provided doesn’t add much detail about the attack or the processes to prevent another one in the future. With any luck, Garmin will publish a detailed post mortem at a later date. Garmin reports earnings on Wednesday.