More stories

  • National Australia Bank will pay you to break its systems

    The National Australia Bank (NAB) has launched a bug bounty program, offering a reward to security researchers who uncover previously undisclosed vulnerabilities in the bank’s environment.
    The bank has partnered with crowdsource security firm Bugcrowd for the new program. To participate, individuals must have an “Elite Trust Score” on the Bugcrowd platform.
    NAB executive of enterprise security Nick McKenzie said using “controlled crowdsourcing” methods would assist NAB to further test and strengthen its existing cybersecurity capabilities.
    “Controlled, crowdsourced cybersecurity brings together uniquely skilled testers and security researchers with fresh perspectives to uncover vulnerabilities in our defences that traditional assessment might have missed,” McKenzie said.
    “Proactive cybersecurity measures are vital in today’s hyperconnected environment where new threats are constantly emerging.”
    McKenzie said moving to a paid bounty system gives NAB the opportunity to “attract a wider pool of ethically-trained security researchers from across the globe”.
    “Diversity is a critical yet often overlooked factor in security and controls strategies,” he added.
    NAB in July last year admitted that some personal information on approximately 13,000 customers was uploaded, without authorisation, to the servers of two data service companies.
    The compromised data included customer name, date of birth, contact details, and in some cases, a government-issued identification number, such as a driver’s licence number.
    NAB in early 2017 also admitted it sent the details of approximately 60,000 customers to an email address on a global domain rather than its .au address.
    It is understood customer information was sent in error to an nab.com address rather than an email address on the nab.com.au domain.
    Meanwhile, Bugcrowd in April raised another $30 million in its Series D round, bringing its total funding to over $80 million.
    The company is based in San Francisco.

  • CISA says a hacker breached a federal agency

    A hacker has gained access and exfiltrated data from a federal agency, the Cybersecurity and Infrastructure Security Agency (CISA) said on Thursday.
    Neither the name of the hacked federal agency, nor the date of the intrusion, nor any details about the intruder, such as an industry codename or state affiliation, were disclosed.
    CISA officials revealed the hack after publishing an in-depth incident response (IR) report detailing the intruder’s every step.
    The report, which ZDNet analyzed today, describes how the intruder reached the agency’s internal network through several channels: compromised credentials for Microsoft Office 365 (O365) accounts, domain administrator accounts, and the agency’s Pulse Secure VPN server.
    CISA said the attacker logged into Office 365 accounts to view and download help desk email attachments with “Intranet access” and “VPN passwords” in the subject line. The attacker searched for these files despite already holding privileged access to the agency’s network, most likely to find additional parts of the network to move into.
    The attacker also accessed the local Active Directory, where they modified settings and studied the structure of the agency’s internal network.
    To keep a reliable way back into the agency’s network, the attacker set up an SSH tunnel and a reverse SOCKS proxy, installed custom malware, and connected a drive they controlled to the agency’s network as a locally mounted remote file share.
    “The mounted file share allowed the actor to freely move during its operations while leaving fewer artifacts for forensic analysis,” CISA analysts said.
    Furthermore, the attacker also created their own local account on the network. By analyzing forensic evidence, CISA said the hacker used this account to browse the local network, run PowerShell commands, and gather important files into ZIP archives. CISA said that it couldn’t confirm if the attacker exfiltrated the ZIP archives, but this is what most likely happened in the end.
    In addition, CISA said the malware the hackers installed on the federal agency’s network “was able to overcome the agency’s anti-malware protection, and inetinfo.exe [the malware] escaped quarantine.”
    Nonetheless, investigators said the intrusion was detected via EINSTEIN, CISA’s intrusion detection system, which monitors federal civilian networks from a network vantage point and so compensated for the attacker’s evasion of the agency’s local anti-malware tooling.
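    The mailbox hunting described above lends itself to a straightforward detection: mail reads or attachment downloads on sensitive subjects from an address outside the organisation’s own ranges, grouped per account. The Python below is an added example written for this page, not code from CISA’s report or the agency; the events are constructed in a simplified normalised shape rather than the Office 365 Unified Audit Log schema, and the corporate ranges, usernames and subject keywords are assumptions.

```python
"""Spot a compromised Office 365 account hunting for credentials in mail:
reads or attachment downloads on sensitive subjects, from an address that
is not one of the organisation's own."""
import ipaddress
import re

# Address ranges the agency itself uses. Assumption for this example.
CORP_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]

# Subject fragments taken from the behaviour CISA describes.
SENSITIVE_SUBJECT = re.compile(r"intranet access|vpn password", re.IGNORECASE)

# Constructed sample events in a simplified, normalised shape (not the raw
# Unified Audit Log schema). 198.51.100.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"ts": "2020-09-10T02:11:04Z", "user": "helpdesk@agency.example", "ip": "10.4.2.17",
     "op": "AttachmentDownload", "subject": "RE: VPN passwords for new starters"},
    {"ts": "2020-09-10T02:13:40Z", "user": "jdoe@agency.example", "ip": "198.51.100.23",
     "op": "MailRead", "subject": "Intranet access request"},
    {"ts": "2020-09-10T02:14:02Z", "user": "jdoe@agency.example", "ip": "198.51.100.23",
     "op": "AttachmentDownload", "subject": "RE: VPN passwords for new starters"},
    {"ts": "2020-09-10T02:20:00Z", "user": "jdoe@agency.example", "ip": "198.51.100.23",
     "op": "AttachmentDownload", "subject": "Team lunch photos"},
    {"ts": "2020-09-10T09:00:00Z", "user": "asmith@agency.example", "ip": "10.4.9.3",
     "op": "MailRead", "subject": "Intranet access request"},
]

MAIL_OPS = {"MailRead", "AttachmentDownload"}


def is_external(ip):
    """True when the address falls outside every corporate range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORP_RANGES)


def find_credential_hunting(events, min_hits=2):
    """Group sensitive-subject mail access from external addresses by account
    and keep accounts with at least `min_hits` such events. Help-desk staff
    reading these mails from the office produce no finding."""
    by_user = {}
    for ev in events:
        if (ev["op"] in MAIL_OPS
                and SENSITIVE_SUBJECT.search(ev["subject"])
                and is_external(ev["ip"])):
            by_user.setdefault(ev["user"], []).append(ev)
    return {user: evs for user, evs in by_user.items() if len(evs) >= min_hits}


def summarise(findings):
    """One line per flagged account: user, distinct source IPs, subjects."""
    lines = []
    for user, evs in sorted(findings.items()):
        ips = sorted({e["ip"] for e in evs})
        subjects = sorted({e["subject"] for e in evs})
        lines.append(f"{user}: {len(evs)} events from {', '.join(ips)}; "
                     f"subjects: {' | '.join(subjects)}")
    return lines


if __name__ == "__main__":
    for line in summarise(find_credential_hunting(SAMPLE_EVENTS)):
        print(line)
```

    The threshold matters: a single sensitive mail opened from a hotel network is noise, whereas one account pulling several such mails from the same unknown address is the pattern worth a ticket. In production the corporate ranges would come from the VPN and office egress allocations rather than a constant.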

  • Microsoft removed 18 Azure AD apps used by Chinese state-sponsored hacker group

    Microsoft said today that it removed 18 Azure Active Directory applications from its Azure portal that were created and abused by a Chinese state-sponsored hacker group.
    The 18 Azure AD apps were taken down from the Azure portal earlier this year in April, the Microsoft threat intelligence team said in a report published today.
    The report described the recent tactics used by a Chinese hacker group known as Gadolinium (aka APT40, or Leviathan).
    The Azure apps were part of the group’s 2020 attack routine, which Microsoft described as “particularly challenging” to detect due to its multi-stage infection process and the broad use of PowerShell payloads.
    These attacks began with spear-phishing emails aimed at the target organizations, carrying malicious documents, usually PowerPoint files with a COVID-19 theme.
    Victims who opened one of these documents would be infected with PowerShell-based malware payloads. Here is where the malicious Azure AD apps would also come into play.
    On infected computers, Microsoft said the Gadolinium hackers used the PowerShell malware to install one of the 18 Azure AD apps. The role of these apps was to automatically configure the victim’s endpoint “with the permissions needed to exfiltrate data to the attacker’s own Microsoft OneDrive storage.”
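    An application that can read a user’s files or mail and hold a refresh token is exactly what an exfiltrate-to-OneDrive app needs, so reviewing the tenant’s consent grants for that combination is the natural defender-side check. The Python below is an added example, not Microsoft’s code or anything from its report; the grants are constructed sample objects shaped like Microsoft Graph oauth2PermissionGrant resources (clientId, consentType, principalId, resourceId, scope) with a displayName added for readability, and the approved-client list and every ID are assumptions.

```python
"""Flag OAuth2 permission grants that give an unvetted application the
ability to read or move tenant data and to keep doing so unattended."""

# Microsoft Graph delegated scopes that expose user files or mail.
HIGH_RISK_SCOPES = {
    "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All",
    "Sites.ReadWrite.All", "Mail.Read", "Mail.ReadWrite", "Mail.Send",
}
# Lets the app obtain refresh tokens and keep access after the session ends.
PERSISTENCE_SCOPE = "offline_access"

# Application (client) IDs the tenant has vetted. Assumption for this example.
APPROVED_CLIENTS = {"11111111-1111-1111-1111-111111111111"}

# Constructed sample grants shaped like Graph oauth2PermissionGrant objects;
# displayName is added for readability and every ID here is made up.
SAMPLE_GRANTS = [
    {"displayName": "Contoso HR Portal", "clientId": "11111111-1111-1111-1111-111111111111",
     "consentType": "AllPrincipals", "principalId": None, "resourceId": "graph",
     "scope": "Files.ReadWrite.All offline_access User.Read"},
    {"displayName": "Document Sync Helper", "clientId": "22222222-2222-2222-2222-222222222222",
     "consentType": "Principal", "principalId": "user-0042", "resourceId": "graph",
     "scope": "Files.ReadWrite.All offline_access User.Read"},
    {"displayName": "Lunch Poll", "clientId": "33333333-3333-3333-3333-333333333333",
     "consentType": "Principal", "principalId": "user-0042", "resourceId": "graph",
     "scope": "User.Read"},
    {"displayName": "Mail Archiver", "clientId": "44444444-4444-4444-4444-444444444444",
     "consentType": "AllPrincipals", "principalId": None, "resourceId": "graph",
     "scope": "Mail.Read Files.Read.All User.Read"},
]


def score_grant(grant):
    """Return (score, reasons) for one grant. The score grows with the number
    of data scopes, with offline_access alongside them, and with tenant-wide
    (admin) consent, which reaches every user at once."""
    scopes = set(grant["scope"].split())
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    score, reasons = len(risky), []
    if risky:
        reasons.append("data scopes: " + ", ".join(risky))
        if PERSISTENCE_SCOPE in scopes:
            score += 1
            reasons.append("offline_access keeps refresh tokens alive")
        if grant["consentType"] == "AllPrincipals":
            score += 2
            reasons.append("admin consent applies to every user in the tenant")
    return score, reasons


def review_grants(grants, threshold=2):
    """Findings for unapproved clients at or above the threshold, worst first."""
    findings = []
    for g in grants:
        if g["clientId"] in APPROVED_CLIENTS:
            continue
        score, reasons = score_grant(g)
        if score >= threshold:
            findings.append({"app": g["displayName"], "clientId": g["clientId"],
                             "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in review_grants(SAMPLE_GRANTS):
        print(f"{f['score']}  {f['app']}  ({f['clientId']})")
        for r in f["reasons"]:
            print("    -", r)
```

    The allowlist keyed on client ID, not display name, is deliberate: a malicious app can call itself anything, and the report’s apps were created by the attacker rather than impersonating a known publisher. A grant to an unknown client that carries file scopes plus offline_access is the case to revoke first, even when only one user consented.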

    By removing the 18 Azure AD apps, Microsoft crippled the Chinese hacker group’s attacks, at least for a short while, but it also forced the hackers to re-think and re-tool their attack infrastructure.
    In addition, Microsoft said it also worked to take down a GitHub account that the same Gadolinium group had used as part of its 2018 attacks. This action may not have had an impact on new operations, but it did prevent the hackers from reusing the same account for other attacks in the future.
    Microsoft’s actions against this Chinese hacker group aren’t an isolated case. Over the past few years, Microsoft has repeatedly intervened to take down malware infrastructure, whether it was used by low-level cybercrime operators or by high-end state-sponsored hacker groups.
    In previous interventions, Microsoft also targeted the infrastructure used by other nation-state groups, tied to Iranian, North Korean, and Russian cyber-operations.

  • Twitter prepares for US election with new security training, penetration tests

    Twitter said today it’s been working over the past months to bolster its internal security by requiring staff to go through additional security training, engaging in penetration tests, and by deploying hardware security keys to all employees.
    The measures announced today are part of Twitter’s effort to prevent a repeat of the July 2020 hack during the US presidential election later this fall.
    In July this year, hackers phished Twitter staffers, gained access to its internal platform, and then tweeted a cryptocurrency scam via high-profile and verified accounts. Some of the defaced accounts belonged to political figures, including presidential candidate Joe Biden.
    Twitter learned a hard lesson in July, and in a blog post today authored by Parag Agrawal, Twitter Chief Technical Officer, and Damien Kieran, Twitter Data Protection Officer, the company said it has taken corrective actions.
    Staff to go through security training more often
    The first of these was to require that all new hires go through a “Security and Privacy & Data Protection training.”
    Second, Twitter also introduced new courses and increased the frequency and availability of existing courses for all employees.
    Third, Twitter also introduced two new mandatory training sessions for people who have access to non-public information stored in its backend tools.
    “These trainings make clear the dos and don’ts when accessing this information and ensure employees understand how to protect themselves when they are online so they can better avoid becoming phishing targets for attackers,” Agrawal and Kieran said today.
    Twitter employees now use hardware security keys
    Additional changes were also made to secure coding, threat modeling, privacy impact guidelines, so future in-house backend tools would be developed with more security features from the get-go.
    But since the July hack started from a phishing attack, Twitter employees also received hardware security keys from the company. Employees are to use these security keys to access various sections of Twitter’s infrastructure.
    Even if an attacker obtains a Twitter employee’s credentials, the credentials alone are not enough: access to a Twitter service also requires the hardware key registered to that account, so a phished username and password cannot be replayed without it.
    Twitter underwent penetration tests
    However, Twitter is also keeping its eye on the bigger picture, which is the upcoming US presidential election, a consequential event during which the company expects it may be targeted again.
    To prepare, Agrawal and Kieran said Twitter has been running penetration tests and exercises against its platform and staff in a controlled environment.
    “Specifically, over a five month period from March 1 to August 1, Twitter’s cross-functional elections team conducted tabletop exercises internally on specific election scenarios,” Agrawal and Kieran said.
    “Some of the topics included: hacks and other security incidents, leaks of hacked materials, platform manipulation activity, foreign interference, coordinated online voter suppression campaigns, and the post election day period.”
    Other measures the company has taken to safeguard the US elections and limit foreign interference were to impose new security rules for US political accounts, launch a dedicated US election hub to counter misinformation, and tweak its rules on what counts as election misinformation.

  • Polish police shut down hacker super-group involved in bomb threats, ransomware, SIM swapping

    Polish authorities said today they have shut down a hacker super-group that had a hand in a wide range of cybercrime operations: ransomware attacks, malware distribution, SIM swapping, banking fraud, fake online stores, and even bomb threats made on behalf of paying customers.
    Four suspects were arrested this week, and four more are under investigation.
    According to reports in Polish media, the hackers have been under investigation since May 2019, when they sent a first bomb threat to a school in the town of Łęczyca.
    Investigators said that an individual named Lukasz K. found the hackers on internet forums and hired them to send a bomb threat to the local school, but make the email look like it came from a rival business partner.
    The man whose identity was spoofed in the email was arrested and spent two days in prison before police figured out what happened.
    When the framed businessman was released from jail, he hired a well-known private investigator to track down the culprits behind the fake bomb alert.
    Investigators said that when the hackers realized what was happening, they then hacked a Polish mobile operator and generated invoices for thousands of zlotys (the Polish currency) in the name of both the detective and the framed businessman.
    Bomb threats against 1,066 kindergartens
    Other bomb threats were also linked to the hacker group, such as bomb threats against the Western Railway Station in Warsaw, Poland’s capital.
    But the most notorious incident the hackers were linked to took place on June 26 and 27, 2019, when they were hired to send bomb threats to 1,066 kindergartens across Poland.
    In total, 10,536 people from 275 kindergartens were evacuated following their email threats, according to Polish TV station TVN24.
    Investigators said that for each fake bomb threat they sent, the hackers asked for 5,000 zlotys (~$1,300) in payment.
    Ransomware, RATs, phishing, SIM swapping
    But Polish authorities said this wasn’t the group’s only method of income. While police started looking into the hackers because of the bomb threats, they also discovered a long list of crimes that tied back to the group’s members across the years.
    Most of the time, the hackers distributed malware via email phishing attacks. Polish tech news site Otopress reports that the group was linked to 87 different domains used to distribute malware.
    Infosec news site Zaufana Trzeciastrona (Trusted Third Party), said the group was involved in the distribution of malware strains for both Windows and Android devices, such as Cerberus, Anubis, Danabot, Netwire, Emotet, and njRAT. All in all, authorities put the number of infected victims in the thousands.
    Investigators said that from infected users, the hackers would steal personal details, which they’d use to steal money from banks with weak security.
    In case some banks had implemented multiple authentication mechanisms, the group would then use the information they stole from infected victims to order fake IDs from the dark web, and then use the IDs to trick mobile operators into transferring the victim’s account to a new SIM card.
    Using this SIM card, the hackers would then reset passwords for the victim’s online accounts or bypass two-factor authentication (2FA) to steal money from victims.
    Polish media says the group was able to steal 199,000, 220,000 and 243,000 zlotys ($50,000, $56,000, and $62,000) in three separate incidents using this technique.
    The hackers also tried to steal 7.9 million zlotys ($2 million) from one victim, but this attempt was stopped when the bank called the victim’s phone number to confirm the transaction. Because the number had been SIM-swapped, the bank official reached the hackers instead, did not recognise the customer’s voice from previous conversations, and blocked the transaction.
    Group also ran fake online stores
    Furthermore, Polish officials also said the group also created 50 fake online stores where they sold nonexistent products to defraud more than 10,000 buyers.
    According to Zaufana Trzeciastrona, the hacker group’s members arrested today were:
    Kamil S., also known under his hacker handle of “Razzputin,” and a member active on many Russian-speaking hacker forums like Exploit and Cebulka.
    Pawel K., operating under the pseudonym “Manster_Team,” mostly involved in banking crime.
    Janusz K., involved in most crimes in one form or another.
    Lukasz K., described as an important figure in the underground world.
    Four others — Mateusz S., Radosław S., Joanna S. and Beata P. — are also under investigation for ties to the group.
    Europol also issued a press release today about the arrests, suggesting that the group most likely had victims outside Poland as well.

  • BlackBerry's Q2 benefits from security demand amid remote work shifts

    BlackBerry’s fiscal second quarter was better than expected largely due to its Spark security software suites, which have seen strong demand due to the remote work trend.
    The company, which provides security, device management and software for automobiles and infotainment systems, reported a second quarter net loss of 4 cents a share on revenue of $259 million. Non-GAAP earnings for the quarter were 11 cents a share to top estimates by 9 cents a share.
    BlackBerry didn’t provide an outlook for fiscal 2021 due to the COVID-19 pandemic. The company said it saw recovery in its QNX business, which was hampered by a decrease in auto production.
    CEO John Chen, however, did note that QNX was landing design wins and positioned well for the future.
    But much of the focus was on BlackBerry’s Spark business.
    Chen said:

    The Spark Suites combine BlackBerry unified endpoint management, the UEM, and unified endpoint security, the UES. We combined the 2 products in one single pane of glass. The Spark Suites were launched at the end of our first fiscal quarter, and since then, customer interest has been strong and demand is growing. In the quarter, a number of high-profile customers purchased our Spark Suite, including the United States Air Force, which upgraded over 90,000 users from UEM to a Spark Suite. Other wins include U.K. Ministry of Defense, Royal Canadian Mint, Anko, Banco de México, New Zealand Ministry of Foreign Trade, Rolls Royce, Lloyds Bank, Société Générale and Mitsubishi, just to name a few.

    Chen said BlackBerry continues to see momentum for its Spark Suite due to work from anywhere arrangements and the security BlackBerry provides.
    The irony of BlackBerry’s security success is that it is driven by remote work, a trend that Chen isn’t thrilled about.

    Personally, I believe if everybody worked from home forever, it will hurt productivity. It will hurt innovation. But I think there will be a hybrid model that’s being developed.

    Nevertheless, Chen said demand for mobile and endpoint security will remain strong while working arrangements are settled.

  • Mobile security: These seven malicious apps have been downloaded by 2.4m Android and iPhone users

    Almost two and a half million Android and iPhone users downloaded seven adware apps from the Google Play Store and Apple App Store, according to research by a cybersecurity company.
    Many of the apps were being promoted via TikTok and Instagram accounts – one of which had over 300,000 followers. Detailed by cybersecurity researchers at Avast, the apps have been brought to the attention of Apple and Google.
    The apps themselves are all relatively simple – prank applications to ‘shock’ friends, music downloaders and wallpaper apps, but they all aggressively display pop-ups which either outright charge users for using additional functions, or display adverts that take up the entire screen, requiring users to click on them to remove them. Both schemes generate revenue for those behind the apps.
    One of the ways the apps got past the review processes of the official Android and Apple app stores is that they are HiddenAds trojans: the package submitted for review looks legitimate, and the malicious behaviour is driven by instructions the app receives from outside itself once installed.
    That means the activity only emerges after the user has installed the app and granted permissions; the app then takes its instructions from an external source, which in this case were to display intrusive adverts and demand individual charges of up to $8 from users.
    “The apps we discovered are scams and violate both Google’s and Apple’s app policies by either making misleading claims around app functionalities, or serving ads outside of the app and hiding the original app icon soon after the app is installed,” said Jakub Vávra, threat analyst at Avast.  
    The apps that have been removed from Google Play include ThemeZone – Shawky App Free – Shock My Friends, Ultimate Music Downloader – Free Download Music. Another set of apps including Shock My Friends – Satuna, 666 Time, ThemeZone – Live Wallpapers and shock my friend tap roulette v are no longer available from the Apple App store in the UK.
    While adware, malware and other malicious apps can be difficult to identify, the simplest protection is not to install them in the first place, and reading app reviews carefully helps: low ratings and complaints about functionality or excess charges can indicate something is wrong.
    Users should also be wary of apps which charge excessive amounts for basic features as it’s likely a sign that something isn’t right, while it’s also a good idea to check the permissions the app asks for, because asking for excessive access to the device could also be a sign that something isn’t right.
    The researchers note that one of the apps requests access to a device’s external storage, which can include photos, videos, and files, depending on how the storage is used. “Accessing external storage is not a must for a wallpaper app,” said Vávra.
    “So rather than just tapping “Allow,” the next time a new app asks for certain permissions, take a minute to think about whether or not it really needs that access. Does a weather app need to access your microphone? Nope. Does a wallpaper app need to access your storage? Nope. That’s a sign the app is likely a scam,” he added.
    Google told ZDNet that the offending apps have been removed from the store – although ZDNet has informed Google that at the time of writing one remains. Apple hasn’t responded to a request for comment.


  • ICO fines profiteering UK firm for touting coronavirus products over spam texts

    The UK Information Commissioner’s Office (ICO) has fired a warning shot at companies trying to milk the COVID-19 pandemic for profit by fining a spam-happy marketing firm. 
    On Thursday, the consumer protection and data watchdog said that Digital Growth Experts Limited (DGEL), a company registered in London which previously operated as Motorhome Brokers Ltd., “flouted the law in order to profiteer from the coronavirus pandemic.”
    The ICO claims that DGEL sent over 16,000 cold, nuisance marketing texts to UK consumers between February and April this year — at the height of the pandemic’s first wave.  DGEL’s “profiteering” messages offered hand sanitizers to the general public, together with the promise that the products were “effective against coronavirus.”
    The hand sanitizer, called “Zoono,” was offered on Zoono.io, a website set up by the company. Now, visiting the domain leads to a US eBay store offering the same product, but there is no mention of COVID-19 or its apparent protection against the virus. 
    The spam messages were sent via Voodoo SMS, a bulk SMS message platform. According to the ICO, DGEL claimed to have obtained its marketing list via “website lead capture,” but regulators were not satisfied that this explanation could be considered a legal, soft opt-in marketing program. 
    Current UK legislation says that “a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.”
    In other words, under UK law — in particular, the Privacy and Electronic Communications Regulations 2003 (PECR) — unwanted solicitation via email and text is illegal, and in this case, no substantial evidence of consent from subscribers receiving marketing messages from DGEL was found. 
    As a result, the ICO has fined the company £60,000 ($76,000). 
    “DGEL played upon people’s concerns at a time of great public uncertainty, acting with a blatant disregard for the law, and all in order to feather its own pockets,” commented Andy Curry, Head of Investigations at the ICO. “We will prioritize action on organizations carrying out similar activity.”