More stories

    MITRE releases emulation plan for FIN6 hacking group, more to follow

    MITRE and cyber-security industry partners have launched a new project that promises to offer free emulation plans that mimic today’s biggest hacking groups in order to help train security teams to defend their networks.
    Named the Adversary Emulation Library, the project is the work of MITRE Engenuity’s Center for Threat-Informed Defense.
    The project, hosted on GitHub, aims to provide free-to-download emulation plans.
    Emulation plans are a collection of step-by-step guides, scripts, and commands that describe and perform malicious operations commonly observed in the playbook of a specific adversary.
    The goal of an emulation plan is to test network defenses and see if automated security systems or human operators detect attacks before, during, and after they’ve taken place — and then update security procedures to account for any lapses.
    First emulation plan — FIN6
    The first entry in MITRE’s Adversary Emulation Library is an emulation plan for FIN6, one of today’s biggest financially-motivated cybercrime groups.
    FIN6 has been active since 2015 and is primarily known for targeting companies operating high-traffic POS (Point-of-Sale) payment terminals, where it compromises internal networks to install POS malware that steals payment card information.
    The FIN6 plan is the first of many that MITRE intends to make freely available in the coming months.
    The plans are being put together by MITRE and multiple industry partners that are part of MITRE Engenuity, a non-profit currently made up of 23 organizations from around the globe with highly sophisticated security teams.
    Microsoft, Fujitsu, and AttackIQ are MITRE Engenuity members and worked with MITRE on the FIN6 plan released today.
    Before establishing the MITRE Engenuity non-profit to work on these plans and make them available for free, the MITRE Corporation had released two other emulation plans: the first for APT3 (a Chinese state-sponsored hacking group) in 2017, and a second for APT29 (a Russian state-sponsored hacking group) earlier in 2020.
    The positive feedback from these two releases inspired MITRE leadership to codify a structure for emulation plans together with industry partners, according to a blog post published earlier this week by Jon Baker, Department Manager at The MITRE Corporation.
    A little-known fact about FIN6 is that the group also sometimes deploys ransomware on some of the networks it hacks, along with Magecart-like skimmers. Both of these details are included in MITRE’s FIN6 emulation plan, which speaks to the quality and accuracy of the documents released today.
    Until MITRE Engenuity releases additional plans, security teams looking to quench their curiosity can also take a look at the adversary emulation plans released by Scythe over the summer.

    Image: General structure of the FIN6 emulation plan

    Hackers are getting more hands-on with their attacks. That's not a good sign

    There’s been a sharp rise in sophisticated hands-on hacking campaigns over the course of this year, with the first six months of 2020 seeing more of these intrusions than the total number for the whole of 2019.
    A hands-on intrusion is when human hackers actively explore compromised systems themselves rather than relying on programmed scripts which perform automated tasks.
    The rise in attacks is attributed to a combination of cyber criminals continuing to evolve their tools, techniques and procedures, as well as the way hacking groups have exploited the rise in remote working driven by the COVID-19 pandemic as a means of gaining access to accounts and networks.
    The findings are detailed in CrowdStrike’s Threat Hunting Report 2020, based on potential ‘hands-on’ intrusions identified by the cybersecurity company’s team. The first half of 2020 saw 41,000 intrusions, a higher figure than the 35,000 detected during all of 2019, according to the company.
    “The most alarming thing from a 2020 perspective has been the volume and the reach of the amount of intrusions we’ve observed,” Jennifer Ayers, VP at CrowdStrike, told ZDNet.
    “Keep in mind that the report is essentially the first half of the year and in half a year we’ve already significantly exceeded the volume of what we observed in 2019 and 2018. It’s really a testament to how troubled the landscape truly is”.
    The hands-on campaigns are based around hackers gaining access to the network – often via leaked or stolen credentials to an employee account or an exposed RDP server – then using the legitimate access those accounts or systems offer to move across the network, gradually securing the means to gain more and more access. And because this is gained legitimately, it’s often difficult to notice unusual activity.
    It used to be that this type of sophistication was reserved for nation-state backed hacking groups, but now it’s regularly demonstrated by cyber criminal gangs too.
    “Hands-on keyboard sophistication used to be just the domain of nation-states. As we’ve seen more and more criminal organisations start to explore that, we’ve really seen the explosion,” said Ayers.
    “Sophistication has definitely changed over the last two years and we’re seeing much, much more of that in 2020”.
    But while nation-states are using these intrusions for cyber espionage campaigns and stealing intellectual property, cyber criminal groups are often using these kinds of intrusions to lay down the ground work for expansive ransomware campaigns which result in whole networks being encrypted and millions of dollars being demanded in return for the decryption key.
    According to the report, almost all sectors have seen an increase in intrusive cyber attacks over the course of this year, with technology, telecommunications and finance some of the most frequently targeted. Manufacturing has also seen a dramatic increase in attacks, rising to the second most targeted industry this year when it didn’t feature in the top ten in 2019.
    However, despite the increasing number of hands-on, sophisticated hacking campaigns, it’s still very much possible for organisations to protect themselves from attacks by following security basics such as applying patches and security updates, and avoiding the use of vulnerable passwords.
    “Keep with the basics of security. If there’s one area you should really be focusing on it’s on your perimeter, make it difficult for them to get in in the first place. Keep security awareness going and make sure your employees know that a lot of hacks still start with phishing emails,” Ayers said.
    Multi-factor authentication can also play a vital role in protecting users and systems.
    “There’s so many ways to do this, it’s not remotely expensive anymore. And so for ten bucks to enable multi-factor authentication, just pay the ten bucks. Because it’s going to be better than paying millions after a ransomware attack,” Ayers said.

    Tencent expanding Singapore footprint to drive SEA expansion

    Tencent is looking to set up its Southeast Asian base in Singapore, where it is currently looking to fill dozens of positions. The move comes amidst China’s worsening relations with the US and India, which have led to Chinese apps being banned in both countries.
    In a statement sent to ZDNet and other media outlets, Tencent said it was “expanding its business presence” in Singapore to support the company’s expansion in Southeast Asia. It added that the new Singapore office would be a “strategic addition” to its current offices in Malaysia, Indonesia, and Thailand. 

    Tencent added that the new outfit would allow the company to tap the rapid pace of digitisation and meet demand for internet-based services in Singapore. It did not provide any investment figures.
    A quick check on LinkedIn showed dozens of job openings in the city-state from the Chinese tech giant, including roles in business development, data science, cloud, WeChat product operations, and security. 
    Its expansion plans in Singapore come amidst China’s increasingly tense relationship with the US, where Donald Trump last month issued executive orders banning Chinese apps, specifically TikTok and WeChat, in his country. The Indian government followed suit early this month, restricting 118 apps it alleged were “stealing and surreptitiously transmitting” user data to servers outside of India. Amongst these were apps from Baidu, WeChat, AliPay, and Sina News.
    Tencent in March had launched an international version of its cloud-based video conferencing tool, called Tencent Meeting or VooV Meeting on app stores, in more than 100 markets, including Singapore, India, Japan, Thailand, and Malaysia. 
    Often dubbed Asia’s Switzerland for its staunch neutrality, Singapore has said it would not take sides in global disputes and views both China and the US as “good friends”. Singapore’s Prime Minister Lee Hsien Loong has noted that the US is a major defence security partner, from which Singapore purchases advanced military equipment including missiles and military aircraft, while Singapore also has economic partnerships with China that include three major city projects between both governments in Suzhou, Tianjin, and Chongqing.
    TikTok’s parent company ByteDance is reportedly looking to set up its Asian hub in Singapore, where it plans to invest several billion dollars. Citing sources familiar with the issue, a Bloomberg report said the Chinese company would hire hundreds over the next three years and had applied for a digital bank licence in Singapore.

    US reaches $1.5 billion settlement with Daimler over emissions scandal

    US prosecutors and Daimler AG have agreed on a settlement worth $1.5 billion to lay to rest the emissions cheating scandal. 

    On Monday, the US Department of Justice (DoJ) said the deal, proposed between the DoJ, Environmental Protection Agency (EPA), California Air Resources Board (CARB), and Daimler — as well as its US subsidiary Mercedes-Benz USA — will wipe the slate clean when it comes to allegations of violating the US Clean Air Act.
    Under the terms of the settlement, set in the US District Court for the District of Columbia, Daimler will agree to pay $945 million in penalties, civil and otherwise. In addition, the automaker will recall and repair every Mercedes-Benz diesel vehicle sold in the US with a defeat device, the gadget at the heart of the emissions scandal. 
    The emissions scandal involving Volkswagen and Daimler came to light back in 2016. So-called “clean diesel” engines were developed to enable the sale of vehicles in the United States, but engineers realized the engines were pumping out more nitrogen oxide (NOx) than legally allowed.
    Defeat devices were developed to ensure tests in laboratories would show that clean diesel vehicles conformed to US laws, but in real-world situations, NOx levels were far higher. 
    The discrepancy and defeat devices were discovered by the US Environmental Protection Agency (EPA) and the California Air Resources Board (CARB), leading to the complaint. Volkswagen was previously ordered to pay up to $14.7 billion to resolve Clean Air Act violation charges. 
    The DoJ says that Daimler must recall and repair vehicles sold in the US between 2009 and 2016. At no cost to customers, the company will remove defeat devices and update vehicle software to bring cars in line with US environmental laws. 
    In addition, the Stuttgart, Germany-based company must extend warranties for updated software and hardware in the repaired vehicles, and launch “projects” to further reduce NOx emissions from these vehicles.
    These projects are expected to cost Daimler roughly $436 million, while another $110 million has been earmarked for mitigation projects in California alone. The settlement is worth approximately $1.5 billion in total. 
    A deadline has been set for repairs, too. Daimler is not being allowed to drag its feet, with the imposition of a two-year period to repair at least 85% of cars, and a three-year timeline has been set to patch up at least 85% of affected vans. Repaired vehicles must be tested once a year for the next five years to ensure they meet environmental standards.
    If Daimler does not meet these targets, the DoJ warns that the automaker “will face stiff penalties.” 
    Furthermore, the automaker is required to implement new internal procedures, including testing both diesel and gas engines properly in real-world conditions, creating a whistleblower channel, and performing internal audits available for review by an external consultant. 
    “By requiring Daimler to pay a steep penalty, fix its vehicles free of charge, and offset the pollution they caused, today’s settlement again demonstrates our commitment to enforcing our nation’s environmental laws and protecting Americans from air pollution,” Deputy Attorney General Jeffrey Rosen commented.


    The idea of consent works its way back into Australia's data-sharing Bill

    The federal government is hoping to “modernise” and “streamline” its use of the data it holds as well as set guidelines on how it shares that data between agencies and with the private and research sectors.
    An exposure draft of the Data Availability and Transparency Bill 2020 was published this week, with Minister for Government Services Stuart Robert delivering the message that the data reforms presented in the draft Bill are an opportunity to establish a new framework that is able to proactively assist in designing better services and policies.
    “The reforms encourage our academics and the research community to innovate and find new insights from public sector data without having to go through stifling and vague bureaucratic processes when working with data custodians,” the draft Bill’s consultation paper [PDF] says.
    The government initially announced its intentions to introduce the Data Availability and Transparency Act (DATA) in May 2018 when it stood up the Office of the National Data Commissioner (NDC) to draft the legislation in response to the 2016 Productivity Commission Data Availability and Use report.
    The government in 2018 also pledged AU$65 million to “reform” the Australian data system, with the National Data Advisory Council then being established the following year to provide advice to the NDC on ethical data use, community expectations, technical best practice, and industry and international developments.
    The new Bill, in a nutshell, creates a scheme of controlled access to public sector data.
    “When data is shared, access is granted to users in a controlled manner, for example, under memoranda of understanding or through contracts. Currently, sharing is done in an ad hoc manner, with users potentially having to establish their credentials every time they interact with the system,” the paper continues.
    “Sharing is subject to legislative protections and the individual agencies’ interpretations of them. Often interpretations are not revisited as technology evolves and community expectations around reasonable use and reuse of data change.
    “This sharing space is ripe for reform. Modernising the safeguards and regulating the sharing space can enable Australians to benefit from better services, policies, programs, and research.”
    The Bill aims to: Promote better availability of public sector data, enable consistent safeguards for sharing public sector data, enhance integrity and transparency in sharing public sector data, build confidence in the use of public sector data, and establish institutional arrangements for sharing public sector data.
    According to the paper, the Bill would provide an alternative pathway to share data where it is currently prevented by secrecy provisions or where it simplifies existing pathways.
    “The Bill will authorise sharing of public sector data by data custodians with an accredited user, only for the permitted data sharing purposes and only if effective safeguards are in place,” the paper adds.
    Under the proposed legislation, data would only be shared for three purposes: Government services delivery, informing government policy and programs, and research and development.
    The Bill does not authorise sharing for precluded purposes, including law enforcement or national security purposes. It also excludes the sharing of operational data and evidence before courts, tribunals, and certain agencies with oversight or integrity functions.
    It also stipulates that the five data sharing principles would need to be applied for each data sharing project. The data sharing principles are based on the Five Safes Framework that already guides several agencies on how to safely share data; that is, data is shared only for appropriate projects, only with appropriate people, and in an appropriately controlled environment. In addition, only the appropriate data is shared and outputs need to be as agreed and appropriate for future use.
    In a discussion paper in September 2019, the federal government tweaked what it proposed the year prior by removing a fundamental element of privacy — consent.
    It proposed that the Data Sharing and Release legislation not require consent for the sharing of personal information.
    “Instead, we are placing the responsibility on data custodians and accredited users to safely and respectfully share personal information where reasonably required for a legitimate objective,” the discussion paper said.
    The government’s position on consent has since become more nuanced, with the paper saying that any sharing of personal information is to be done with the consent of the individuals, unless it is unreasonable or impracticable to seek their consent.
    “For projects where data scheme entities do not seek consent, other safeguards outlined by the data sharing principles can be dialled up to protect privacy,” it added.
    The NDC is empowered under the Bill to provide advice, guidance, regulatory, and advocacy functions in order to oversee the scheme.
    “The Commissioner will promote better sharing and release of public sector data by driving cultural change and supporting capability building among data scheme entities,” the paper continues.
    The Commissioner would also accredit entities to “build trust in the system, and standardise and streamline existing processes”.
    “Now more than ever, it is clear that we need to get better at using the information we already collect, instead of asking the same questions again and again,” Robert said.
    “For too long, there has been a lack of a consistent and clear framework for making good use of data. We need to make sure the information the government collects and holds can be accessed in a safe and timely way to respond to the needs of Australians.”
    Submissions on the exposure draft close 6 November 2020.

    Telstra launches pilot to block phishing texts spoofing Services Australia

    Telstra has taken the wraps off a pilot program that will see it block fake messages claiming to be from myGov or Centrelink before they hit the phones of the telco’s customers.
    The telco worked with the Australian Cyber Security Centre (ACSC) and Services Australia on the layer 3 blocking effort.
    Telstra CEO Andy Penn told ZDNet that the program has completed its proof-of-concept stage and would be fully rolled out across its network by the end of the year.
    Penn also said involving the ACSC allowed for information sharing between government and industry, and by sharing information there was a greater chance of mitigating malicious acts.
    “It’s not so much that ACSC has got something that we don’t, or we’ve got something the ACSC doesn’t have — we both look at the world through a different lens, and we both have access to information, probably, that the other party doesn’t,” he said.
    If the pilot is successful, it would then be rolled out to other Australian telcos, Minister for Defence Linda Reynolds told ZDNet.
    “This is a national problem that requires a truly collaborative national approach,” she said.
    Earlier, the minister said the number of malicious texts had not increased significantly due to the coronavirus pandemic.
    “What has changed is that cyber criminals are getting better at adopting their tradecraft,” Reynolds said.
    “They are exploiting people’s concerns, and also their desire for information during COVID-19.”
    Reynolds added the messages directed people to sites where malware could be installed and personal information is obtained.
    Telstra in May unveiled its Cleaner Pipes program to fight malware passing through its network.
    The initiative focuses on blocking command and control communications of botnets, the downloading of remote access trojans, as well as other forms of malware. The telco said at the time it was already blocking “millions of malware communications” when the traffic hits its infrastructure.
    “This action reduces the impact of cyber threats on millions of Telstra’s customers including stopping the theft of personal data, financial losses, fraudulent activity and users’ computers being infected with malware. We know many consumers and small businesses do not have the resources to adequately protect themselves,” Penn said.
    “Cleaner Pipes means we are able to more actively block cyber threats on our network that would compromise the safety of our customers’ personal information. While it will not completely eliminate the risk, or substitute appropriate threat protection, it will contribute to significantly reducing the volumes and impact.”
    Should Telstra customers click on a blocked link, they will be presented with a block page. The telco also said in May it had been trialling Cleaner Pipes for a year, and this had sat alongside its efforts to block malicious SMS and scam calls. Telstra said it blocks over half a million scam calls each month.
    In July, a Penn-chaired industry advisory panel recommended in its report that ACSC be able to “disrupt cyber criminals on the Dark Web and to target the proceeds of cybercrime” and hold malicious actors accountable through law enforcement, diplomacy, or even economic sanctions.
    “The Australian government should openly describe and advocate the actions it may take in response to a serious cybersecurity incident to deter malicious cyber actors from targeting Australia,” the report recommended.
    The report also called for “larger, more capable” government departments to help out the cyber defences of smaller agencies.

    Department of Veteran Affairs discloses breach impacting 46,000 veterans

    The Department of Veterans Affairs (VA) has disclosed today a security breach during which the personal information of around 46,000 veterans was obtained by a malicious third party.
    Officials said the breach took place after “unauthorized users” accessed an online application managed by the VA Financial Services Center (FSC).
    The VA said the hackers used “social engineering techniques” and exploited the “authentication protocol” to gain access to the FSC app and then divert VA payments intended for healthcare providers for the medical treatment of US veterans.
    While officials are still investigating the incident, the VA believes that the hackers might have also accessed veteran records, including Social Security numbers.
    “To protect these Veterans, the FSC is alerting the affected individuals, including the next-of-kin of those who are deceased, of the potential risk to their personal information,” the VA said in a press release on Monday. “The department is also offering access to credit monitoring services, at no cost, to those whose social security numbers may have been compromised.”
    To prevent further intrusions and possible payment order hijacks, VA officials said they took down the compromised FSC app and do not intend to bring it back up until after a “comprehensive security review.”
    This is the second security breach announced by the VA in its history. The first one took place in 2006, when an unknown party stole a laptop and an external hard drive containing the personal records of 26 million veterans during a robbery at an employee’s house. A subsequent Inspector General report found the VA guilty of acting “with indifference and little sense of urgency” after the loss of the computer hardware.

    Magento online stores hacked in largest campaign to date

    More than 2,000 Magento online stores have been hacked over the weekend in what security researchers have described as the “largest campaign ever.”
    The attacks were a typical Magecart scheme where hackers breached sites and then planted malicious scripts inside the stores’ source code, code that logged payment card details that shoppers entered inside checkout forms.
    “On Friday, 10 stores got infected, then 1,058 on Saturday, 603 on Sunday and 233 today,” said Willem de Groot, founder of Sanguine Security (SanSec), a Dutch cyber-security firm specialized in tracking Magecart attacks.
    “This automated campaign is by far the largest one that SanSec has identified since it started monitoring in 2015,” de Groot added. “The previous record was 962 hacked stores in a single day in July last year.”
    Most stores were running an EOL version
    The SanSec exec said that most of the compromised sites were running version 1.x of the Magento online store software.
    This Magento version reached end-of-life (EOL) on June 30, 2020, and no longer receives security updates.
    Ironically, attacks against sites running the now-deprecated Magento 1.x software were anticipated since last year when Adobe — which owns Magento — issued the first alert in November 2019 about store owners needing to update to the 2.x branch.
    Adobe’s initial warning about impending attacks on Magento 1.x stores was later echoed in similar security advisories issued by Mastercard and Visa over the spring.
    In our coverage of the Mastercard and Visa alerts, several experts in the web security community told this reporter that new Magento 1.x vulnerabilities hadn’t been spotted in a while, which was uncharacteristic, as the 1.x branch was old and was riddled with security holes.
    At the time, those security experts believed that hackers were intentionally sitting on their Magento 1.x exploits and waiting for the EOL to come around, to make sure Adobe wouldn’t patch their bugs.
    It seems those experts were right.
    While de Groot hasn’t yet identified how hackers broke into the sites that have been targeted over the weekend, the SanSec founder said that ads for a Magento 1.x zero-day vulnerability had been posted on underground hacking forums last month, confirming that hackers had waited for the EOL to come around.
    In the ad, a user going by the name of z3r0day offered to sell a remote code execution (RCE) exploit for $5,000, an offer that was deemed credible at the time.

    The good news is that since November 2019, when Adobe started urging Magento owners to migrate to the newer branch, the number of Magento 1.x stores has gone down from 240,000 to 110,000 in June 2020, and to 95,000 today.
    The pace is slow, but it’s believed that many of the stores that haven’t been updated are most likely abandoned and have very low user traffic. Nonetheless, some high-traffic sites are still running the 1.x branch and relying on web application firewalls (WAFs) to stop attacks.
    That’s a risky strategy that, while it may be PCI compliant, may not be a smart decision in the long run.
    In related news, Adobe also announced last week that it partnered with SanSec to integrate the security firm’s database of more than 9,000 Magento malware signatures into the Magento backend, as part of the Security Scan tool.