More stories


    Over 50 Aussie MPs form group aimed at holding social media companies accountable

    Over 50 Australian MPs have joined a new parliamentary group that aims to hold technology giants accountable for the information they allow on their platforms.
    The Parliamentary Friends of Making Social Media Safe group is explained as providing a non-partisan forum for MPs to meet and highlight the environment of social media and the risks associated.
    The group will also consider how platforms can be held accountable for the material published on their sites, and what policy measures can be considered by governments to keep social media platforms safe.
    One member of the group is Science Minister Karen Andrews, who called it an avenue for “starting the conversation”. Speaking on 3AW on Tuesday morning, Andrews said one of the first items on the group’s agenda is to look at what the issues are, and how best to prosecute that.
    Pointing to the permanent suspension of soon-to-be former United States President Donald Trump from Twitter, Andrews said there was a “whole range of questions” stemming from the ban, such as the consistency and fairness of various rules across social media sites.
    “There have been many instances of comments that have been taken down from various platforms, but yet in some instances, these platforms are very quick to act when it seems as if the subject content is something that they don’t personally agree with,” she said. “That is unfair, it is inconsistent, and it lacks the transparency that we are looking for.”

    The minister was asked if she believes there were double standards, given the amount of “disgusting” content still proliferating on social media sites, despite Trump’s ban.
    “That is the absolute lack of transparency and the subjectivity that I am most concerned about. There needs to be fairness, it needs to be very clear that these rules are being applied in a consistent manner. And it’s pretty obvious that at the moment they’re not,” Andrews said in response.
    Former Opposition Leader Bill Shorten, meanwhile, said for all its blessings, the internet also has an underbelly, likening it to a “sewer”.
    “The internet has proven to be a magnet to draw together idiots and conspiracists who otherwise would never meet each other,” he said Tuesday morning.
    “I mean, it may be the one favour Donald Trump’s done the world is getting himself banned on Twitter, because if Twitter can do it to him, then maybe some of the inflammatory comments that get said about our kids or about people in daily life, maybe we can just — you know, you’re free to speak, but you’ve got to face the consequences of it.”
    Also a member of the group is Shadow Assistant Minister for Treasury Andrew Leigh, who echoed remarks made by ALP’s acting communications spokesperson Tim Watts, saying the social media companies have self-regulatory policies which are “pretty much” in accord with Australia’s democratic norms.
    “You don’t incite violence, you don’t spread hate speech, you don’t spread dangerous medical misinformation,” he said.
    “But it is appropriate that over time we also look at the way in which these platforms have chosen to make their decisions of banning particular people.”
    Leigh said in Trump’s case, he unequivocally thinks Twitter made the right call.
    “If you’re inciting violence, you shouldn’t be on one of these platforms,” he said.
    The shadow minister pointed to remarks made by two Coalition MPs he said were spreading dangerous misinformation during a pandemic. One of the MPs, Michael McCormack, who is currently acting prime minister while Scott Morrison takes leave, was called on by Leigh to “stand up for sensible science”.
    McCormack said he supported free speech and did not believe in the type of censorship demonstrated in the United States. The acting prime minister on Monday compared the 2020 Black Lives Matter protests to the riot on the Capitol, with the ABC quoting him as saying “any form of violence” should be condemned.  
    McCormack on Tuesday also declared “all lives matter” during a press conference. He also said most of what his colleagues have said is true and that people on Twitter need to “toughen up”. 
    The parliamentary group was stood up by Labor MP Sharon Claydon and Nationals MP Anne Webster.
    Webster’s family was last year awarded an AU$875,000 defamation payout from a woman who used Facebook to make “disgraceful and inexplicable” posts about the Victorian MP.


    Third malware strain discovered in SolarWinds supply chain attack

    Cyber-security firm CrowdStrike, one of the companies directly involved in investigating the SolarWinds supply chain attack, said today it identified a third malware strain directly involved in the recent hack.
    Named Sunspot, this finding adds to the previously discovered Sunburst (Solorigate) and Teardrop malware strains.
    But while Sunspot is the latest discovery in the SolarWinds hack, CrowdStrike said the malware was actually the first one used.
    Sunspot malware ran on SolarWinds’ build server
    In a report published today, CrowdStrike said that Sunspot was deployed in September 2019, when hackers first breached SolarWinds’ internal network.
    The Sunspot malware was installed on SolarWinds’ build server, the system developers use to assemble smaller components into larger software applications.
    CrowdStrike said Sunspot had one singular purpose — namely, to watch the build server for build commands that assembled Orion, one of SolarWinds’ top products, an IT resources monitoring platform used by more than 33,000 customers across the globe.
    Once a build command was detected, the malware would silently replace source code files inside the Orion app with files that loaded the Sunburst malware, resulting in Orion app versions that also installed the Sunburst malware.
    Timeline of the SolarWinds supply chain attack

    These trojanized Orion clients eventually made their way onto SolarWinds’ official update servers and were installed on the networks of the company’s many customers.
    Once this happened, the Sunburst malware would activate inside internal networks of companies and government agencies, where it would collect data on its victims and then send the information back to the SolarWinds hackers (see this Symantec report about how data was sent back via DNS request).
    Threat actors would then decide if a victim was important enough to compromise and would deploy the more powerful Teardrop backdoor trojan on these systems while, at the same time, instruct Sunburst to delete itself from networks it deemed insignificant or too high risk.
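    The substitution described above happens between source checkout and compilation, so one build-side control is to hash the checked-out tree and re-verify it immediately before the compile step. The following is an added example in Python, not code from SolarWinds or CrowdStrike; the source tree and the swapped-in file are constructed for the demonstration.

```python
# Added example (not SolarWinds' or CrowdStrike's code): snapshot a source tree
# right after checkout and re-verify it before compiling, so a file replaced or
# added in between (the pattern the Sunspot report describes) fails the build.
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def verify_tree(root, expected):
    """Compare the tree on disk against a manifest; return sorted (kind, path) findings."""
    current = hash_tree(root)
    findings = []
    for path, digest in expected.items():
        if path not in current:
            findings.append(("removed", path))
        elif current[path] != digest:
            findings.append(("modified", path))
    for path in current:
        if path not in expected:
            findings.append(("added", path))
    return sorted(findings)


def demo():
    """Constructed scenario: clean checkout, then one source file swapped before compile."""
    with tempfile.TemporaryDirectory() as root:
        src = os.path.join(root, "src")
        os.makedirs(src)
        with open(os.path.join(src, "Main.cs"), "w") as fh:
            fh.write("class Main { static void Run() {} }\n")
        with open(os.path.join(src, "Util.cs"), "w") as fh:
            fh.write("class Util {}\n")
        manifest = hash_tree(root)            # taken immediately after checkout
        clean = verify_tree(root, manifest)   # nothing has changed yet -> []
        # Simulate a build-time substitution: one file rewritten, one file added.
        with open(os.path.join(src, "Main.cs"), "w") as fh:
            fh.write("class Main { static void Run() { Loader.Start(); } }\n")
        with open(os.path.join(src, "Loader.cs"), "w") as fh:
            fh.write("class Loader { public static void Start() {} }\n")
        tampered = verify_tree(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean checkout:", before)
    print("before compile:", after)
```

A real pipeline would store the manifest outside the build host (for example, signed alongside the commit) so that an intruder on the build server cannot simply regenerate it.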
    The discovery of a third malware strain is only one of three major updates about this incident that came to light today.
    In a separate announcement published on its blog, SolarWinds also published a timeline of the hack. The Texas-based software provider said that before the Sunburst malware was deployed to customers between March and June 2020, hackers also executed a test run between September and November 2019.
    “The subsequent October 2019 version of the Orion Platform release appears to have contained modifications designed to test the perpetrators’ ability to insert code into our builds,” SolarWinds CEO Sudhakar Ramakrishna said today, in an assessment also echoed by the CrowdStrike report.

    Image: SolarWinds
    Code overlap with Turla malware
    On top of this, security firm Kaspersky also published its own findings earlier in the day in a separate report.
    Kaspersky, which was not part of the formal investigation of the SolarWinds attack but still analyzed the malware, said that it looked into the Sunburst malware source code and found code overlaps between Sunburst and Kazuar, a strain of malware linked to the Turla group, Russia’s most sophisticated state-sponsored cyber-espionage outfit.
    Kaspersky was very careful in its language today to point out that it found only “code overlaps” but not necessarily that it believes that the Turla group orchestrated the SolarWinds attack.
    The security firm claimed this code overlap could be the result of the SolarWinds hackers using the same coding ideas, buying malware from the same coder, coders moving across different threat actors, or could simply be a false flag operation meant to lead security firms on the wrong path.

    Through further analysis, it is possible that evidence enforcing one or several of these points might arise. To clarify – we are NOT saying that DarkHalo / UNC2452, the group using Sunburst, and Kazuar or Turla are the same.
    — Costin Raiu (@craiu) January 11, 2021

    But while security firms have stayed away from attribution, last week, US government officials formally blamed the SolarWinds hack on Russia, describing the hackers as “likely Russian in origin.”
    The US government’s statement did not pin the hack on a specific group. Some news outlets pinned the attack on a group known as APT29 (or Cozy Bear), but all the security firms and security researchers involved in the hack have pleaded for caution and have been very timid about formally attributing the hack to a specific group so early in the investigation.
    Right now, the SolarWinds hackers are tracked under different names, such as UNC2452 (FireEye, Microsoft), DarkHalo (Volexity), and StellarParticle (CrowdStrike), but this designation is expected to change once companies learn more.
    One last mystery remains: how did the SolarWinds hackers manage to breach the company’s network in the first place and install the Sunspot malware? Was it an unpatched VPN, an email spear-phishing attack, or a server left exposed online with a guessable password?



    Reserve Bank of New Zealand investigates illegal access of third-party system

    The Reserve Bank of New Zealand — Te Pūtea Matua — on Monday said it was still responding “with urgency” to an illegal breach of one of its systems.
    The breach was of a third-party file sharing service provided by California-based Accellion. The bank uses its FTA file transfer product to share information with external stakeholders.
    While the system has been secured and taken offline, and the breach described as contained, the Reserve Bank said it would take some time to determine the impact, with an analysis of the potentially affected information underway.
    The bank is still looking to confirm the nature and extent of information that has been potentially accessed. It said compromised data may include some commercially and personally sensitive information.
    The bank said it is communicating with system users about alternative ways to securely share data.
    “We are actively working with domestic and international cybersecurity experts and other relevant authorities as part of our investigation. This includes the GCSB’s National Cyber Security Centre which has been notified and is providing guidance and advice,” Governor Adrian Orr said.
    “We have been advised by the third party provider that this wasn’t a specific attack on the Reserve Bank, and other users of the file sharing application were also compromised.”

    Orr said providing further details could adversely affect the investigation and the steps being taken to mitigate the breach.
    “We recognise the public interest in this incident however we are not in a position to provide further details at this time,” he said.
    The Reserve Bank disclosed the breach on Sunday.
    Across the ditch in Australia, it was reported last week that private details of every Tasmanian who has called an ambulance since November last year were published online by a third party. The ABC said the list, which appeared to be a feed from Ambulance Tasmania’s paging system — since taken offline — was still updating each time paramedics were dispatched.
    The data included the addresses of patients, their condition, HIV status, age, and gender. 
    Reports indicate a police investigation and an internal review by the Tasmanian Department of Health are underway.


    Ubiquiti tells customers to change passwords after security breach

    Image: Ubiquiti Networks
    Networking equipment and IoT device vendor Ubiquiti Networks has sent out today notification emails to its customers informing them of a recent security breach.

    “We recently became aware of unauthorized access to certain of our information technology systems hosted by a third party cloud provider,” Ubiquiti said in emails today.
    The servers stored information pertaining to user profiles for account.ui.com, a web portal that Ubiquiti makes available to customers who bought one of its products.
    The site is used to manage devices from a remote location and as a help and support portal.
    According to Ubiquiti, the intruder accessed servers that stored data on UI.com users, such as names, email addresses, and salted and hashed passwords.
    Home addresses and phone numbers may have also been exposed, but only if users decided to configure this information into the portal.
    How many Ubiquiti users are impacted and how the data breach occurred remains a mystery.

    It is currently unclear if the “unauthorized access” took place when a security researcher found the exposed data or was due to a malicious threat actor.
    A Ubiquiti spokesperson did not immediately return a request for comment sent before this article’s publication.
    Despite the bad news to its customers, Ubiquiti said that it had not seen any unauthorized access to customer accounts as a result of this incident.
    The company is now asking all users who receive the email to change their account passwords and turn on two-factor authentication.
    While some users initially dismissed the emails as a phishing attempt, a Ubiquiti tech support staffer confirmed on the company’s forums that they were authentic.
    A full copy of the email is available below, as shared today on social media.

    Image: Dangal Son


    CES 2021: Intel adds ransomware detection capabilities at the silicon level

    Intel Server GPU
    Image: Intel
    At the 2021 Consumer Electronics Show today, Intel announced it is adding ransomware detection capabilities to its new 11th Gen Core vPro processors through improvements to its Hardware Shield and Threat Detection Technology (TDT).

    A partnership with Boston-based Cybereason was also announced, with the security firm expected to add support for these new features to its security software in the first half of 2021.
    Both companies said that this would mark the first-ever case where “PC hardware plays a direct role” in detecting ransomware attacks.
    How it will all work
    Under the hood, all of this is possible via two Intel features, namely Hardware Shield and Intel Threat Detection Technology (TDT). Both are part of Intel vPro, a collection of enterprise-centered technologies that Intel ships with some of its processors.
    Hardware Shield is a technology that locks down the UEFI/BIOS; TDT is a technology that uses CPU telemetry to detect possibly malicious code.
    Both of these technologies work on the CPU directly, many layers beneath software, whether that software is malware or an antivirus product. The idea behind Intel’s new features is to share some of the CPU’s telemetry with security software and allow it to spot malware that may be hiding in places where antivirus apps can’t reach.
    “Intel TDT uses a combination of CPU telemetry and ML heuristics to detect attack-behavior,” Intel said in a press release today. “It detects ransomware and other threats that leave a footprint on Intel CPU performance monitoring unit (PMU).”

    “The Intel PMU sits beneath applications, the OS, and virtualization layers on the system and delivers a more accurate representation of active threats, system-wide,” it added. “As threats are detected in real-time, Intel TDT sends a high-fidelity signal that can trigger remediation workflows in the security vendor’s code.”
    According to Intel and Cybereason, this new technology should allow companies to detect ransomware attacks when ransomware strains try to avoid detection by hiding inside virtual machines, since Hardware Shield and TDT run many layers below it.

    Image: Intel
    Available with 11th Gen Core vPro processors
    “Ransomware was a top security threat in 2020, software alone is not enough to protect against ongoing threats,” said Stephanie Hallford, Client Computing Group Vice President and General Manager of Business Client Platforms at Intel.
    “Our new 11th Gen Core vPro mobile platform provides the industry’s first silicon enabled threat detection capability, delivering the much needed hardware based protection against these types of attacks,” the Intel exec added.
    “Together with Cybereason’s multi-layered protection, businesses will have full-stack visibility from CPU telemetry to help prevent ransomware from evading traditional signature-based defenses.”
    To use the new feature, systems administrators only have to use security software that supports it. No changes are required to CPUs because, while most vPro features are optional, Intel has recently made Hardware Shield mandatory for all new CPUs starting with its 10th Gen release.
    While Cybereason will be the first to support detecting ransomware using hardware indicators, other security vendors will most likely tap into it in the future.
    Today’s news follows several years of heavy investment by Intel in security. In June 2020, Intel also announced it was adding its new Control-flow Enforcement Technology (CET) to CPUs, a feature it said could help protect systems against malware that uses Return Oriented Programming (ROP), Jump Oriented Programming (JOP), and Call Oriented Programming (COP) techniques to infect devices and hijack apps.


    Accenture buys Brazilian security firm Real Protect

    Accenture announced it has acquired Real Protect, a Brazilian provider of managed cybersecurity and security services (MSS) for an undisclosed sum.
    The Rio de Janeiro-headquartered firm’s threat monitoring and the ability to detect and respond to incidents are expected to complement Accenture’s offerings in information security.
    Daniel Lemos, chief executive at Real Protect, will lead Accenture’s Managed Security Services practice in Latin America.

    “We are going to extend [Accenture’s] MSS capabilities, bringing the success we have had to date to add even more value to customers”, said Lemos.
    According to research from Accenture, Brazil is a cybercrime epicenter and the firm estimates that security threats could cost companies around the world more than US$100 billion in revenue losses by 2023.
    Real Protect was the first company in Latin America to receive certification from MSP Alliance, an association and certification body for professionals in cloud computing and managed services.
    Real Protect’s approximately 90 cybersecurity professionals provide services to companies in the healthcare, energy, financial services, oil and gas sectors. The team will join the team of 7,000 Accenture Security professionals worldwide.

    The acquisition of Real Protect follows Accenture’s buyout of Brazilian technology firm Organize Cloud Labs in August 2020 as part of a move to strengthen its cloud growth strategy.


    Microsoft Sysmon adds support for detecting Process Herpaderping attacks

    Image: ZDNet
    Microsoft has released a new version of the Sysinternals package and updated the Sysmon utility with the ability to detect Process Herpaderping and Process Hollowing attacks.

    Sysinternals is a collection of apps designed to help system administrators debug Windows computers or help security researchers track down and investigate malware attacks.
    The Sysinternals package comes with more than 160 different apps, each useful for a particular task.
    One of the most widely used Sysinternals apps is called Sysmon, or System Monitor, which works by logging system-level events (process creations, network connections, and changes to file creation time) to the Windows event log.
    Over the years, the tool has become a must-have for security researchers, whether they’re involved in defending networks or performing digital forensics and incident response (DFIR) operations. This is because Sysmon allows them to record in-depth logs and then trace the roots of malicious attacks to specific processes and apps.
    With today’s release of Sysmon 13.00, Microsoft says that the Sysmon app can now detect and log when malware tampers with a legitimate process.
    When this happens, the Sysmon utility will create an alert in the Windows event log with the “EventID 25” identifier. System administrators and security researchers can then scan for this ID and detect what process a malware attack tried to modify.

    Image: Olaf Hartong

    Microsoft says that under the hood, the new Sysmon EventID 25 triggers “when the mapped image of a process doesn’t match the on-disk image file, or the image file is locked for exclusive access.”
    Both of these types of behaviors are usually the indicators of two attacks, one known as Process Herpaderping and the other known as Process Hollowing.
    Process Herpaderping is a relatively new technique that was first detailed last year. It describes a method malware can use to hide the intentions of a process by modifying the executable’s content on disk after the image has been mapped into memory, so that security software inspecting the file on disk sees benign content and deems the process safe.
    Process Hollowing is an older technique with a similar effect, in which malware starts a legitimate application’s process in a suspended state, “hollows” out its content, and then injects its own malicious code to be executed from within the trusted process.
    While other tools in the Sysinternals package have been used in previous years to detect process hollowing attacks, this marks the first time that support has been added for detecting the newer Process Herpaderping technique, which many security researchers expect to see used in the wild in the coming years.
    Previews of both Sysmon EventID 25 warnings are available below from Mark Russinovich, one of the Sysinternals co-creators, who previewed them last year on Twitter. A deep dive into the new Sysmon 13.00 release and its support for detecting Process Herpaderping and Process Hollowing attacks is available here, from security researcher Olaf Hartong.
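    To show what a defender actually consumes from this feature, here is an added example in Python (not code from Microsoft or Sysinternals) that parses Sysmon events exported as XML, keeps only Event ID 25 records, and reports the image and the tampering condition for each. The events are constructed for the demonstration; the field names follow Sysmon’s EventData layout, and the “Type” strings are assumed sample values for the two conditions the article quotes.

```python
# Added example (not Microsoft's or Sysinternals' code): pull Sysmon Event ID 25
# (process tampering) records out of exported event XML. The events below are
# constructed samples; "Type" values are assumed wording for the two conditions
# the article describes (mapped image mismatch, file locked for exclusive access).
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="UtcTime">2021-01-11 09:58:02.100</Data>
    <Data Name="ProcessGuid">{aaaaaaaa-0001-0000-0000-000000000001}</Data>
    <Data Name="ProcessId">1337</Data>
    <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>25</EventID></System>
  <EventData>
    <Data Name="UtcTime">2021-01-11 09:58:03.250</Data>
    <Data Name="ProcessGuid">{aaaaaaaa-0001-0000-0000-000000000002}</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="Image">C:\Users\demo\Downloads\installer.exe</Data>
    <Data Name="Type">Image is replaced</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>25</EventID></System>
  <EventData>
    <Data Name="UtcTime">2021-01-11 09:58:04.900</Data>
    <Data Name="ProcessGuid">{aaaaaaaa-0001-0000-0000-000000000003}</Data>
    <Data Name="ProcessId">5150</Data>
    <Data Name="Image">C:\Users\demo\AppData\Local\Temp\update.exe</Data>
    <Data Name="Type">Image is locked for access</Data>
  </EventData>
</Event>
</Events>"""


def parse_sysmon_events(xml_text):
    """Return one dict per <Event>: the numeric EventID plus every EventData field."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter(f"{NS}Event"):
        record = {"EventID": int(ev.find(f"{NS}System/{NS}EventID").text)}
        for data in ev.iter(f"{NS}Data"):
            record[data.get("Name")] = (data.text or "").strip()
        events.append(record)
    return events


def tampering_findings(events):
    """Keep only Event ID 25 records and describe which condition Sysmon reported."""
    findings = []
    for ev in events:
        if ev["EventID"] != 25:
            continue
        kind = ev.get("Type", "")
        if "replaced" in kind.lower():
            label = "mapped image no longer matches the on-disk file"
        elif "locked" in kind.lower():
            label = "image file held for exclusive access"
        else:
            label = "unrecognised tampering type"
        findings.append({"time": ev["UtcTime"], "pid": int(ev["ProcessId"]),
                         "image": ev["Image"], "type": kind, "label": label})
    return findings


if __name__ == "__main__":
    for f in tampering_findings(parse_sysmon_events(SAMPLE_EVENTS)):
        print(f"{f['time']} pid={f['pid']} {f['image']} -> {f['label']}")
```

On a live host the same records come from the Microsoft-Windows-Sysmon/Operational log; the parsing is identical once they are exported as XML.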


    Free decrypter released for victims of Darkside ransomware

    Image: Maria Ten
    Cybersecurity firm Bitdefender has released today a free tool that can help victims of the Darkside ransomware recover their encrypted files for free, without paying the ransom demand.
    The tool, available for download from the Bitdefender site, along with usage instructions, gives hope to companies that had important files locked and ransomed by one of today’s most sophisticated ransomware operations.
    Background into the Darkside group
    Active since the summer of 2020, the Darkside group launched and still operates today through ads posted on cybercrime forums.

    Image: Digital Shadows
    The group uses a well-established Ransomware-as-a-Service (RaaS) model to partner with other cybercrime groups.
    These groups would apply for the Darkside RaaS and receive a fully functional version of the Darkside ransomware. They would then breach companies using their own chosen methods, install the ransomware, and ask for huge payouts, usually in the realm of hundreds of thousands or millions of US dollars.
    This modus operandi isn’t new, and it’s called “big-game hunting” because ransomware gangs usually tend to go after companies, instead of home users, in the hopes of increasing their profits.
    In situations where victims didn’t want to pay, Darkside operators leak documents they stole from the victim’s network on a dedicated “leak site,” as a form of punishment and a forewarning to other victims who may want to restore from backups instead of paying the crooks.

    Image: ZDNet

    While the Darkside group hasn’t posted the names and data of any new victims on its leak site since before the winter holidays last year, the group is still believed to be active at the time of writing.
    According to security researcher MalwareHunter, the most recent activity from the group is an update to its leak site last week during which the Darkside operators added a new section dedicated to journalists, where reporters could register and get in contact with the Darkside gang directly.

    DarkSide ransomware’s leak website now has a “Press Center” where press people can register. Also “recovery companies” can register and then they will get more and more discounts after each clients they “helped”… Great news, right? 😂 @demonslay335 @VK_Intel pic.twitter.com/0wuGkbFGHK
    — MalwareHunterTeam (@malwrhunterteam) January 8, 2021

    While most Darkside victims have already either paid the ransom demand or restored from backup months ago, the Darkside decrypter is far from useless.
    Will the decrypter lead to a Darkside shutdown?
    First and foremost, the tool helps companies recover important files that were encrypted months before and which they weren’t able to restore but still have around, saved on backup drives.
    Second, the tool also incurs operational costs to the Darkside gang, which will now have to re-do all its file encryption code to prevent free decryptions.
    Third, the tool also deals a major reputational blow to the Darkside RaaS. Many ransomware operations have shut down in the past after the release of a free decrypter, as most of their customers abandoned them for newer and non-decryptable competitors.
    As for the victims themselves, the good news is that the free decrypter released today by Bitdefender should, in theory, work for all recent versions of the Darkside ransomware, regardless of the file extension that crooks added at the end of each encrypted file.
    This extension is unique per victim, as it’s computed from local characteristics, but that shouldn’t be a problem, Bitdefender said.