    KashmirBlack botnet behind attacks on CMSs like WordPress, Joomla, Drupal, others

    A highly sophisticated botnet is believed to have infected hundreds of thousands of websites by attacking their underlying content management system (CMS) platforms.

    Named KashmirBlack, the botnet started operating in November 2019.
    Security researchers from Imperva —who analyzed the botnet last week in a two-part series— said the botnet’s primary purpose appears to be to infect websites and then use their servers for cryptocurrency mining, redirecting a site’s legitimate traffic to spam pages, and to a lesser degree, showing web defacements.
    Imperva said the botnet started out small, but after months of constant growth, it has evolved into a sophisticated behemoth capable of attacking thousands of sites per day.
    The biggest changes occurred in May this year, when the botnet expanded both its command-and-control (C&C) infrastructure and its exploit arsenal.
    Nowadays, KashmirBlack is “managed by one C&C (Command and Control) server and uses more than 60 – mostly innocent surrogate – servers as part of its infrastructure,” Imperva said.
    “[The botnet] handles hundreds of bots, each communicating with the C&C to receive new targets, perform brute force attacks, install backdoors, and expand the size of the botnet.”

    KashmirBlack expands by scanning the internet for sites using outdated software and then using exploits for known vulnerabilities to infect the site and its underlying server.
    Some of the hacked servers are then used for spam or crypto-mining, but also to attack other sites and keep the botnet alive.
    Since November 2019, Imperva says it has seen the botnet abuse 16 vulnerabilities:
    The exploits listed above allowed KashmirBlack operators to attack sites running CMS platforms like WordPress, Joomla!, PrestaShop, Magento, Drupal, vBulletin, osCommerce, OpenCart, and Yeager.
    Some exploits attacked the CMS itself, while others attacked some of their inner components and libraries.
    “During our research we witnessed its evolution from a medium-volume botnet with basic abilities to a massive infrastructure that is here to stay,” Imperva researchers said on Friday.
    Based on multiple clues it found, Imperva researchers said they believed the botnet was the work of a hacker named Exect1337, a member of the Indonesian hacker crew PhantomGhost.


    NSW Police readies for major mainframe digital transformation

    Come December, NSW Police will formally kick off the modernisation project of its mainframe, after operating with the same core system for the last 24 years.
    The project will see NSW Police, together with Unisys and Mark43, replace the force’s central database, which is used for everyday operations ranging from logging criminal incidents and intelligence gathering to pressing charges, with a new integrated policing operation system (IPOS).
    “After more than 20 years of trying to do something with the mainframe, I’m hoping we’ll finally crack it with IPOS, a born-in-the-cloud policing platform that will do the things that police need and deserve, in terms of a mobile-first digital platform,” NSW Police chief information and technology officer Gordon Dunsford told ZDNet.
    Expected to take five years to complete, the IPOS project will be carried out in three phases.
    The first phase — anticipated to take 18 months to finish — will see the delivery of a new computer-aided dispatch (CAD) system, which would house everything from triple zero calls to crime reporting, as well as forensic management that will enable police to process DNA samples in real time, instead of having to send them off to a lab.
    Other modules that will be revamped as part of IPOS include investigation management, evidence and forensic data management, charge and custody management, and case management.
    “It’s a marathon with lots of little sprints,” Dunsford said.
    He added that one of the other key components in delivering the IPOS project would see NSW Police integrate with other law enforcement agencies and their systems, which will be possible through the organisation’s partnership with Mulesoft.
    “For us going into IPOS sets us up for our future … we’re integrating in real-time with a lot of federal systems, a lot of other jurisdictions, right through to Interpol … from a technology perspective, so the integration platform for us is absolutely what we need, and it will take us into the future and beyond,” Dunsford said.
    While delivering IPOS would be, as Dunsford has put it, the pièce de résistance, there are other projects running alongside it.
    This includes continuing the rollout of the NSW Police firearms registry to all firearm dealers across NSW, which began in August. Built using Salesforce, the platform has been designed to provide police and firearm dealers access to real-time information about firearms that are being bought, sold, and traded across borders.
    “This will keep the community safer and help avoid incidents where people are getting firearms when they shouldn’t,” Dunsford said. 
    Additionally, the police force is also undergoing a cybersecurity transformation, which is being funded as part of the AU$240 million the NSW government set aside to bolster its cybersecurity capabilities.
    “When I started, we didn’t really have a strong cyber capability,” Dunsford said. “We had firewalls and did all that very basic 1980s thing of putting firewalls all round the place. But putting a firewall ring around the organisation is not good enough in this world … [especially as] police is a target when it comes to cybersecurity people … because they want the joy of being able to break into a law enforcement organisation.”
    NSW Police also recently went to market for its “integrated” connected officer program, which Dunsford described as being “more or less an IoT project” that will involve replacing the frontline’s existing Glocks, body-worn video cameras, tasers, and the technology in their cars.
    As part of this project so far, two concept cars have been created and will shortly be field tested, Dunsford said. Each has been designed to create a “consumer feel” and features an in-car screen integrated with applications to enable computer dispatch, radio, messaging, automatic number plate recognition, light mode controls, and voice control.
    The concept car also features nano-sat capabilities underpinned by work carried out in partnership with Starlink. 
    “We’re starting to work with them on providing high-speed broadband to every police vehicle, and from there we can use it as a mini data centre … that sits on a vehicle’s CAN bus (controller area network), which is essentially the in-car technology we write or put applications onto,” Dunsford explained.
    Dunsford said with all these projects going on, the organisation is starting to look a lot different — and for the better — than when he started with the force nearly three years ago.
    He noted that the aim of the digital overhaul has been to shift the force from being focused on responding to crimes to preventing and disrupting crime. “The idea is to support police, and enable them to do their jobs not only smarter and faster but get outcomes for victims and prevent crimes,” Dunsford said.
    He pointed out, for instance, that since introducing an artificial intelligence-based video analytics platform, NSW Police has been able to speed up its investigations, such as in the case against Mert Nay, who allegedly murdered one woman and stabbed another last August in Sydney.
    “A homicide strike force was set up and they collected 14,000 pieces of CCTV. They would normally have had to go into a little dark room and then catalogue every little piece of that CCTV by the second to say, ‘Here he was on George Street after he committed the alleged murder before he ran up and down the street, and eventually, some civilians and firies got a milk crate over his head, and arrested him’.
    “That normally would’ve taken a detective months to go through … [but] using our insights platform, they were able to load the 14,000 pieces of CCTV and dashcam footage and do it in five hours.”
    At the same time, police officers no longer need to handle paper-based workflows and processes, following the digitisation of 200 disparate policing assets onto a single ServiceNow cloud-hosted platform called BluePortal.
    “We’ve done that so [police] can order PolAir, dog squad, forensics, you name it, you bring them all to an event that a commander wants to run,” Dunsford continued. “For example, if you want to kick the door of a drug house, do a risk assessment, and spit out the operational orders, you can do that all on the Blue Portal platform.”
    A similar experience has also been created for citizens on the NSW Police Community Portal. They can now use it to report a crime.
    “All but extremely heinous types of crimes are put digitally now through our completely re-engineered designed and modernised community portal. You can now go on there and say, ‘I’ve been assaulted’. You can do that online on your mobile phone platform anywhere any time,” Dunsford said.


    Vietnam's cyber risks make it a mixed bag

    Even during COVID-19 times, Vietnam’s GDP growth has been remarkable. After several years of sitting at around 7%, it only dropped to 2.8% this year.
    The nation also has a bold investment plan and a growing cybersecurity community.
    But it also has strict rules such as a controversial cybersecurity law that targets “anti-state” content. It’s also the target of cyber attacks from nations such as China.



    Singapore's worst-ever data breach prompted the nation to bolster its cyber defences

    In 2018, Singapore suffered its worst ever data breach when inadequate cybersecurity at SingHealth saw a quarter of the population’s medical records stolen.
    The subsequent official review recommended remedies that should already be basic security policies.
    Two years after the SingHealth hack, Singapore’s cybersecurity is being improved by everything from the fintech-oriented @-Wise Cybersecurity Centre of Excellence to mandatory standards for home routers.



    Four more European nations sign onto US 5G security agreements

    The US Department of State announced on Friday that it signed four more European nations to 5G security statements.
    The Slovak Republic, Bulgaria, and North Macedonia each made a joint declaration with the United States, while Kosovo signed a memorandum of understanding. The text of all four was very similar.
    “To promote a vibrant and robust 5G ecosystem, the Slovak Republic and the United States believe that a rigorous evaluation of suppliers and supply chains should take into account the rule of law; the security environment; ethical supplier practices; and a supplier’s compliance with security standards and best practices,” one of the declarations read.
    The declarations fall under Washington’s Clean Network program announced in August to cover carriers, app stores, cloud computing, and subsea cables.
    “Huawei, an arm of the PRC surveillance state, is trading on the innovations and reputations of leading US and foreign companies,” United States Secretary of State Mike Pompeo said at the time.
    “These companies should remove their apps from Huawei’s app store to ensure they are not partnering with a human rights abuser.”
    Since that time, the US has claimed that much of Europe — whether by government bans or major telcos choosing not to use equipment from Huawei or ZTE — has joined its Clean Network program.
    Also on Friday, Huawei announced its third-quarter results, which saw revenue increase almost 10% to 671 billion yuan, with its net margin sitting at 8%. At the same time last year, the company reported revenue grew 24% to 611 billion yuan, with the net margin being 8.7%.
    “Throughout the first three quarters of 2020, Huawei’s business results basically met expectations,” the company said.
    “As the world grapples with COVID-19, Huawei’s global supply chain is being put under intense pressure and its production and operations face significant challenges. The company continues to do its best to find solutions, survive and forge forward, and fulfill its obligations to customers and suppliers.”
    Earlier last week, the Saudi Data and AI Authority (SDAIA) signed a partnership with Huawei to create a National AI Capability Development Program in the Arabian kingdom.
    “Through the National AI Capability Development Program and our cooperation with Huawei, Saudi Arabia can not only continue acquiring the most cutting-edge technologies, but also learn from successful experiences internationally in adopting best practices,” CEO of the National Center for Artificial Intelligence at SDAIA Dr Majid Altuwaijri said.
    SDAIA also signed a smart city agreement with Alibaba Cloud.
    “Alibaba Cloud’s AI platform will empower KSA cities to intelligently manage city services and to create new smart solutions that will make them more resilient and responsive to the needs of the citizens,” SDAIA said.


    Microsoft did some research. Now it's angry about what it found

    Is it too late?
    I’m quite used to hearing that Microsoft has annoyed someone.

    Usually, it’s a Windows user who’s angry about Redmond’s keenness to slip unwanted products onto their screens.
    I was rather moved, then, to hear that Microsoft itself is enduring conniptions of the most fundamental kind.
    You see, the company recently commissioned research company YouGov to ask 5,000 registered voters about their innermost feelings. One or two deeply felt highlights emerged.
    90% of respondents admitted they’re worried every time they share their information online. 
    70% privately pointed their fingers at the US government. They said it isn’t doing enough to protect their personal data.
    A similar 70% said they’d like to see the next administration enact privacy legislation.
    How do I know this made Microsoft angry? Well, these details come from a bracingly seething blog post — published this week — from the company’s “Corporate Vice-President For Global Privacy and Regulatory Affairs and Chief Privacy Officer.”
    Extraordinarily, we’re talking about just one person with all those titles, Julie Brill. She doesn’t think the US government is doing brilliantly.
    Brill tried to rein in her irkdom. She began by talking about the importance of data in our new, more domestically confined world.
    She said: “Data is critical not just in rebuilding our economy but in helping us understand societal inequalities that have contributed to dramatically higher rates of sickness and death among Black communities and other communities of color due to COVID-19. Data can also help us focus resources on rebuilding a more just, fair and equitable economy that benefits all.”
    A fundamental problem, said Brill, is the lack of trust in society today. In bold letters, she declared: “The United States has fallen far behind the rest of the world in privacy protection.”
    I can’t imagine it’s fallen behind Russia, but how poetic if that was true.
    Still, Brill really isn’t happy with our government: “In total, over 130 countries and jurisdictions have enacted privacy laws. Yet, one country has not done so yet: the United States.”
    Brill worries our isolation isn’t too splendid. She mused: “In contrast to the role our country has traditionally played on global issues, the US is not leading, or even participating in, the discussion over common privacy norms.”
    That’s like Microsoft not participating in the creation of excellent smartphones. It’s not too smart.
    Brill fears other parts of the world will continue to lead in privacy, while the US continues to lead in inaction and chaos. It sounds like the whole company is mad as hell and isn’t going to take it anymore.
    Yet it’s not as if Microsoft has truly spent the last 20 years championing privacy much more than most other big tech companies. In common with its west coast brethren, it’s been too busy making money.
    Brill is undeterred. She tried to offer good news. Some states are taking the matter of privacy into their own jurisdictions. And then she offers words of hope that, to this reader at least, swim in baths of sarcasm: “There are also signs of real interest among some members of Congress.”
    Real interest among members of Congress can often feel like real sincerity. You hope it’s there, but you suspect it’s not.
    Yet I sense Brill doesn’t have too much hope in governmental action. So, spurred again by the company’s research, she turned to the corporate world.
    “The YouGov study found that significantly more people believe companies bear the primary responsibility for protecting data privacy — not government,” she said.
    Yet what do those companies do? They make privacy controls your responsibility, dear citizen. I dare say Microsoft has done that once or twice in its time.
    “The large number of websites, devices and apps that people rely on to remain connected and engaged – a number that has grown even larger during this health crisis – makes it nearly impossible for individuals to navigate the privacy information overload and make informed decisions about how their data is used,” said Brill.
    And then, in a perfectly chest-beating use of the plural, she added: “Too often, we deliver that information in notices difficult for lawyers and engineers to understand — much less consumers.”
    Brill’s blog post is short on patience, but not short. It’s a withering exposition of what the tech world has wrought and how society has dissipated, especially during the last decade.
    Just as there’s no trust in corporations’ protection of personal privacy, so there’s no trust in seemingly any facet of US society. Some might read Brill’s thoughts as if they’re in anticipation of — or even hoping for — a new administration that will embrace humanity more fully.
    “Trust is essential,” concluded Brill. “It is time for government and business to work together to pass laws and reinvent practices to recognize the individual right to own and control personal data and to place the responsibility for protecting privacy where it belongs — on companies.”
    I wanted to offer a grand hurrah. But then I was confronted by new research from the authors of “The Corporate Social Mind.”
    The headline? “Germans trust companies more than Americans to address social issues.”


    US Treasury sanctions Russian research institute behind Triton malware

    The US Treasury Department announced sanctions today against a Russian research institute for its role in developing Triton, a malware strain designed to attack industrial equipment.


    Sanctions were levied today against the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (also known as CNIIHM or TsNIIKhM).
    A FireEye report published in October 2018 identified CNIIHM as the possible author of the Triton malware.
    The Triton malware, also known as Trisis or HatMan, is a piece of malware that was designed to specifically target a certain type of industrial control system (ICS) equipment — namely, Schneider Electric Triconex Safety Instrumented System (SIS) controllers.
    According to technical reports from FireEye, Dragos, and Symantec, the malware was distributed via phishing campaigns. Once it infected a workstation, it would search for SIS controllers on a victim’s network, and then attempt to modify the controller’s settings.
    Researchers said Triton contained instructions that could either shut down a production process or allow SIS-controlled machinery to work in an unsafe state, creating a risk of explosions and risk to human operators and their lives.
    Triton almost caused an explosion at a Saudi petrochemical plant
    The malware was first spotted after it was used successfully in 2017 during an intrusion at a Saudi petrochemical plant owned by Tasnee, a privately owned Saudi company, where it almost caused an explosion.
    Since then, the malware has been deployed against other companies. Furthermore, the group behind the malware (known as TEMP.Veles or Xenotime) has also been seen “scanning and probing at least 20 electric utilities in the United States for vulnerabilities,” the US Treasury said today in a press release.
    Today’s sanctions prohibit US entities from engaging with CNIIHM and also seize any of the research institute’s US-based assets.
    “The Russian Government continues to engage in dangerous cyber activities aimed at the United States and our allies,” said Secretary Steven T. Mnuchin. “This Administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it.”

    This style of sanctioning is significant and honestly entirely appropriate against those involved in the first ever cyber attack to intentionally try to kill people in civilian infrastructure. #TRISIS #TRITON https://t.co/dVzAn0kusq
    — Robert M. Lee (@RobertMLee) October 23, 2020

    Today’s Treasury sanctions end a week from hell for Russian state-sponsored hacking groups. On Monday, the US Department of Justice filed charges against six hackers who are part of the Sandworm group, believed to have created the NotPetya, KillDisk, BlackEnergy, and OlympicDestroyer malware.
    On Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) exposed a recent hacking campaign of a Russian hacking group known as Energetic Bear.
    On the same day, the EU also imposed sanctions on two Russian intelligence officers for their role in the 2015 German Parliament hack.
    But as several security researchers pointed out on Twitter today, shortly after the Treasury announcement, the US may not have the moral high ground, mainly because the US pioneered attacks against industrial systems through its development and deployment of the Stuxnet malware against Iran’s nuclear program in 2010.

    They… uh… the Treasury realizes that we don’t really have the high ground to stand on here… right? *cough* Stuxnet *cough*
    — MikeTalonNYC (@MikeTalonNYC) October 23, 2020


    Apple notarizes six malicious apps posing as Flash installers

    Malware authors have managed to pass malicious apps through the Apple app notarization process for the second time this year and the second time in the past six weeks.

    App notarization is a recent security protection formally introduced by Apple earlier this year.
    It is a process that requires Mac app developers to submit their apps to Apple for a series of automated security scans that check for malware or other malicious code patterns.
    Apps that pass through the scans are “notarized,” meaning they are added to a whitelist inside the Apple Gatekeeper security service.
    Once added to the Gatekeeper whitelist, notarized apps can be opened and installed with a simple click, without any warnings or popups.
    App notarization has been mandatory for all apps that want to run on Apple’s newest macOS releases, like Catalina and Big Sur.
    The notarization process has been warmly received by both app users and developers, as it removed some of the friction of installing apps on macOS.
    First wave of notarized malware
    However, similar to Bouncer, the automated security system that scans Android apps before they are uploaded on the Google Play Store, Apple’s app notarization process was never expected to be perfect.
    The first malicious apps that managed to pass through the notarization process and get whitelisted on newer versions of macOS were discovered at the end of August [1, 2].
    In total, 40 apps passed through, apps that were infected with the Shlayer trojan and the BundleCore adware.
    Second wave of notarized malware
    But in a report published this week, Joshua Long, Chief Security Analyst for Mac security software maker Intego, said his company discovered six new apps that passed through the notarization process.
    The six notarized apps posed as Flash installers, Long told ZDNet today. Once installed, the apps would download and install the OSX/MacOffers adware.
    “OSX/MacOffers is best known for modifying the search engine in the victim’s browser,” Long told ZDNet.
    Long said the six apps have now been de-notarized.
    “Apple revoked the developer certificate while the malware was under investigation, before we had a chance to report it to Apple,” Long told us.
    “It’s unclear how Apple became aware of it; perhaps they might have gotten a report from another researcher investigating the malware, or perhaps from a Mac user who encountered it in the wild.”
    With Adobe set to retire Flash at the end of the year, Long urged users to stop downloading and installing Flash installers.