More stories


    Ryuk gang estimated to have made more than $150 million from ransomware attacks

    Image: QuinceCreative
    The operators of the Ryuk ransomware are believed to have earned more than $150 million worth of Bitcoin from ransom payments following intrusions at companies all over the world.

    In a joint report published today, threat intel company Advanced Intelligence and cybersecurity firm HYAS said they tracked payments to 61 Bitcoin addresses previously attributed and linked to Ryuk ransomware attacks.
    “Ryuk receives a significant amount of their ransom payments from a well-known broker that makes payments on behalf of the ransomware victims,” the two companies said. “These payments sometimes amount to millions of dollars and typically run in the hundreds of thousands range.”
    AdvIntel and HYAS say the extorted funds are gathered in holding accounts, passed to money laundering services, and are then either funneled back into the criminal market and used to pay for other criminal services or are cashed out at real cryptocurrency exchanges.
    What the two companies found odd is that, while other ransomware groups typically use lesser-known exchanges to cash out funds, Ryuk converted Bitcoin into fiat currency using accounts on two very well-established crypto-portals, namely Binance and Huobi, most likely opened with stolen identities.

    Image: AdvIntel
    But today’s joint AdvIntel and HYAS report also provides a more up-to-date figure in regards to Ryuk operations.
    The last figure we had came from February 2020, when FBI officials spoke at the RSA security conference. At the time, the FBI said that Ryuk was, by far, the most profitable ransomware gang active on the scene, having made more than $61.26 million from ransom payments between February 2018 and October 2019, based on complaints received by the FBI Internet Crime Complaint Center.

    Image: FBI

    With today’s report and the $150 million figure, it is clear that Ryuk has maintained its spot at the top, at least for now.
    Over the past year, other ransomware gangs, such as REvil, Maze, and Egregor, have also made a name for themselves and have been very active, infecting hundreds of companies.
    However, there haven’t been any reports on the estimated sums these groups have made.
    The latest such report came from security firm McAfee in August 2020, when the company estimated that the Netwalker ransomware gang made around $25 million in ransom payments between March and August 2020.


    Months after this 'serious' cyber-attack, stolen data has been leaked online by hackers

    Data stolen in a cyber-attack against a London council last year has been leaked online by the hackers responsible for the attack.  
    Hackney council, which provides services for 280,000 residents in the UK capital, was hit by what was labeled a “serious” cyber-attack last October, taking many IT systems out of operation, with some still disrupted currently.  

    It now appears that the information that was stolen during the attack has been published to the dark web by the criminals, although the council said that only a limited set of data was at risk. According to the council’s latest update, the documents have not been leaked to a “widely available forum”, and are not visible through search engines on the Internet.  
    The Mayor of Hackney Philip Glanville said: “I fully understand and share the concern of residents and staff about any risk to their personal data, and we are working as quickly as possible with our partners to assess the data and take action, including informing people who are affected.” 
    “While we believe this publication will not directly affect the vast majority of Hackney’s residents and businesses, that can feel like cold comfort, and we are sorry for the worry and upset this will cause them.” 
    While the majority of sensitive and personal information held by the council appears to be unaffected, Hackney council said that it is working with the National Cyber Security Centre, the National Crime Agency, the Information Commissioner’s Office and the Metropolitan Police to investigate what has been published exactly and assess which actions need to be taken. 
    Now several months after the attack happened, the exact nature of the intrusion is still unclear. The council has avoided disclosing details to make sure it does not inadvertently assist the attackers.  

    Only legacy and non-cloud-based systems, such as making payments or approving licensing, have been affected, while newer services and systems linked to managing the Covid-19 pandemic have remained up-and-running.  
    Although many systems have since been fully or partially restored, the council has already said that it expects some services to remain unavailable or disrupted for the months to come. 
    Hackney council’s service status page still indicates that services are “significantly disrupted” due to a “serious cyber-attack”, and recommends that residents and businesses avoid contacting the council unless absolutely necessary. 
    For example, the council is currently unable to process applications for most types of licenses, to add to the housing waiting list or for council tax reductions. Disruptions and delays to payment systems remain, as well as to claims for housing benefits. Voting preferences cannot be updated, and residents are currently unable to report noise complaints online. 
    Phone lines, however, remain open for essential help and emergency support. 
    “It is utterly deplorable that organised criminals chose last year to deliberately attack Hackney, damaging services and stealing from our borough, our staff, and our residents in this way, and all while we were in the middle of responding to a global pandemic,” said Glanville. 
    “Now four months on, at the start of a new year and as we are all responding to the second wave, they have decided to compound that attack and now release stolen data. Working with our partners we will do everything we can to help bring them to justice.” 
    Last year also saw an attack on Redcar and Cleveland council in North East England, which affected 135,000 people and came at a cost of more than £10 million ($13.5 million).


    Cobalt Strike and Metasploit accounted for a quarter of all malware C&C servers in 2020

    Cobalt Strike and Metasploit, two penetration testing toolkits usually employed by security researchers, have been used to host more than a quarter of all the malware command and control (C&C) servers that have been deployed in 2020, threat intelligence firm Recorded Future said in a report today.

    The security firm said it tracked more than 10,000 malware C&C servers last year, across more than 80 malware strains.
    The malware operations were the work of both state-sponsored and financially-motivated hacking groups.
    These groups deployed malware using various methods. If the malware managed to infect victim devices, it would report back to a command and control server from where it would request new commands or upload stolen information.
    Under the hood, these C&C servers can be custom-built for a specific malware family, or they can use well-known technologies, either closed or open-sourced projects.
    Over the years, the infosec industry has noted a rising trend in the use of open source security tools as part of malware operations, and especially the increased usage of “offensive security tools,” also known as OST, red-team tools, or penetration testing toolkits.
    The most complex of these tools work by simulating an attacker’s actions, including the ability to host a malware C&C in order to test if a company’s defenses can detect web traffic from infected hosts to the “fake” malware C&C server.

    But malware operators also quickly realized that they could also adopt these “good guy” tools as their own and then hide real malware traffic inside what companies and security firms might label as a routine “penetration test.”
    According to Recorded Future, two of these penetration testing toolkits have now become the top two most widely used technologies for hosting malware C&C servers — namely Cobalt Strike (13.5% of all 2020 malware C&C servers) and Metasploit (with 10.5%).
    The first is Cobalt Strike, a closed-source “adversary emulation” toolkit that malware authors cracked and abused for years, spotted on 1,441 servers last year.
    The second is Metasploit, an open source penetration testing toolkit developed by security firm Rapid7, which was similarly widely adopted by malware authors because it has been continuously updated over the years.
    Third on the list of most popular malware C&C servers was PupyRAT, a remote administration trojan. While not a security tool, PupyRAT ranked third because its codebase was open-sourced on GitHub in 2018, leading to a rise in adoption among cybercrime operations.

    Image: Recorded Future
    However, besides Cobalt Strike and Metasploit, many other offensive security tools have also been abused by malware operations, although to a lesser degree.
    Even so, the groups who abused these tools included many state-sponsored hacking groups engaged in cyber-espionage operations, Recorded Future said.

    Image: Recorded Future
    But the Recorded Future report also looked at other facets of a malware C&C server’s operations. Other observations include:
    • On average, command and control servers had a lifespan (that is, the amount of time the server hosted the malicious infrastructure) of 54.8 days.
    • Monitoring only “suspicious” hosting providers can leave blindspots, as 33% of C&C servers were hosted in the US, many on reputable providers.
    • The hosting providers that had the most command and control servers on their infrastructure were all U.S.-based: Amazon, Digital Ocean, and Choopa.

    Image: Recorded Future


    You should install antivirus on your Android smartphone, but which one?

    Yesterday’s piece on “What should you do with an old Android smartphone” generated a lot of comments. Because I recommended installing a security app, one of the most popular questions was, predictably, which one?
    That’s a tough question.
    It’s tough because testing a security app means throwing existing vulnerabilities at it, which doesn’t tell you how well it will handle future vulnerabilities. Another issue is that it’s impossible to gauge what kind of performance hit the app will have across the myriad of devices out there.
    So, this is what I suggest you do.
    Try more than one.
    Before I go any further, let me warn you that there are a lot of fake security apps out there. On top of that, there are ones that do little to nothing. Whether you go with something on this list or something different, I suggest you don’t venture away from the big names, the same names who were making security apps for Windows systems a decade ago.

    Venturing too far off the beaten path could very well result in you installing the very same badware on your Android device that you are trying to avoid.
    Here’s my list — it’s quite short — of recommended apps. There are three free apps here, and one paid-for app. I’ve run all of them on a variety of devices and been happy with the results. 

    Price: Free
    Why do I like this: No ads! That’s a rarity when it comes to free security apps. It’s not as flashy or whizz-bang as the other apps, but it has scored amazingly well in the AV-TEST testing and gets the job done.

    Price: Free
    Why do I like this: Another app that got the job done. Again, it does show ads, but I didn’t find them intrusive. It also has features such as “Boost RAM” that you can play with. 

    Price: $14.99 for the first year
    Why do I like this: Gives you great protection from malware with the least impact on system performance (as tested by AV-TEST). My only gripe is that the VPN comes with a 200MB/day allowance rather than unlimited data, which feels low.
    View Now at BitDefender
    Bonus.
    Quite a few people have asked me what VPN I use. It’s the same one I have been using for years, and none of the others I’ve tested has come close to it in terms of awesomeness.

    Price: From $34.99 per year for 3 devices
    Why do I like this: It’s fast, easy to use, and I’ve put terabytes through it across many countries without any problems at all.
    Do you have a security app installed on your smartphone? If so, which one? Let me know in the comments down below.


    Hack the Army bug bounty challenge asks hackers to find vulnerabilities in military networks

    Hackers are being invited to uncover cybersecurity vulnerabilities in the computer systems used by the US military as part of the ‘Hack the Army’ bug bounty challenge.
    Both military and civilian hackers are being invited to discover and disclose digital vulnerabilities in the US Department of the Army in a program run by The Defense Digital Service (DDS) and HackerOne.


    The aim is for cybersecurity researchers to uncover and disclose security vulnerabilities in army systems so they can be resolved before they are discovered and exploited by malicious hackers. Civilian hackers who successfully discover valid security bugs could receive a financial reward.
    “Bug bounty programs are a unique and effective force multiplier for safeguarding critical Army networks, systems and data, and build on the efforts of our Army and DoD security professionals,” said Brigadier General Adam C. Volant, U.S. Army Cyber Command Director of Operations.
    “By crowdsourcing solutions with the help of the world’s best military and civilian ethical hackers, we complement our existing security measures and provide an additional means to identify and fix vulnerabilities. Hack the Army 3.0 builds upon the successes and lessons of our prior bug bounty programs,” he added.
    The bug bounty program is open to both military and civilian participants and runs from January 6, 2021 through February 17, 2021.

    Hack the Army 3.0 is the DDS’s eleventh bug bounty program with HackerOne and the third with the US Army. Previous programs include Hack the Pentagon, Hack the Defense Travel System and Hack the Air Force.
    “We are proud of our continued partnership with the Army to challenge the status quo in strengthening the security of military systems and shifting government culture by engaging ethical hackers to address vulnerabilities” said Brett Goldstein, director of the Defense Digital Service. 
    Participation in the Hack the Army 3.0 bug bounty challenge is open by invitation only to civilian hackers and active US military personnel.
    “We’re calling on civilian and military hackers to show us what they’ve got in this bug bounty and to help train the future force,” Goldstein said.


    Disgruntled former VP hacks company, disrupts PPE supply, earns jail term

    A former vice president of a company in Georgia has been sent behind bars for sabotaging systems and causing delays in the shipment of Personal Protective Equipment (PPE). 

    Christopher Dobbins once worked for Stradis Healthcare, a medical equipment packaging company that facilitates the delivery of PPE, supplies, and surgical kits. After being fired in March 2020, with final paycheck in hand, the 41-year-old accessed a secret, fake staff account he had created while still in Stradis’ employ. 
    The ex-employee, described as “disgruntled” by the Federal Bureau of Investigation (FBI), was then able to maintain secret access to the company’s systems, despite his legitimate account being revoked. 
    Dobbins set about disrupting Stradis’ electronic records by creating a secondary user account and both editing over 115,000 records and deleting over 2,300 entries. 
    The FBI said this week that the intrusion “disrupted the company’s shipping processes, causing delays in the delivery of much-needed PPEs to healthcare providers” who are trying to cope with the COVID-19 pandemic. 
    Dobbins’ actions did not just cause the company’s operations to grind to a screeching halt in March; issues continued for months after as Stradis sought to repair the damage. 
    Swift action was taken to isolate and stop the former employee’s activities, and law enforcement — the FBI Atlanta Cyber Task Force — was called in. Dobbins was then arrested and pleaded guilty to multiple computer intrusion charges in July. 

    He will now serve a year and a day behind bars and has been ordered to pay restitution to the tune of $221,200. 
    “During the height of a world-wide pandemic this defendant disrupted the distribution of critical medical supplies to health care workers on the front lines of the battle,” said Chris Hacker, Special Agent in Charge of FBI Atlanta. “This swift and efficient result sends a message that anyone who puts the lives of American citizens at risk will be pursued and punished for their egregious behavior.”
    Stradis previously announced that the company was “happy to assist” the FBI in the arrest of Dobbins. 
    “Of course we are disappointed about a former employee who caused the company immeasurable internal harm and caused some temporary delays in our shipping system but our focus is completely consumed in working 24/7 to serve the medical community and the public during this critical time,” commented Stradis CEO Jeff Jacobs. 


    North Korean hackers launch RokRat Trojan in campaigns against the South

    A North Korean hacking group is utilizing the RokRat Trojan in a fresh wave of campaigns against the South Korean government.

    For several years, the Remote Access Trojan (RAT) has been connected to attacks based on the exploitation of a Korean-language word processor commonly used in South Korea; specifically, the compromise of Hangul Office documents (.HWP).
    In the past, the malware has been used in phishing campaigns that lure victims through emails containing attachments with a political theme — such as Korean unification and North Korean human rights. 
    RokRat is believed to be the handiwork of APT37, also known as ScarCruft, Reaper, and Group123. Active since at least 2012, the advanced persistent threat group (APT) is likely state-sponsored, and potentially tasked with targeting entities of value to the North Korean ruling party.
    According to Malwarebytes security researcher Hossein Jazi, while previous campaigns have focused on exploiting .HWP files, a new phishing document sample attributable to APT37 reveals a pivot in tactics for the group. 
    In a blog post this week, the cybersecurity company described the discovery of a new malicious document uploaded to VirusTotal on December 7. The sample file claims to be a request for a meeting dated in early 2020, suggesting that attacks have taken place over the past year.
    Malwarebytes says that the content of the file also indicates that it has been “used to target the government of South Korea.”

    The document does not follow APT37’s traditional .HWP path; instead, an embedded macro uses a VBA self-decoding technique to decode itself into the memory of Microsoft Office. This means that the malware does not have to write itself to disk, potentially in a bid to avoid detection.
    Once Microsoft Office has been compromised, an unpacker stub then injects a variant of RokRat into Notepad. According to Malwarebytes, this technique allows the bypass of “several security mechanisms” with little effort.
    “To the best of our knowledge, this is a first for this APT group,” Jazi says. 
    In order to circumvent Microsoft security, which prevents the macro’s dynamic execution, the attackers first need to bypass the VB object model (VBOM) by modifying registry values. 
    The malicious macro checks whether VBOM can be accessed and, if it still needs to be bypassed, attempts to set the VBOM registry key to one. Depending on the result of that check, such as when the VBOM setting has already been bypassed, the obfuscated macro content is deobfuscated and then executed in memory.
    The main function of the payload is to create a module utilizing shellcode to compromise Notepad before retrieving an encrypted file hosted on Google Drive that contains RokRat.
    Once deployed on a vulnerable machine, RokRat focuses on harvesting data from the system before sending it to attacker-controlled accounts on cloud-based services including pCloud, Dropbox, Box, and Yandex. The malware is able to steal files, take screenshots, capture credentials, and tamper with file directories.
    RokRat also attempts to maintain stealth by checking for sandboxes and for the presence of VMware, scanning for debugging software, and analyzing DLLs related to Microsoft and iDefense.
    In related news this week, Trustwave researchers recently discovered a new phishing campaign that deploys QRat to Windows machines. First discovered in 2015, the Trojan features heavy levels of obfuscation and remote access capabilities. 


    The NYSE ban on three Chinese telcos is back

    The New York Stock Exchange (NYSE) has once again changed its mind over whether to delist a trio of Chinese telcos.
    NYSE said it would continue with its original plan to delist China Telecom, China Mobile, and China Unicom Hong Kong on January 11.
    “On January 5, 2021, the Department of Treasury’s Office of Foreign Asset Control provided additional, specific guidance to the NYSE stating that US persons cannot engage in certain transactions … after 9:30am eastern standard time on January 11, 2021,” the NYSE said.
    “Accordingly, NYSE Regulation has announced that it will move forward with delisting.”
    Only two days ago, the exchange said it was reversing the decision taken on New Year’s Eve.
    The delisting action was taken to comply with a 12 November 2020 executive order from outgoing US president Donald Trump.
    In the executive order, Trump said the People’s Republic of China (PRC) was “exploiting United States capital” to boost and update its military, which he claimed would allow Beijing to threaten the US and its overseas forces, as well as develop “advanced conventional weapons and malicious cyber-enabled actions against the United States and its people”.

    “Through the national strategy of Military-Civil Fusion, the PRC increases the size of the country’s military-industrial complex by compelling civilian Chinese companies to support its military and intelligence activities,” Trump said.
    “Those companies, though remaining ostensibly private and civilian, directly support the PRC’s military, intelligence, and security apparatuses and aid in their development and modernisation.”
    Trump also said the PRC “exploits United States investors” to finance its military.
    The China Securities Regulatory Commission returned fire after the original ban was announced, saying the ban was politically motivated and ignored the rights of investors while severely damaging the market.
    It added that the size of the listings on American markets was under 2.2% of the total shares on offer, so the direct impact of the delisting was “rather limited”.
    “The role of the US as an international financial centre, is built on the trust of the global enterprises and investors in the inclusiveness and certainty of its rules and institutions,” the Commission said.
    “The recent move by some political forces in the US to continuously and groundlessly suppress foreign companies listed on the US markets, even at the cost of undermining its own position in the global capital markets, has demonstrated that US rules and institutions can become arbitrary, reckless, and unpredictable. It is certainly not a wise move.”
    Yesterday, Trump signed an executive order to ban eight Chinese apps — Alipay, CamScanner, QQ Wallet, SHAREit, Tencent QQ, VMate, WeChat Pay, and WPS Office — citing national security concerns.
    “Action must be taken to address the threat posed by these Chinese connected software applications,” Trump said.