More stories

  • Money from bank hacks rarely gets laundered through cryptocurrencies

    Despite being regarded as a cybercrime haven, cryptocurrencies play only a very small role in laundering funds obtained from bank hacks, the SWIFT financial organization said in a report last week.
    “Identified cases of laundering through cryptocurrencies remain relatively small compared to the volumes of cash laundered through traditional methods,” said SWIFT, which operates the inter-bank messaging network that banks worldwide use to exchange cross-border payment instructions.
    These traditional methods include the use of money mules, front companies, cash businesses, and investments back into other forms of crime, such as drug trade or human trafficking.
    Past cases of cryptocurrency use to launder stolen bank funds
    SWIFT said that incidents in which hackers laundered money via cryptocurrencies have been few and far between.
    One example listed in the report is a criminal gang that carried out an ATM cashout attack. SWIFT says the gang converted the stolen cash into cryptocurrency rather than using money mules to buy and resell expensive goods with it, which is how most similar groups operate.
    Another example is an Eastern European gang that set up its own bitcoin mining farm in East Asia. The gang used funds stolen from banks to run the farm, mined bitcoin, and then spent the freshly minted coins in Western Europe. When the gang was arrested, SWIFT said, authorities found 15,000 bitcoins valued at US$109 million, two sports cars, and jewelry worth US$557,000 at the house of the group’s leader.
    A further case in which cryptocurrency was used to launder stolen bank funds involves the Lazarus Group, hackers operating for the benefit of the North Korean government. SWIFT said the group stole money from banks, converted it into cryptocurrency, moved the assets across several exchanges to hide their origin, converted them back into fiat currency, and had the proceeds sent to North Korea.
    That is not all. SWIFT also said it has seen “some cases” where hackers used stolen bank funds to buy and load prepaid cryptocurrency cards. These are physical debit cards that hold a cryptocurrency balance rather than fiat money; they can be used at special ATMs to withdraw that balance as fiat currency, or for ordinary card payments.
    SWIFT said several financial platforms in Europe and the UK had been used to load such prepaid cards with bitcoin, which were then used to buy jewelry, cars, and property with the stolen funds.
    Use of cryptocurrency expected to rise
    But SWIFT says these are edge cases when set against the number of incidents and the volume of stolen funds laundered through traditional methods.
    Nevertheless, SWIFT expects the use of cryptocurrency for laundering stolen bank funds to rise.
    One favorable factor is the growing number of recently launched altcoins (alternative cryptocurrencies) designed to provide full transaction anonymity.
    In addition, criminals are increasingly seen using mixers and tumblers, services that obscure the source of cryptocurrency by pooling stolen or laundered funds with large volumes of other users’ legitimate transactions.

    Further, SWIFT warns about online marketplaces where users can sign up with nothing but an email address, hiding their identity, and then buy high-end goods, land, and real estate anywhere in the world: expensive watches, jewelry, gold bars, fine art, luxury penthouses, and tropical islands.
    These three factors give criminal groups a degree of anonymity that money mule gangs and front companies cannot, which is why SWIFT believes more groups will eventually adopt cryptocurrencies to launder stolen bank funds.
    Traditional methods reign supreme
    Nonetheless, SWIFT says that, for the time being, most stolen bank funds are being laundered through tried and tested techniques.
    The stolen funds usually come from (1) attacks on a bank’s money-transfer systems, or (2) attacks on a bank’s ATM systems and related infrastructure.
    These funds are usually laundered using an assortment of techniques, such as money mules, front companies, cash businesses, cryptocurrencies, and investments back into other forms of crime. Some groups might rely on one technique, while others may combine multiple.

    Over time, these techniques have advanced. In its “Follow The Money” report last week, SWIFT highlighted the ingenuity of some money laundering tactics recently observed in the wild. These techniques include:
    • The broad use of several categories of money mules: mules who willingly receive funds into their accounts and forward them to a criminal, mules who use fake IDs to open accounts on behalf of hacker groups, mules who collect cash from cashed-out ATMs, and mules who re-ship items bought with the stolen funds.
    • An increased focus on recruiting money mules among young adults seeking to fund higher education and adults recently out of work.
    • The use of legitimate-looking job ads to recruit money mules, sometimes in Western countries, with many recruits unwittingly working for fake companies set up by criminal gangs.
    • Some gangs sell access to hacked bank accounts, which are then used to launder money without the owner’s knowledge.
    • In other cases, gangs open legitimate bank accounts to receive stolen funds, sometimes months before a hack, so that the accounts have a history and look more legitimate.
    • Where banks apply know-your-customer (KYC) checks and due diligence to new accounts, some groups have recruited insiders at financial institutions to evade or undermine the process.
    • Some gangs use front companies set up in foreign territories to avoid international sanctions.
    • Front companies are most often set up in jurisdictions known for strong banking secrecy laws or weak enforcement of anti-money-laundering regulations (such as parts of East Asia).
    • Gangs handling cash stolen from ATMs usually prefer cash businesses, where they can buy expensive goods to resell later.
    • Casinos are also emerging as a convenient laundering medium: crooks buy chips with the stolen funds, then cash the chips out to obtain a cheque bearing the casino’s name, which passes as a legitimate source of funds.
    These and more are detailed in the SWIFT report.
    “The aim of this report is to illuminate the techniques used by cyber criminals to ‘cash out’ so that SWIFT’s global community of over 11,000 financial institutions, market infrastructures and corporates can better protect themselves,” SWIFT said.

  • Webmaster forum database exposed data of 800,000 users

    A database belonging to the Digital Point webmaster forum leaked the records of over 800,000 users. 

    San Diego, California-based Digital Point describes itself as the “largest webmaster community in the world,” bringing together freelancers, marketers, coders, and other creative professionals. 
    On July 1, the WebsitePlanet research team and cybersecurity researcher Jeremiah Fowler uncovered an unsecured Elasticsearch database containing over 62 million records. In total, data belonging to 863,412 Digital Point users was included in the leak. 
    According to the team, names, email addresses, and internal user ID numbers were made publicly available. 
    In addition, internal records and user post details were stored in the open database. While examining the database to find out who the owner was, the researchers stumbled across sets of data relating to forum members who flagged posts and the reasons behind these reports — including allegations of “bad business dealings,” spam, and other reasons, some described as appearing to be “petty and personal.”

    Aside from the usual consequences of user data theft and phishing, the database could easily have joined the thousands of unsecured MongoDB and Elasticsearch databases wiped in July by Meow, an automated attack script that overwrites a database’s contents with random numbers and the word “meow”.
    “One of the dangers of a non-password protected database is that it is a sitting target waiting to be stolen, encrypted, or deleted,” the team says. 
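    The exposure described above is a configuration problem before it is anything else: an Elasticsearch node bound to a public interface with security switched off answers any request. The following is an added example, not code from WebsitePlanet, Digital Point or Elastic, that reads an elasticsearch.yml and reports whether the API is reachable without authentication. It assumes the flat key: value layout elasticsearch.yml normally uses (no nested YAML, no list-valued network.host), and the two sample configs are constructed for illustration.

```python
"""Flag an elasticsearch.yml that leaves the REST API reachable without authentication."""

# Values Elasticsearch treats as loopback-only bindings for network.host / network.bind_host.
LOOPBACK_VALUES = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines used in elasticsearch.yml (no nesting, no lists).

    Comments and blank lines are skipped and surrounding quotes are stripped from values.
    A stdlib-only reader is used on purpose so the check runs without PyYAML installed.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def assess_exposure(settings):
    """Return (exposed, reasons) for a parsed elasticsearch.yml.

    'exposed' is True only when both conditions hold: the HTTP API binds to a
    non-loopback address AND the security module is off. An absent
    xpack.security.enabled is treated as off, which was the default before Elasticsearch 8.
    """
    bind = settings.get("network.bind_host") or settings.get("network.host") or "_local_"
    reasons = []
    if bind not in LOOPBACK_VALUES:
        reasons.append(f"HTTP API bound to non-loopback address {bind!r}")
    if settings.get("xpack.security.enabled", "false").lower() != "true":
        reasons.append("xpack.security.enabled is not true (no authentication on the API)")
    return (len(reasons) == 2, reasons)


# Constructed samples for illustration (not configuration from Digital Point or anyone else).
WEAK_CONFIG = """
cluster.name: forum-search
network.host: 0.0.0.0        # listens on every interface, including the public one
http.port: 9200
"""

HARDENED_CONFIG = """
cluster.name: forum-search
network.host: 127.0.0.1      # only local clients (or an authenticating reverse proxy) reach it
http.port: 9200
xpack.security.enabled: true # every request must authenticate
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        exposed, reasons = assess_exposure(parse_flat_yaml(cfg))
        print(f"{label}: exposed={exposed}", *reasons, sep="\n  ")
```

    The check is intentionally conservative: a node on loopback with security disabled is reported with a reason but not as exposed, because nothing off-host can reach it; a node on a public address with security enabled still gets a reason, because binding wider than necessary is worth a second look even when authentication is in place.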
    Fowler sent a responsible disclosure notice to Digital Point on July 1, the same day the leak was discovered, by way of a suitable email address found within the database. The alert was taken seriously and access to the database was revoked within hours. 
    However, the forum did not communicate with the researchers or respond to follow-up requests. 
    ZDNet has reached out to Digital Point and will update when we hear back. 


  • Service NSW reveals 738GB of customer data was stolen during email breach

    Service NSW has revealed that the personal information of 186,000 customers was stolen in a cyber attack earlier this year that compromised 47 staff email accounts.
    Following a four-month investigation that began in April, Service NSW said it had identified that 738GB of data, comprising 3.8 million documents, was stolen from the email accounts.
    The one-stop-shop agency said, however, that there was no evidence individual MyServiceNSW account data or Service NSW databases were compromised in the attack.
    “This rigorous first step surfaced about 500,000 documents which referenced personal information,” Service NSW CEO Damon Rees said.
    “The data is made up of documents such as handwritten notes and forms, scans, and records of transaction applications.
    “Across the last four months, some of the analysis has included manual review of tens of thousands of records to ensure our customer care teams could develop a robust and useful notification process.
    “We are sorry that customers’ information was taken in this way.”
    Service NSW said it would now progressively notify affected customers by sending personalised letters via registered post containing information about the data that was stolen and how they could access support, including access to an individual case manager to help with possibly replacing some documents. The agency expects to complete notifying customers in December.
    “Our focus is now on providing the best support for approximately 186,000 customers and staff we’ve identified with personal information in the breach,” Rees said.
    Service NSW also revealed that NSW Police is currently carrying out an investigation into the incident, which has been labelled as a “criminal attack”. 
    A review by the NSW auditor-general into Service NSW’s cybersecurity defences, practices, systems, and education is also underway.
    Service NSW said that in light of the incident it has added security measures to protect against future attacks, including a partnership with IDCare, which will provide the agency with additional “cyber support”.
    “We have accelerated our cybersecurity plans and the modernisation of legacy business processes to keep customer information as safe as possible,” it said.  
    Last week it emerged that information on thousands of New South Wales driver’s licence holders had been exposed, with reports indicating that a cloud storage folder holding over 100,000 images was mistakenly left open.
    Cyber Security NSW confirmed a commercial entity was responsible for the exposure of the scanned driver’s licence images, and said it was that entity’s responsibility to investigate the matter and notify any customers whose data had been breached.
    In June, the New South Wales government committed AU$240 million to bolster the government’s cybersecurity capabilities, including investments towards protecting existing systems, deploying new technologies, and increasing the cyber workforce. 
    Alongside this, the state government announced intentions to stand up a sector-wide cybersecurity strategy and is calling for industry submissions to help shape it. 
    “The 2020 NSW Cyber Security Strategy will ensure the NSW government continues to provide secure, trusted, and resilient services in an ever-changing and developing environment,” Minister for Customer Service Victor Dominello said.
    “The new strategy will be delivered through an integrated approach to prevent and respond to cyber security threats and safeguard our information, assets, services, businesses, and citizens.”

  • Most cyber-security reports only focus on the cool threats


    The vast majority of reports published by the cyber-security industry focus on high-end economic espionage and state-sponsored hacking, ignore threats to civil society, and thereby paint a distorted picture of the threat landscape that later shapes policy-making and academic work.
    In an article published in the Journal of Information Technology & Politics, a team of academics made up of some of today’s biggest names in cyber-security and internet research fields analyzed 700 cyber-security reports published over the last decade, between 2009 and 2019.
    “The reports we collected were derived from two types of sources: first, commercial threat intelligence vendors (629 reports), and second, independent research centers (71 reports),” academics said.
    In addition, the team examined helpline data from AccessNow, a digital rights advocacy group, to understand the threats that end-users themselves actually report.
    The research team, made up of eminent names in the cyber-security field such as Lennart Maschmeyer, Ronald J. Deibert, and Jon R. Lindsay, found that only 82 of the 629 commercial reports (13%) discussed a targeted threat to civil society.
    Of those 82, only 22 placed a threat to civil society at the center of the investigation; the remaining 607 commercial reports focused on cybercrime gangs and nation-state actors (APT groups).
    In contrast, most of the reports produced by independent research centers were focused on the threats to civil society.
    Cyber-security reports are driven by profits
    Maschmeyer, Deibert, and Lindsay believe this is because cyber-security firms are driven by their bottom lines, and the reports they put out serve “as much as advertising as [threat] intelligence.”
    “Commercial reporting is driven by specific business interests that determine what gets reported, and what does not,” the research trio said.
    Cyber-security firms, chasing large enterprise customers and government contracts, primarily investigate cybercrime, economic espionage, and critical infrastructure sabotage, and ignore threats to individuals, minorities, or civil society as a whole.
    “High end threats to high-profile victims are prioritized in commercial reporting while threats to civil society organizations, which lack the resources to pay for high-end cyber defense, tend to be neglected or entirely bracketed,” the research team said.
    “This situation constitutes a market failure that leaves those most in need of accurate information about threats – vulnerable civil society actors – least well-informed,” they added.
    Since commercial cyber-security firms are behind most of today’s cyber-security reports, the research trio says this current state of affairs produces “a systematic bias in reporting” that is likely to “impact perception among both policy-makers and researchers” and end up affecting government policies, national state defense strategies, and academic work in the long run.
    Best example: 2016 US Presidential Election
    The researchers, whose article was published in June, point to the 2016 US Presidential Election as the clearest example.
    US cyber-security agencies expected nation-state actors to hack the campaigns, which did happen, but most of the actual damage was done through social media influence operations aimed at civil society.
    “This Russian influence campaign focusing on individuals and civil society caught most scholars and policy-makers off guard; it did not correspond to prevailing threat models focusing on critical infrastructure disruption and large-scale digital espionage,” Maschmeyer, Deibert, and Lindsay said.

  • ADHA appoints former Services Australia interim head as its new CEO

    Following a 9-month search, the Australian Digital Health Agency (ADHA) has appointed Amanda Cattermole as its new CEO. 
    She will take over from Bettina McMahon, who stepped in as interim CEO at the start of February, following the resignation of Tim Kelsey. 
    Kelsey worked in the CEO role for three years before leaving the post. 
    Cattermole was most recently the COO of Services Australia. She was also previously the interim CEO of Services Australia and held deputy secretary roles at the agency when it was called the Department of Human Services. 
    “Amanda Cattermole is held in the highest regard across the public service and health sector and will bring a depth of knowledge and capability to the role of CEO at a time when digital health has never been more important,” ADHA board chair Dr Elizabeth Deveny said.
    During her time at Services Australia, the department kicked off a data-matching program of work that saw the automatic issuing of debt notices to those in receipt of welfare payments through the Centrelink scheme. 
    The program, colloquially known as robo-debt, automatically compared the income declared to the Australian Taxation Office against income declared to Centrelink, which resulted in debt notices and a 10% recovery fee being issued whenever a disparity in government data was detected.
    One large error in the system was that it miscalculated recipients’ income, averaging a person’s annual income evenly across fortnights rather than using what they were actually paid in each fortnightly reporting period.
    Since admitting to getting around 470,000 debts wrong, Services Australia estimated that it needed to refund around AU$721 million back to Australians.
    Cattermole will commence her new role on September 29.

  • Millions of WordPress sites are being probed & attacked with recent plugin bug


    Millions of WordPress sites have been probed and attacked this week, Defiant, the company behind the Wordfence web firewall, said on Friday.
    The sudden spike in attacks followed hackers discovering and exploiting a zero-day vulnerability in “File Manager,” a popular WordPress plugin installed on more than 700,000 sites.
    The zero-day was an unauthenticated file upload vulnerability that allowed an attacker to upload arbitrary files to a site running an unpatched version of the File Manager plugin.
    It is unclear how hackers discovered the zero-day, but earlier this week they began probing for sites where the plugin is installed.
    When a probe succeeded, the attackers exploited the zero-day to upload a web shell disguised as an image file to the victim’s server. They then accessed the web shell, took over the site, and enrolled it in a botnet.
    Millions of sites have been probed, attacked
    “Attacks against this vulnerability have risen dramatically over the last few days,” said Ram Gall, Threat Analyst at Defiant.
    The attacks started slowly but intensified throughout the week, with Defiant recording attacks against 1 million WordPress sites on Friday, September 4, alone.
    In total, Gall says Defiant blocked attacks against more than 1.7 million sites since September 1, when the attacks were first observed.
    The 1.7 million figure is more than half of the WordPress sites that use the Wordfence web firewall. Gall believes the true scale of the attacks is far larger, as WordPress runs on hundreds of millions of sites, all of which are probably being probed and hacked in turn.
    The good news is that the File Manager developers created and released a patch for the zero-day on the same day they learned of the attacks. Some site owners have installed it, but, as usual, others are lagging behind.
    It is this slowness in patching that recently drove the WordPress developer team to add an auto-update feature for themes and plugins. Starting with WordPress 5.5, released last month, site owners can configure plugins and themes to update themselves automatically whenever a new release is out, so their sites always run the latest version and stay protected against attacks of this kind.
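    Patching closes the upload hole, but it does not remove a shell that was already dropped, and the shells in this campaign were disguised as images. The script below is an added example, not code from Defiant, Wordfence or the File Manager plugin: it walks an uploads directory and flags files whose extension says “image” but whose bytes say otherwise, files carrying a PHP open tag, server-side scripts sitting where only media should be, and double extensions such as shell.php.jpg. The uploads path and the sample bytes are constructed for illustration; the magic-number table covers the JPEG, PNG and GIF files a wp-content/uploads tree usually holds.

```python
"""Hunt for web shells hidden inside image uploads on a WordPress host."""
import os
import re
import sys

# Magic-number prefixes for the image types a wp-content/uploads tree usually holds.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Extensions the web server would hand to the PHP interpreter.
SERVER_SIDE_EXT = {".php", ".phtml", ".php5", ".php7", ".phar"}
# PHP open tags; the "<?xml" prologue of an SVG deliberately does not match.
PHP_OPEN_TAG = re.compile(rb"<\?php\b|<\?=")
# "shell.php.jpg" style double extensions that some Apache configurations still execute.
DOUBLE_EXT = re.compile(r"\.ph(?:p\d?|tml|ar)\.", re.IGNORECASE)


def inspect_file(name, data):
    """Return a list of findings for one file; an empty list means nothing suspicious."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    if ext in SERVER_SIDE_EXT:
        findings.append("server-side script inside the uploads tree")
    elif DOUBLE_EXT.search(os.path.basename(name)):
        findings.append("double extension that may still be executed as PHP")
    if ext in IMAGE_MAGIC:
        if not data.startswith(IMAGE_MAGIC[ext]):
            findings.append(f"content does not match {ext} magic bytes")
        if PHP_OPEN_TAG.search(data):
            findings.append("PHP open tag embedded in an image file")
    elif ext not in SERVER_SIDE_EXT and PHP_OPEN_TAG.search(data):
        findings.append("PHP open tag in a non-PHP file")
    return findings


def scan_tree(root):
    """Walk an uploads directory and return [(path, findings)] for every flagged file."""
    flagged = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole sweep
            findings = inspect_file(filename, data)
            if findings:
                flagged.append((path, findings))
    return flagged


if __name__ == "__main__":
    # Usage: python scan_uploads.py /var/www/html/wp-content/uploads   (path is an assumption)
    for path, findings in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, "->", "; ".join(findings))
```

    A polyglot file that is a valid JPEG and also contains `<?php` passes the magic-number test but trips the open-tag test, which is why both checks run independently rather than stopping at the first match. Anything flagged should be treated as evidence of a compromised site, not just deleted: the uploader has usually left other persistence behind.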

  • Malware gang uses .NET library to generate Excel docs that bypass security checks

    A newly discovered malware gang is using a clever trick to create malicious Excel files that have low detection rates and a higher chance of evading security systems.
    Discovered by security researchers from NVISO Labs, this malware gang — which they named Epic Manchego — has been active since June, targeting companies all over the world with phishing emails that carry a malicious Excel document.
    But NVISO said these weren’t your standard Excel spreadsheets. The malicious Excel files were bypassing security scanners and had low detection rates.
    Malicious Excel files were compiled with EPPlus
    According to NVISO, this was because the documents were not generated by Microsoft Office at all, but by a .NET library called EPPlus.
    Developers typically use this library as part of their applications to add “Export as Excel” or “Save as spreadsheet” functions. It can generate files in a wide variety of spreadsheet formats and even supports Excel 2019.
    NVISO says the Epic Manchego gang appears to have used EPPlus to generate spreadsheet files in the Office Open XML (OOXML) format.
    Spreadsheets produced this way lack the compiled VBA code that Excel itself writes into a document’s VBA project, alongside the macro source, whenever it saves a macro-enabled workbook.
    Some antivirus products and email scanners look specifically for that compiled portion when hunting for malicious Excel documents, which would explain why Epic Manchego’s spreadsheets had lower detection rates than other malicious Excel files.
    The absence of that compiled blob does not mean the files were clean. NVISO says Epic Manchego’s malicious code was still present in the VBA project, stored as source in a different part of the project than the compiled code scanners expect, and the project was password-protected to keep security tools and researchers from reading it.

    Despite being generated differently, the EPPlus-based files still opened and behaved like any other Excel document.
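    The practical lesson is that a detection which keys on compiled VBA misses a project that only carries source, so triage should look at what the container and the VBA project expose regardless of how the file was produced. The script below is an added example and not NVISO’s tooling. Using only the standard library, it opens an OOXML workbook as a zip, checks [Content_Types].xml for the macro-enabled content type, confirms xl/vbaProject.bin is present and starts with the OLE magic, and then decides whether the VBA project is password-protected by decrypting the PROJECT stream’s DPB= value with the algorithm from MS-OVBA 2.4.3.3 (an unprotected project decrypts to a single 0x00 byte; a hashed password starts with 0xFF). The sample workbook it builds is constructed for the test: it is not a real Excel or EPPlus file, only a fake OLE blob containing a PROJECT stream, and its project ID and password hash bytes are made up.

```python
"""Triage an OOXML spreadsheet for a VBA project without relying on compiled p-code."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MACRO_CONTENT_TYPE = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
DPB_LINE = re.compile(rb'DPB="([0-9A-Fa-f]+)"')  # ProjectPassword line of the PROJECT stream


def ovba_decrypt(blob):
    """MS-OVBA 2.4.3.3: recover the Data field of an encrypted CMG/DPB/GC value."""
    seed, version_enc, proj_key_enc = blob[0], blob[1], blob[2]
    if (seed ^ version_enc) != 2:
        raise ValueError("Version byte is not 2; not an MS-OVBA encrypted value")
    ignored_length = (seed & 6) >> 1
    unenc1, enc1, enc2 = seed ^ proj_key_enc, proj_key_enc, version_enc
    plain = bytearray()
    for byte_enc in blob[3:]:
        byte = byte_enc ^ ((enc2 + unenc1) & 0xFF)
        enc2, enc1, unenc1 = enc1, byte_enc, byte
        plain.append(byte)
    body = plain[ignored_length:]  # drop the IgnoredLength filler bytes
    length = int.from_bytes(body[:4], "little")
    return bytes(body[4:4 + length])


def ovba_encrypt(data, project_id, seed=0x5A):
    """MS-OVBA 2.4.3.2; used here only to build the constructed sample file."""
    proj_key = sum(project_id.encode()) & 0xFF
    version_enc, proj_key_enc = seed ^ 2, seed ^ proj_key
    plain = bytes((seed & 6) >> 1) + len(data).to_bytes(4, "little") + data
    unenc1, enc1, enc2 = proj_key, proj_key_enc, version_enc
    out = bytearray([seed, version_enc, proj_key_enc])
    for byte in plain:
        byte_enc = byte ^ ((enc2 + unenc1) & 0xFF)
        enc2, enc1, unenc1 = enc1, byte_enc, byte
        out.append(byte_enc)
    return bytes(out)


def vba_password_state(dpb_hex):
    """Classify a DPB= value: 'none', 'hash' (PasswordHash starts with 0xFF) or 'plaintext'."""
    plain = ovba_decrypt(bytes.fromhex(dpb_hex))
    if plain == b"\x00":
        return "none"
    return "hash" if plain[0] == 0xFF else "plaintext"


def triage_workbook(data):
    """Return macro-related facts about an OOXML workbook given as bytes."""
    report = {"macro_enabled": False, "has_vba_project": False,
              "vba_is_ole": None, "vba_password": None}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "[Content_Types].xml" in names:
            root = ET.fromstring(zf.read("[Content_Types].xml"))
            report["macro_enabled"] = any(
                el.get("ContentType") == MACRO_CONTENT_TYPE
                for el in root.iter(CT_NS + "Override"))
        if "xl/vbaProject.bin" in names:
            vba = zf.read("xl/vbaProject.bin")
            report["has_vba_project"] = True
            report["vba_is_ole"] = vba.startswith(OLE_MAGIC)
            # The PROJECT stream is plain text inside the OLE container, so the DPB=
            # line can be found by a byte search without walking the compound file.
            match = DPB_LINE.search(vba)
            if match:
                report["vba_password"] = vba_password_state(match.group(1).decode())
    return report


def build_sample_workbook(password_protected=True):
    """Constructed minimal .xlsm (not produced by Excel or EPPlus): only the parts triage reads."""
    project_id = "{CONSTRUCTED-SAMPLE-PROJECT-ID}"  # made-up ID; ProjKey is derived from it
    # 28-byte PasswordHash (0xFF, two null-flag bytes, 4-byte key, 20-byte SHA-1, terminator)
    # versus the single 0x00 byte an unprotected project stores. Hash bytes are made up.
    secret = (b"\xff\x00\x00" + b"\x11" * 4 + b"\x22" * 20 + b"\x00") if password_protected else b"\x00"
    dpb = ovba_encrypt(secret, project_id).hex().upper().encode()
    project = b'ID="%s"\r\nModule=Module1\r\nName="VBAProject"\r\nDPB="%s"\r\n' % (project_id.encode(), dpb)
    fake_vba_bin = OLE_MAGIC + b"\x00" * 504 + project  # OLE magic, header padding, PROJECT text
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        '<Override PartName="/xl/workbook.xml" ContentType="%s"/></Types>' % MACRO_CONTENT_TYPE)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", fake_vba_bin)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_workbook(build_sample_workbook()))
```

    A macro-enabled workbook with a password-protected VBA project is worth a closer look whether or not compiled code is present; the password only hides the source from a casual viewer, since the module streams are still stored in the file and tools such as oletools’ olevba extract them directly. For a real file the byte search for DPB= is a heuristic: it relies on the short PROJECT stream being stored contiguously, which holds for normal files but not for a deliberately fragmented one, where walking the compound-file directory would be needed.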
    Active since June
    The malicious documents (also called maldocs) still contained a malicious macro. If a user who opened the file allowed it to run (by clicking through the “Enable editing” and “Enable content” prompts), the macro would download and install malware on the victim’s system.
    The final payloads were classic infostealer trojans such as Azorult, AgentTesla, Formbook, Matiex, and njRat, which dump passwords from the user’s browsers, email clients, and FTP clients and send them to Epic Manchego’s servers.
    While using EPPlus to generate the malicious Excel files may have paid off at first, it ended up hurting Epic Manchego in the long run: the unusual structure let the NVISO team easily uncover all of the gang’s past operations by hunting for Excel documents that looked the same way.
    In the end, NVISO said it found more than 200 malicious Excel files linked to Epic Manchego, the first dating back to June 22 this year.

    NVISO says this group appears to be experimenting with this technique, and since the first attacks, they have increased both their activity and the sophistication of their attacks, suggesting this might see broader use in the future.
    Nevertheless, NVISO researchers weren’t totally surprised that malware groups are now using EPPlus.
    “We are familiar with this .NET library, as we have been using it for a couple of years to create malicious documents (“maldocs”) for our red team and penetration testers,” the company said.
    Indicators of compromise and a technical breakdown of the EPPlus-generated Excel files are available in NVISO Labs’ Epic Manchego report.

  • White House publishes a cyber-security rulebook for space systems


    The White House has published today a new directive detailing a list of recommendations and best practices for protecting space systems from cyber-threats and cyber-attacks.
    The new rules, detailed in Space Policy Directive-5 (SPD-5), are meant to establish a cybersecurity baseline for all space-bound craft, systems, networks, and communications channels built and operated by US government agencies and commercial space entities.
    US officials fear that US entities active in space might face cyber-attacks that may “deny, degrade, or disrupt space operations, or even destroy satellites.”
    “Examples of malicious cyber activities harmful to space operations include spoofing sensor data; corrupting sensor systems; jamming or sending unauthorized commands for guidance and control; injecting malicious code; and conducting denial-of-service attacks,” said officials.
    According to SPD-5, these threats could be mitigated through a set of best practices, already well-established, and applied in other industry sectors.
    Update mechanisms, encryption, physical security
    For starters, officials say that space systems must include “the ability to perform updates and respond to incidents remotely,” and that these capabilities must be integrated into space vehicles during the design phase, before launch.
    Space systems and their supporting infrastructure must also be developed and operated by engineers with cyber-security training, the White House said.
    “Effective and validated authentication or encryption” should also be used to protect command, control, and telemetry functions from unauthorized access.
    The same command, control, and telemetry functions — used by ground operators to control spacecraft — should also come with protections against communications jamming and spoofing, US government officials said.
    This implies using signal strength monitoring programs, secured transmitters and receivers, authentication, or “effective, validated, and tested encryption.”
    But cybersecurity best practices shouldn’t be applied just for spacecraft and their communications channels. Securing the ground stations from where these communications are managed is just as important.
    For example, ground stations should enforce the logical or physical segregation of IT networks, patch systems regularly, apply physical security access rules, enforce restrictions on the use of portable media inside their networks, use antivirus software, and train staff accordingly, including against insider threats.
    Furthermore, threats to US space systems should also be analyzed down the supply chain as well. This includes tracking manufactured parts, requiring sourcing from trusted suppliers, and identifying counterfeit, fraudulent, and malicious equipment that may introduce unforeseen cybersecurity risks.
    In case threats are detected, the operators of US space systems should also work to share threat, warning, and incident information with industry partners via Information Sharing and Analysis Centers (ISACs).
    And since spacecraft are systems where size and weight matter, cybersecurity measures should be designed so as not to impair missions by affecting space vehicle size, weight, mission duration, or other technical mission requirements.
    Speaking at a press conference on Friday, White House officials said SPD-5 and its recommendations should help US space entities set up basic protections against cyber-threats, which “happen all the time” and come “not just from China but also non-state actors.”
    Officials said these cyber-threats “occur with concerning regularity.”