Richard Giddey

The Super SA data hack impacted thousands but took two months to come to light. Here’s what we know – ABC News

“It’s simply not good enough.”

That’s how South Australian treasurer Stephen Mullighan reacted in parliament on Wednesday when he was asked about a cyber security breach involving government superannuation provider Super SA.

Information linked to more than 14,000 members was accessed by hackers about two months ago.

But Mr Mullighan said he only found out about the incident less than a fortnight ago.

It’s the second time in less than two years that private data from a state government agency, held by a third-party firm, has been illegally accessed.

In November 2021, hackers hit payroll provider Frontier Software, impacting more than 90,000 public servants.

Here’s what we know about the latest cyber security breach so far.

Cyber attack related to 2019 breach

The government said the most recent security breach stemmed from a previous cyber attack involving Super SA in November 2019.

Data pertaining to 14,011 Super SA members was accessed during the hack.

The data was accessed while in the keeping of Adelaide-based company Contact 121, the government says. (Four Corners: Cyber War)

To help respond to members caught up in the incident, Super SA hired the services of a call centre — Adelaide-based company Contact 121 — in 2020.

After its contract with Super SA ended, the government said, Contact 121 kept data about the members and about two months ago that information was accessed.

The government said Super SA became aware of the latest cyber security incident on September 1 this year, but it didn’t receive confirmation that a breach had occurred until October 4.

It said all members who were implicated in the 2019 cyber breach were also impacted by this latest attack.

Treasurer Stephen Mullighan says he was not informed of the breach for weeks. (ABC News: Che Chorley)

Mr Mullighan told parliament last week the Department of the Premier and Cabinet was informed of the latest cyber breach on August 18, but he was only told on Thursday, October 12.

“Government agencies need to do a much, much better job at firstly, trying to insulate themselves as best they can against these attacks in the first place, but secondly respond to them in a timely, thorough and appropriate way,” he said on Wednesday.

Government still investigating breach

Mr Mullighan said the government was investigating why Contact 121 had retained Super SA members’ data on its systems.

“That raises … a series of further questions — what requirements are there for these agencies to not continue holding government data on their ICT systems after they complete doing work for government?” he told parliament on Wednesday.

“It is absolutely clear that the way in which these incidents have been managed is not good enough because it’s causing the exposure of sensitive South Australians’ data to be exposed to illegal access.”

The government says Super SA became aware of the hack in September. (Reuters: Samantha Sais)

On Thursday, Mr Mullighan told parliament the government no longer used Contact 121’s services.

“We are unaware of other government agencies using them post-2020,” he said.

“The advice I have is that we are not aware of government agencies continuing to use this company to date.”

Meanwhile, Super SA told its members on Monday that it was taking “an abundance of caution to secure member accounts”.

“At this stage it is still unknown if any of the Super SA data has been accessed.”

ABC News has contacted Contact 121 for comment.

Experts call for stronger data protection

Adelaide cyber security lawyer Darren Kruse said companies in South Australia and across the country were not legally required to delete client data once they no longer had a practical use for it.

“Obviously they have a duty of care to hold information securely and safely,” he said.

“But there’s no specific laws about curation of data or the method for holding it.”

Mr Kruse said the SA government had published a discretionary set of guidelines outlining how government agency data is collected, used, transmitted and managed, but he described it as “out of date”, having been authored in 2018.

“The data breach problem is not going away,” he said.

Macquarie University cyber security studies expert Jeff Foster told ABC Regional Drive it could take “quite a while” for companies impacted by breaches to find out what information had been compromised.

“In this case with South Australian Super we don’t actually know what was taken or if any personal-identifying information was taken at all,” Dr Foster said.

“It can be extremely difficult to figure out exactly what was stolen in a breach, what was accessed and how it was accessed.”

Opposition spokesperson Heidi Girolamo says cyber security is just as important in the public sector. (ABC News)

Opposition spokesperson Heidi Girolamo said it’s important there’s investment from the government when it comes to protecting data from hackers and that policies “always need constant review and improvement”.

“Clearly after this breach that we are seeing now it does highlight gaps that need to be addressed,” she said.

“It is an area that is changing every single day.

“It’s an area of focus right across the private sector and I think the public sector needs to ensure that they have the right systems in place.”

This content was originally published here.

ToddyCat hackers use ‘disposable’ malware to target Asian telecoms

A newly discovered campaign dubbed “Stayin’ Alive” has been targeting government organizations and telecommunication service providers across Asia since 2021, using a wide variety of “disposable” malware to evade detection.

Most of the campaign’s targets seen by cybersecurity firm Check Point are based in Kazakhstan, Uzbekistan, Pakistan, and Vietnam, while the campaign is still underway.

The attacks appear to originate from the Chinese espionage actor known as ‘ToddyCat,’ which relies on spear-phishing messages carrying malicious attachments to load a variety of malware loaders and backdoors.

Stayin’ Alive targets (Check Point)

The researchers explain that the threat actors use many different custom tools, which they believe are disposable: built to evade detection and to prevent the attacks from being linked to each other.

“The wide set of tools described in this report are custom-made and likely easily disposable. As a result, they show no clear code overlaps with any known toolset, not even with each other,” explains Check Point.

Attack starts with an email

The attack begins with a spear-phishing email crafted to target specific individuals in key organizations, urging them to open the attached ZIP file.

The archive contains a digitally signed executable named to match the email context and a malicious DLL that exploits a vulnerability (CVE-2022-23748) in Audinate’s Dante Discovery software to side-load the “CurKeep” malware on the system.

CurKeep infection chain (Check Point)

CurKeep is a 10kb backdoor that establishes persistence on the breached device, sends system info to the command-and-control (C2) server, and then waits for commands.

The backdoor can exfiltrate a directory list for the victim’s Program Files, indicating what software is installed on the computer, execute commands and send the output to the C2 server, and handle file-based tasks as instructed by its operators.

Beyond CurKeep, the campaign utilizes other tools, mainly loaders, executed primarily through similar DLL side-loading methods.

Notable ones include the CurLu loader, CurCore, and CurLog loader, each with unique functionalities and infection mechanisms.

CurCore is the most interesting of the secondary payloads, as it can create files and populate their contents with arbitrary data, execute remote commands, or read a file and return its data in base64 encoded form.

Another notable backdoor that stands out from the rest is ‘StylerServ,’ which acts as a passive listener that monitors traffic on five ports (60810 through 60814) for a specific XOR-encrypted configuration file (‘stylers.bin’).

Threads listening on five ports (Check Point)

The report does not specify the exact functionality or purpose of StylerServ or stylers.bin, but it is likely part of a stealthy configuration serving mechanism for other malware components.
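The two checks below are an added example for the StylerServ description above, not code from Check Point or Kaspersky. The first hunts a netstat-style listing for any single process that binds all five of the reported ports (60810 through 60814); the second recovers a single-byte XOR key for a configuration blob. The report gives neither the key nor the layout of stylers.bin, so the blob, the single-byte keying and the `c2=` marker are constructed assumptions, and the netstat lines are made up as well.

```python
"""Hunting helpers for the StylerServ behaviour described above.

Added example, not code from Check Point or Kaspersky. The netstat-style
listing, the configuration blob, the single-byte XOR keying and the "c2="
marker are all constructed assumptions for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# StylerServ is reported to listen on 60810 through 60814 inclusive.
STYLERSERV_PORTS = frozenset(range(60810, 60815))

# Constructed sample in the shape of `netstat -ano` on Windows: pid 4120
# binds all five ports, pid 808 is an ordinary RPC endpoint mapper.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       808
  TCP    0.0.0.0:60810          0.0.0.0:0              LISTENING       4120
  TCP    0.0.0.0:60811          0.0.0.0:0              LISTENING       4120
  TCP    [::]:60812             [::]:0                 LISTENING       4120
  TCP    0.0.0.0:60813          0.0.0.0:0              LISTENING       4120
  TCP    0.0.0.0:60814          0.0.0.0:0              LISTENING       4120
  TCP    10.0.0.5:49702         10.0.0.9:443           ESTABLISHED     2216
  UDP    0.0.0.0:123            *:*                                    1488
"""


def bound_ports_by_pid(netstat_text: str) -> Dict[int, Set[int]]:
    """Map pid -> set of local ports it has bound (TCP LISTENING, or any UDP)."""
    ports: Dict[int, Set[int]] = defaultdict(set)
    for line in netstat_text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue                      # header or blank line
        if f[0] == "TCP":
            if len(f) < 5 or f[3] != "LISTENING":
                continue                  # established sockets are not listeners
            pid = int(f[4])
        else:
            if len(f) < 4:
                continue
            pid = int(f[3])               # UDP rows carry no State column
        port = int(f[1].rsplit(":", 1)[1])  # handles 0.0.0.0:p and [::]:p
        ports[pid].add(port)
    return dict(ports)


def find_stylerserv_candidates(netstat_text: str, min_hits: int = 5) -> List[int]:
    """Pids that bind at least min_hits of the five StylerServ ports."""
    return sorted(pid for pid, bound in bound_ports_by_pid(netstat_text).items()
                  if len(bound & STYLERSERV_PORTS) >= min_hits)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the assumed stylers.bin scheme)."""
    return bytes(b ^ key for b in data)


# Constructed stand-in for stylers.bin: a short config XORed with 0x5A.
# The real file's layout and key are not given in the report.
_PLAINTEXT = b"c2=198.51.100.10:443;sleep=60;"   # RFC 5737 documentation address
SAMPLE_STYLERS_BIN = xor_bytes(_PLAINTEXT, 0x5A)


def recover_single_byte_xor(blob: bytes, marker: bytes = b"c2=") -> Optional[Tuple[int, bytes]]:
    """Try all 256 keys; return (key, plaintext) for the first one whose output
    is printable ASCII and contains the expected marker, else None."""
    for key in range(256):
        out = xor_bytes(blob, key)
        if marker in out and all(0x20 <= b < 0x7F for b in out):
            return key, out
    return None


if __name__ == "__main__":
    print("StylerServ candidates:", find_stylerserv_candidates(SAMPLE_NETSTAT))
    print("recovered config:", recover_single_byte_xor(SAMPLE_STYLERS_BIN))
```

The port check deliberately counts listeners per process rather than per port: a single unrelated service on one of these ports is noise, while one process holding all five is the pattern the report describes. The key-recovery loop is only meaningful under the single-byte assumption; a longer key needs frequency analysis or a known plaintext of at least key length.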

Check Point reports that “Stayin’ Alive” uses various samples and variants of these loaders and payloads, often tailored to specific regional targets (language, filenames, themes).

The security company says the newly identified cluster is likely a segment of a broader campaign involving more undiscovered tools and attack methods.

Judging from the wide variety of distinct tools seen in the attacks and their level of customization, these appear to be disposable.

Despite the code differences in those tools, they all connect to the same infrastructure, which Kaspersky previously linked to ToddyCat, a group of Chinese cyber spies.

Update 10/12 – Shortly after publishing this report, Kaspersky posted an update on its tracking of the ToddyCat APT, highlighting new attack methods and payloads its analysts discovered recently.

Over the past year, Kaspersky observed a parallel cluster of activity from the same threat actor, different from the one seen by Check Point, with two attack variants employing legitimate VLC executables to load malware using the DLL sideloading technique.

A notable malware deployed in these attacks is ‘Ninja Agent,’ which features file management, reverse shell, process management, and more.

Other tools ToddyCat deployed in these attacks include LoFiSe (file tracker and stealer), Cobalt Strike (penetration testing suite), DropBox Uploader, and a passive UDP backdoor.

New threat report reveals true dominance of ransomware

Elastic has announced its second Elastic Global Threat Report, issued by Elastic Security Labs. Based on observations from more than 1 billion data points over the last 12 months, the report reveals ransomware is expanding and diversifying; more than half of all observed malware infections were on Linux systems; and credential access techniques have become an essential part of the cloud intrusion process.

Malware Trends

The majority of malware observed was composed of a small number of highly prevalent ransomware families and commercial off-the-shelf (COTS) tools. As financially motivated threat communities adopt or offer malware-as-a-service (MaaS) capabilities, enterprises should heavily invest in developing security functions with broad visibility of low-level behaviours to expose previously undiscovered threats.

BlackCat, Conti, Hive, Sodinokibi and Stop are the most prevalent ransomware families we identify through signatures, amounting to about 81% of all ransomware activity.

COTS malware capabilities like Metasploit and Cobalt Strike represented 5.7% of all signature events. On Windows, these families amounted to about 68% of all infection attempts.

Around 91% of malware signature events came from Linux endpoints, while Windows endpoints accounted for only about 6%.

Endpoint Behaviour Trends

The most sophisticated threat groups evade security by withdrawing to edge devices, appliances and other platforms where visibility is lowest. The report stresses that enterprises should evaluate how tamper-resistant their endpoint security sensors are, and that organisations with large Windows environments in particular should track the vulnerable device drivers attackers load to disable those sensors (the bring-your-own-vulnerable-driver pattern).

When looked at together, Execution and Defence Evasion make up more than 70% of all endpoint alerts.

Windows endpoints were the top target, accounting for 94% of all endpoint behaviour alerts, followed by macOS at 3%; Windows is also where Elastic observed the most discreet techniques.

macOS-specific credential dumping was responsible for an astounding 79% of all credential access techniques by adversaries, an increase of approximately 9% since last year. In Windows environments, ProcessDump.exe, WriteMiniDump.exe and RUNDLL32.exe were the tools used in more than 78% of credential dumping attempts.
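The detections below are an added example for the Windows credential-dumping figures above; they are not Elastic rules. They run over constructed Sysmon-style process-creation events and flag the three tools named in the report. The event field names and every sample event are assumptions, and the rundll32 check targets the comsvcs.dll MiniDump export (the usual rundll32 route to an LSASS dump), which is an assumption about which invocations the report counted.

```python
"""Process-creation detections for the credential-dumping tooling named
above (ProcessDump.exe, WriteMiniDump.exe, rundll32.exe).

Added example, not an Elastic rule. The Sysmon-style field names and all
sample events are constructed. The rundll32 rule matches the comsvcs.dll
MiniDump export (ordinal #24); which rundll32 invocations the report counted
is not stated, so that mapping is an assumption.
"""
import re
from typing import Dict, Iterable, List

# Constructed sample events: indexes 0-2 are dumping activity, 3-4 are benign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Users\Public\l.dmp full",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\Public\ProcessDump.exe",
     "CommandLine": r"ProcessDump.exe -accepteula -pid 652 -o C:\Users\Public\p.dmp",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\Public\wmd.exe",   # renamed copy of WriteMiniDump.exe
     "CommandLine": r"wmd.exe lsass.exe C:\Users\Public\w.dmp",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" a backup.7z C:\Users\alice\Documents',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# comsvcs.dll followed by the MiniDump export by name or by ordinal #24.
_COMSVCS_MINIDUMP = re.compile(r"comsvcs(\.dll)?\s*,?\s*(#24|minidump)\b", re.I)
_KNOWN_DUMPERS = {"processdump.exe", "writeminidump.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path, quotes stripped."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> List[str]:
    """Names of the rules an event matches (empty list if none)."""
    image = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    tokens = cmd.split()
    first = _basename(tokens[0]) if tokens else ""
    hits = []
    if image == "rundll32.exe" and _COMSVCS_MINIDUMP.search(cmd):
        hits.append("rundll32_comsvcs_minidump")
    if image in _KNOWN_DUMPERS or first in _KNOWN_DUMPERS:
        hits.append("known_dumper_binary")
    # Catches renamed dumpers: the file name changes, the target rarely does.
    if "lsass" in cmd.lower() and image != "lsass.exe":
        hits.append("lsass_named_on_command_line")
    return hits


def detect(events: Iterable[dict]) -> Dict[int, List[str]]:
    """Map event index -> matched rules, for events matching at least one."""
    out: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            out[i] = hits
    return out


if __name__ == "__main__":
    for idx, rules in detect(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], "->", ", ".join(rules))
```

Event 2 shows why the name-based rule is not enough on its own: a renamed WriteMiniDump.exe slips past it but is still caught because the target process appears on the command line, while event 0 shows the opposite gap (a comsvcs dump by PID never mentions lsass). Running both rule families together is what makes the coverage the report's numbers imply.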

Cloud Security Trends

As enterprises increasingly migrate on-premises resources to hybrid or entirely cloud-based environments, threat actors are taking advantage of misconfigurations, lax access controls, unsecured credentials, and no functional principle of least privilege (PoLP) models. Organisations can dramatically reduce the risk of compromise by implementing the security features that their cloud providers already support and monitoring for common credential abuse attempts.

For Amazon Web Services, Elastic observed defence evasion (38%), credential access (37%), and execution (21%) as the most common tactics mapped to threat detection signals.

On Microsoft Azure, 53% of credential access events were tied to compromised legitimate accounts; on Microsoft 365, credential access accounted for a high 86% of signals; and 85% of Google Cloud threat detection signals were related to defence evasion.

Discovery accounted for approximately 61% of all Kubernetes-specific signals, predominantly related to unexpected service account requests that were denied.

“Today’s threat landscape is truly borderless, as adversaries morph into criminal enterprises focused on monetising their attack strategies,” says Jake King, head of security intelligence and director of engineering at Elastic.

“Open source, commodity malware, and the use of AI have lowered the barrier to entry for attackers, but we’re also seeing the rise of automated detection and response systems that enable all engineers to better defend their infrastructures,” he says.

“It is a cat-and-mouse game, and our strongest weapons are vigilance and the continued investment in new defence technologies and strategies.”

Cybersecurity ops not an immediate priority for CIOs

One in five CIOs believe cybersecurity ops are not an immediate priority, according to new research.

In April 2023, Acora conducted a survey that revealed insights into the changing responsibilities of Chief Information Officers (CIOs), focusing on mid-market companies. The research included 126 decision-makers from financial services companies and aimed to identify the difficulties and modifications that resulted from the transition to a hybrid work model after the pandemic.

The evolving role of CIOs

The survey findings revealed that 65% of IT leaders believe that hybrid working has elevated their role within their respective organisations, and 61% reported additional responsibilities such as direct involvement in due diligence activities. The study underscores the vital position of cybersecurity within organisations, with 67% of respondents listing it as their top focus area.

This signifies the continued significance of cybersecurity, an issue that previous reports have highlighted as the “big, scary cybersecurity monster”.

Investment in cybersecurity

IT budgets are another focal point in the survey. While 55% of IT leaders predict an increase in their budgets in the coming year, this marks a significant drop from last year’s prediction of 77%. The use of Managed Service Providers (MSPs) is also on the rise, with 92% of respondents planning to work with them this year.

However, there are concerns about MSPs’ ability to support their company’s growth strategy, with 48% expressing apprehension.

Integrated cyber security and IT operations

That 48% breaks down into 40% who expressed concern about their MSP’s ability to support the company’s growth strategy and 8% who are certain they will need to look for other providers.

Diverse patterns are emerging in the management of cybersecurity operations across different organisations.

Interestingly, one in five (20%) respondents indicated that although cybersecurity operations are not an immediate priority, they plan to look into it in the future.

These outsourcing organisations face two significant challenges. Firstly, they need to identify a trusted partner with the right capabilities and reputation that aligns with their current business needs and future growth plans. Secondly, they must navigate the complexities of managing multiple third-party providers.

Finding a single partner that can address IT and cybersecurity operations could allow these companies to reap the same benefits as those that control these functions as a single in-house team.

Focus areas for cybersecurity

Cybersecurity threats are becoming increasingly sophisticated, with attackers using targeted methods to inflict reputational and operational damage. While technology tools are helpful, the complexity of threats necessitates skilled professionals. However, maintaining an in-house team with the required specialities is often neither practical nor affordable, leading organisations to work with external experts.

The unfolding AI narrative adds to the current climate of uncertainty, requiring IT leaders to step up and guide organisations about its implications and opportunities.

“AI isn’t difficult technically,” says Chief Information Officer Lee Ganly.

“The challenges are around intellectual property, security, and policy issues. It’s hard to predict where AI will sit in the wider IT landscape, even this time next year. All we can say for certain is it’s going to be a fascinating journey.”

6 simple cybersecurity rules you can apply now

If you’re an IT pro or a serious PC hobbyist, computers are as logical as Mr. Spock. If you’re a human being without a technical background, the average Windows error message might as well be written in Klingon.

For that latter audience, computer security often devolves into magical thinking. That’s unfortunate because the reality is that most of the things you can do to protect yourself online are about simple psychology and basic human behavior.

When a business network is compromised with ransomware, the culprit is rarely an evil genius hacker. The source of the problem is usually far more mundane: Someone was fooled by a clever bit of social engineering.

For anyone who’s responsible for training others to avoid being online victims, the secret is not to explain how buffer overflows and code injection work.

Instead, help those people focus on how to approach PCs with a healthy dose of skepticism and build up some basic situational awareness. I’ve reduced the lesson plan to six simple rules, all written in plain language.

1. Don’t panic

A grizzled veteran of the computer security industry once shared a priceless piece of wisdom with me: “Don’t just do something. Stand there.”

Oh, wait. That wasn’t a security expert, it was the White Rabbit in Disney’s 1951 animated production of Alice in Wonderland. But it’s still good advice.

The natural human reaction when you see a potential threat is to panic and immediately try to do something to solve it. If you get an email alerting you that your credit card’s about to be charged $480 to renew your non-existent Geek Squad subscription or that your computer is infected with ransomware, you might be tempted to call the toll-free number in that email. That will, of course, connect you to a call center staffed by bad actors who will happily take your credit card details and process some real charges.

Scammers thrive by making people panic. Take the time you need to figure out what the real threat is before you do anything.

2. Don’t open unknown attachments

Many potential security threats arrive in the form of email attachments. Sometimes they’re executable files, but these days they’re just as likely to be Word documents, PDFs, or HTML files. They might be capable of running exploit code, or they might be simply an attempt to convince you to enter credentials for an email or bank account.

If you receive an attachment from someone you don’t know, the last thing you should do is open it. Even if the attachment appears to be from someone you know, it pays to be cautious, especially if the message is unexpected. The sender’s account information might be spoofed, or their account might be compromised.

If you suspect an attachment is malicious or a message contains a link to a suspicious site, consider submitting it to VirusTotal. That free, trusted site (owned by a subsidiary of Google) scans your submission against some 70 antivirus engines and a variety of other security-related services and can tell you whether it is known to be malicious or a false positive. One caveat: files you upload are shared with the participating security vendors, so if a document might contain sensitive data, look up its hash on VirusTotal first rather than uploading the file itself.

3. Don’t click unsolicited links, either

Social engineering works by exploiting people’s trust. A scammer who puts even minimal effort into a phishing attempt can do a creditable job of mimicking a legitimate email and crafting links that look close enough to the real thing to fool you.

If you receive an email that makes you think, “Hmmm, that doesn’t look right,” your spidey sense is working. Trust it.

And even if the message doesn’t have any obvious red flags, it’s still OK to be suspicious, especially if you’re being asked to click a link to do something you didn’t ask for. When in doubt, don’t click that link; instead, use a bookmark you’ve saved for the site in question or type the URL directly to do whatever you need to do.

4. You don’t need to pay for security software

The security software industry wants you to be afraid. As part of that effort, they try their best to convince you that the core protections built into your PC, Mac, or mobile device cannot possibly be as good as the product they sell.

That might have been true two decades ago, but it’s certainly not true today. Most third-party security software developed for use by consumers offers only marginal extra protection, at best. That’s especially true for buzzy features like “Dark Web monitoring.”

If you’re an enterprise network administrator, you can probably benefit from software and services that give you greater visibility into what your users are doing as well as what’s happening on the periphery of your network. For your personal PC, save your money.

5. Don’t mess with a perfectly good PC (or Mac)

When it comes to keeping your computer secure, I have a slightly different take on the classic management advice: “If it ain’t broke, don’t break it.”

Drive-by exploits might get all the headlines, but the sad fact is that most malware arrives on PCs because someone willingly, even eagerly, chose to install it.

Maybe they downloaded a cracked program from a sketchy download site, or maybe they followed a sponsored link from a search engine and grabbed a program that included a bundle of adware or even malware in addition to the app they were looking for.

The obvious solution? Don’t install random apps.

If you need to check out a program, and you have Windows 11 Pro or Enterprise, try running it in the Windows Sandbox. If you’ve never heard of this feature, here’s how I described it when Windows 11 was released:

It allows you to instantly spin up a secure virtual machine without any complex setup. The VM is completely isolated from your main system, so you can visit a suspicious website or test an unknown app without risk. When you’re done, close the sandbox, and it vanishes completely, removing all traces of your experiment.

It’s a killer feature, and one you should know about.

6. Use a password manager

I’ve been pounding the table about password managers for years, so I won’t repeat those arguments here. (If you need a refresher, read this: “Forgot password? Five reasons why you need a password manager.”)

But the facts are indisputable: Human beings are terrible at generating random passwords, and it’s not realistic to remember the kind of strong, unique credential every site should have.

In fact, using a password manager makes it easier to navigate the modern internet and keeps you safer. If you’ve been putting off this task because you think it’s too difficult, try my three-step program, which you can implement in 30 minutes or less.

Oh, and while you’re at it, turn on two-factor authentication, too.

Three Chinese nationals sentenced in Adelaide after using stolen details from phishing scam – ABC News

Two of three Chinese nationals living in Australia who used stolen personal information to make fraudulent transactions will be released from prison in a month, while the third will walk free immediately.

Renzhong Chen, 31, Sheng Li, 25, and Xiaoxin Zheng, 20, were arrested in November after using details from a phishing scam, which is believed to have affected around 1,800 people across Australia.

The men previously pleaded guilty to more than 180 counts of various offences including identity theft.

The court heard victims had their personal information compromised through a phishing scam linked to the 2022 Optus data breach, in which they were sent text messages containing a fake hyperlink purporting to be from streaming services such as Spotify, Netflix and Foxtel.

While the three men were not involved in sending any of the messages, they were found to have been responsible for downloading the stolen credit card details which had been illegally uploaded onto the dark web.

Police investigators leaving Port Adelaide Magistrates Court after the sentencing of Renzhong Chen, Sheng Li, and Xiaoxin Zheng. (ABC News)

The men, who had been living in Western Australia, carried out their offending while they were staying at an Airbnb in North Haven, in Adelaide’s north-west.

They were able to use the stolen data in electronic wallets on numerous mobile phones to make fraudulent transactions from stores across Adelaide.

Upon their arrest at the Airbnb, police seized a number of electronic items and found a spreadsheet on Chen’s laptop that included the personal data of 1,800 Australians.

The prosecution identified 28 victims in the case, who had a total of $26,400 stolen.

Magistrate says men caused ‘financial crisis’ to victims

Magistrate Jayanthi Pandya said the victim impact statements of 14 individuals highlighted the “financial crisis” that the offenders caused.

“Make no mistake, the consequences of your actions run deep,” Magistrate Pandya said.

“The distress, the hurt, the inconvenience and the sheer weight of insecurity and terror … that you have begged victims to endure.

“Each of you committed the offences distanced from the pain of victims and you committed it with ease and in a carefree manner.”

The court heard Chen was in contact with another Chinese man in Victoria, who paid them $300 to $400 a day to commit the crimes while they were in South Australia.

It also heard the men had made an effort to “avoid detection” by renting four different vehicles.

Magistrate Pandya said the offending was “extremely serious” given it was on a national scale, and that the need for deterrence to the public was strong.

“You all familiarised yourself in the business of breaching the system,” she said.

“Courts must make it clear to those who play a part in using stolen items of others to their advantage that they will be treated seriously.”

Defence lawyers for Xiaoxin Zheng and Renzhong Chen. (ABC News)

The men will be required to equally pay back the money stolen from the 28 victims.

They will also each be charged $80,000 under the victims of crime levy, substantial fees that the court heard the defendants’ parents would be paying.

Zheng was sentenced to 13 months imprisonment, with a non-parole period of 10 months which was backdated to his initial arrest, meaning he will be eligible for immediate release.

Li was also sentenced to 13 months, with a non-parole period of 12 months taking into account his time served in custody and home detention bail, meaning he will be released in a month’s time.

Magistrate Pandya sentenced Chen on the basis he had a “higher responsibility” in the crimes and was “pivotal to the success of the operation”.

He will also be eligible for release in a month, after being sentenced to one year and five months, with a non-parole period of 12 months.

Scammers take over photographer’s Facebook account, prompting cyber security warning – ABC News

A Queensland photographer says it feels like his business burned down after scammers wiped seven years of images and customer orders from his social media page.

Caloundra man Doug Bazley said the cyber attack took over his Facebook business page using a tactic experts say is becoming more common.

Mr Bazley said the page was lost at the weekend after he clicked on a link sent to his inbox which appeared to be from Meta Platforms, the company that operates Facebook.

“This Meta thing came up and it said to me, you need to go into this link to fix this problem,” Mr Bazley said.

“I hit that link and that was the start of the end, the page just went black, it disappeared.

“Then it changed the profile photo and changed the name and I had no access to my account.”

Mr Bazley said it was devastating to realise he had lost many years of hard work.

“It feels like your business has just burned down,” Mr Bazley said.

“I spent seven years building that and had about 16,000 followers.

“I love to share and post photos of our travels around Australia.”

Scale of attacks overwhelms experts

Tahlia Rehua’s hairdressing business at Logan fell victim to the same cyber attack a day after Mr Bazley’s.

“I lost my personal and business pages on Sunday,” Ms Rehua said.

Mr Bazley took images of the social media account after he lost access during the cyber attack. (Supplied: Doug Bazley)

“I got a notification to say my Facebook had been suspended because the account didn’t adhere to the Facebook rules.

“I remember getting a message from Meta Business that I clicked on the day before.”

Ms Rehua said she felt angry that 17 years worth of social media content had been lost.

“I felt pissed off, I knew how many years worth of conversations and posts were lost,” she said.

“But also how much work it was going to take to fix it.”

Cyber support expert Dave Lacey said he felt for the victims as his business was struggling to keep up with demand.

“It’s happening a lot,” Mr Lacey said.

“This is his livelihood, this is his life and it’s just slipping through his fingers.

“The reality is we’d love to be able to help everyone but we can’t, because of the scale, the volume.”

Dave Lacey says his business is struggling to keep up with the volume of people needing help for cyber attacks. (ABC News: Chris Gillette)

Security measures key 

October is Cyber Security Awareness Month, which is an annual reminder for all Australians to stay secure online.

The federal government’s Australian Cyber Security Centre says this year’s focus is on four simple steps people can take to boost their cyber security.

They include updating devices regularly, turning on multi-factor authentication, backing up important files and using pass phrases and password managers.

Mr Bazley hoped his story would serve as a warning to others who relied on social media to run their businesses.

“All I can say is people need to be very aware of what links they get and who they let in,” Mr Bazley said.

“I do all my business on there, I have lost every single contact and there was close on $3,000 worth of calendar orders prepaid and those names and contact details have gone.”

Mr Bazley’s Facebook business account showcased his photography work.(Supplied: Blueys Photography)

Mr Bazley said he had spent many days trying to report the issue to Meta and Facebook without success.

“I’ve not even heard a word from them,” Mr Bazley said.

“I don’t understand why Facebook don’t stop these, when you report them they say, ‘Oh we can’t see any abuse or anything wrong’, it’s just ridiculous.”

‘You’re inviting criminals’

Mr Lacey said social media users, especially business owners, were leaving themselves exposed by not having stricter security controls in place.

“Be very vigilant on what you click online, obviously and not be in a position where you’re inviting criminals in because you’ve clicked on a malicious link,” Mr Lacey said.

“And then they’ve got access to your username and passwords.

“Operate in a way that gives the best chance of survival going forward by having that multi-factor authentication in place.”


This content was originally published here.

Scammers take over photographer’s Facebook account, prompting cyber security warning – ABC News

Biden administration goes back to the drawing board on water cybersecurity – The Washington Post

Welcome to The Cybersecurity 202! My cat Julius “Jules” Jonas Jonah Jameson has been extra-angelic of late. He’s always superb, but he’s just on another level of awesomeness recently.


Below: The Supreme Court temporarily blocks a social media order, and a sanctioned crypto exchange becomes a hotbed for various illicit financing. First:

With EPA water cyber rule revoked, the administration still has plans to bolster water cybersecurity

After withdrawing a water cybersecurity rule that was facing a legal challenge, the Biden administration plans to seek authority from Congress to bolster digital safeguards for water and wastewater systems, a top national security official told me.

The Environmental Protection Agency last week revoked its March memo on the rule, which would have required states to evaluate the cybersecurity of water systems when conducting sanitation surveys. A court placed a temporary hold on the initiative in July after three GOP state attorneys general filed a petition to review it.

The Biden administration’s national cybersecurity strategy called on agencies to use any existing authorities they have to put in place minimum cybersecurity standards and seek assistance from Congress when they lack authorities. The EPA memo relied on an interpretation of the Safe Drinking Water Act.

“From our perspective, Americans want to know that their water systems are safe, their water systems are secure, that people couldn’t use cyber vulnerabilities to disrupt water systems or cause harm. That’s what’s underpinned the EPA’s rule,” Anne Neuberger, deputy national security adviser for cybersecurity and emerging technology, told me. “Nevertheless, we took stock of the lawsuit and said, ‘let’s take a step back and let’s ensure that we have in place the authorities that EPA needs to ensure that minimum cybersecurity practices are in place for vulnerable water systems across the country.’”  

The Biden administration plans to pursue its “option B” with the Hill “in the coming weeks,” Neuberger said.

The decision, and what’s next

The attorneys general from Arkansas, Iowa and Missouri contended that, among other things, the EPA rule trampled on states’ rights and would equal increased costs to consumers.

In an Oct. 11 notice about the withdrawal of the rule, the EPA discussed its commitment to water security.

“EPA continues to believe that adopting cybersecurity best practices at public water systems is essential to providing safe and reliable drinking water,” the EPA explanation reads. “EPA encourages all states to voluntarily engage in reviewing public water system cybersecurity programs within the sanitary survey or an alternate process to ensure that deficiencies are corrected, and potential public health impacts are minimized.”

The agency said it would continue to provide technical assistance to states and water systems via “risk assessments, subject matter consultations, training, and funding.”

Neuberger also said the administration wouldn’t give up on water cybersecurity in the absence of the rule. “There are resources states can tap into voluntarily to improve the cybersecurity of vulnerable water systems,” she said. “We have highlighted for states the president’s bipartisan infrastructure law money and encouraged them to tap into that to improve the security of their water systems. The EPA has a team set up with cybersecurity experts. They’ve been working to add security experts to their sanitation surveys.”


The administration could, however, encounter some resistance to providing the EPA with new authorities from Republicans who have criticized Biden’s cyber strategy by saying it is over-regulatory.

  • “The Biden Administration must prioritize streamlining existing regulations while working with the private sector to identify new opportunities for partnership, rather than punishment, particularly through their implementation of this Strategy,” House Homeland Security Committee Chairman Mark Green (R-Tenn.) and cybersecurity and infrastructure protection subcommittee chairman Andrew R. Garbarino (R-N.Y.) said in a statement in March when the administration published its strategy.

Neuberger outlined how the administration would appeal to Congress.

“Traditionally, from a national security perspective, we have two oceans on either side of this country, which keeps the homeland safe,” she said. “Cyber doesn’t need a passport and knows no borders. So the importance of protecting homeland critical infrastructure comes to the fore.

“From our discussions with Republican leaders on the Hill who have put a focus on cybersecurity, they’ve always approached it from a bipartisan perspective,” she said.

On the other side

One of the attorneys general who brought the suit, Missouri’s Andrew Bailey, celebrated the EPA’s decision to drop the rule. (The decision was first reported by the Messenger’s Eric Geller.)

“This was yet another attempt by federal bureaucrats to push a rule through a memo instead of going through Congress,” he said on X, formerly known as Twitter. “Missouri will continue to combat government overreach at every turn.”

So, too, did a pair of groups representing the water sector who joined in on the suit, the American Water Works Association (AWWA) and National Rural Water Association.

“AWWA is pleased that EPA has decided to withdraw its cybersecurity rule,” said the group’s CEO, David LaFrance. “We also recognize that cyberthreats in the water sector are real and growing, and we cannot let our guard down for even a moment. Strong oversight of cybersecurity in the water sector remains critical. We urge U.S. Congress and EPA to support a co-regulatory model that would engage utilities in developing cybersecurity requirements with oversight from EPA.”

The two associations are advocating for legislation called the Cybersecurity for Rural Water Systems Act that authorizes $10 million annually from fiscal years 2024 to 2028 to pay for Agriculture Department cybersecurity experts who give technical assistance to rural water and wastewater systems.

The keys

Supreme Court temporarily blocks curbs on White House social media contacts

The Supreme Court on Friday maintained a block on an order imposed by a lower court that acutely restricts certain federal agencies from communicating with social media companies about removing or suppressing posts, ’s Andrew Chung reports.

“Conservative Justice Samuel Alito temporarily put on hold a preliminary injunction constraining how the White House and certain other federal officials communicate with social media platforms pending the administration’s appeal to the Supreme Court,” Chung writes.

  • The U.S. Court of Appeals for the 5th Circuit ruled last month that certain federal agencies, top government health officials and the FBI likely violated the First Amendment by improperly influencing tech firms’ decisions on removing or suppressing posts about covid-19 and elections. 
  • In that ruling, the scope of an injunction connected to the original July 4 order was narrowed to a smaller group of agencies and put communication restrictions on hold for 10 days to give the Biden administration time to appeal to the Supreme Court. But the 5th Circuit on Oct. 3 reversed course and relisted the Cybersecurity and Infrastructure Security Agency as an alleged First Amendment violator.
  • Experts have suggested the case would be a strong candidate for the high court’s review.

The Friday action puts the case on hold until Oct. 20, giving the justices a week to consider the Biden administration’s request to block the injunction from the lower court.

Sandvine ditches encrypted message surveillance tool, lays off project staff

Canadian networking equipment company Sandvine scrapped a plan to market and sell a controversial surveillance tool that would allow law enforcement agencies to track encrypted messaging exchanges, laying off most of the employees involved in the project, ’s Ryan Gallagher reports, citing four people with knowledge of the matter.

  • Gallagher writes: “Sandvine had pitched the new product, called ‘Digital Witness,’ to governments and law enforcement agencies in Europe, the Middle East, Asia and North America. It was marketed as a tool to covertly monitor people’s internet use and encrypted messages sent using popular applications such as Meta Platforms Inc.’s WhatsApp and Signal, according to the people, who asked not to be identified to discuss confidential matters.” The company declined to comment to Bloomberg News when asked about the project’s shuttering.
  • A combination of economic woes and concerns about Sandvine’s previous activities led to the initiative being scrapped, the report adds. The company’s executive solutions officer Samir Marwaha also said in an emailed statement to Bloomberg News that the company laid off about 50 employees in a move made “to better align to serving our customer base.” The layoffs were “directly attributable to the state of the global economy,” he added. Marwaha declined to comment to Bloomberg News about its products or customers.
  • Rather than breaching devices like a typical spyware tool, Bloomberg News reports that Digital Witness was said to be able to gather and analyze troves of encrypted network traffic and metadata from the communications, allowing the tool to predictively model and classify peoples’ messages, voice calls and transactions.

The FBI and Drug Enforcement Administration had expressed interest in trialing the product, as well as authorities in other nations including India, Europe and the United Arab Emirates, the people familiar told Bloomberg. The FBI and DEA declined to comment to the outlet.

Sandvine was at the center of a Washington Post report last month in which prominent Egyptian opposition politician Ahmed Eltantawy — who plans to challenge President Abdel Fatah El-Sisi in elections next year — was targeted with a zero-day attack designed to install Predator spyware on iPhones.

  • The Biden administration in July blacklisted Cytrox, which makes Predator, as well as Intellexa, the business alliance to which Cytrox belongs. 
  • Researchers said that attempts to infiltrate Eltantawy’s phone involved using Sandvine’s PacketLogic product, which is designed to help internet companies manage and direct network traffic.

Sanctioned Moscow crypto exchange becomes bedrock for various illicit financing

A U.S.-sanctioned cryptocurrency exchange based in Moscow has become a hotbed for various forms of illicit payment schemes, with Russians using the platform to move funds to back cybercriminal activity and Hamas-linked operatives using it to finance their assault in Israel this past week, ’s Angus Berwick reports.

Customer transactions across the platform, known as Garantex, totaled some $665 million in July, an amount over three times greater than what it processed when it was sanctioned, according to the outlet, which cited crypto data provider Coinpaprika.

  • “Garantex’s growing role as a global conduit for illicit funds was underscored this month by evidence that Palestinian militants in part financed their operations through crypto in the lead-up to the Oct. 7 attacks in Israel,” Berwick writes. “Digital wallets controlled by Palestinian Islamic Jihad, which joined Hamas in the attacks, received a portion of $93 million via Garantex, according to analysis by researcher Elliptic, which said Hamas also used a similar financing strategy,” he adds.
  • In Russia, customers deposit rubles at Garantex locations and receive their funds back in crypto in the form of stablecoins that are often pegged to the U.S. dollar. “These can then be withdrawn as traditional currency abroad from a network of local partners, with little trackable record of the transactions,” the report says.

The Treasury Department has previously sanctioned other Russia crypto exchanges in an effort to stave off cybercrime payment networks. But the digital wallet infrastructure allows exchange operators to easily prop themselves up again, the Journal notes. 

The post-sanction Garantex expansion raises questions about how effective the United States’s efforts to foil potential criminal and terror operation funding are. 

  • “A senior Treasury official told the Wall Street Journal the department was closely monitoring Garantex and was working with partners and allies to close it off as a payment channel,” Berwick writes. “Treasury assessed that wealthy Russian individuals were often using Garantex to move money out of the country. The department is considering future action against actors that are using Garantex for cross-border transactions, the official said.”
  • The Atlantic Council convenes a discussion on the information environment of the Israel-Gaza war at noon.

Secure log off

If you brush a cat with a wet toothbrush, it supposedly reminds them of being groomed by their mother pic.twitter.com/yXFfPw6TP1

— Why you should have a cat (@ShouldHaveCat)

Thanks for reading. See you tomorrow.


Newly discovered Android malware has infected thousands of devices

I’m not one to mince words or make you wait for the payoff, so I’ll get right to the point.

If you’ve purchased a T95 (or similar knockoff) streaming box that runs Android, chances are that your unit was shipped with pre-installed malware. But this isn’t your ordinary piece of malware. Instead, we’re looking at the possibility of two different Trojans: Badbox and Peachpit, both of which are pretty nasty bits of code.

One only needs to look at the extent of Badbox’s spread, which has hit over 74,000 Android devices worldwide. But Badbox isn’t just your average malware. Instead, we’re looking at a rather complex, interconnected series of fraud schemes.

Essentially, Badbox is a collection of firmware back doors that are installed via the regular hardware supply chain. Those devices get distributed into homes. Once booted and connected to a network, those devices immediately connect to what’s called a command-and-control server, where they then receive their instructions.

Badbox works with ad fraud, residential proxy services, fake email and messaging accounts, and the installation of malicious code. Peachpit is the ad fraud component of Badbox and can immediately start serving up ads for low-quality apps that, upon installation, will infect your devices with malicious code.

Attacks of this sort have been around for years, but they have grown more and more sophisticated. This time around, the cybercriminal operation (dubbed Badbox by Human Security) was discovered to be quite complex and global.

To make matters worse, Human Security discovered Badbox goes beyond the T95 devices to include seven different set-top boxes (T95, T95Z, T95MAX, X88, Q9, X12PLUS, and MXQ Pro 5G) as well as an Android tablet (the J5-W). These T95 (and knockoff) boxes are inexpensive, costing less than $50, so they can be attractive options for many users. The boxes are often either unbranded or sold under various names (which is a rampant phenomenon found in many online retailers).

Back in January, the first instance of a set-top box shipping with this pre-installed malware was reported. According to that report, the device (called the AllWinner T616 processor) used an Android 10 ROM and, once up and running, would attempt to connect to IP addresses associated with active malware.

With Badbox, over 200 different models of Android devices could be affected.

What can you do?

The solution to this is pretty simple: Don’t buy knockoff set-top boxes or devices. That sounds pretty simple but, in reality, it’s not so easy. When shopping on Amazon, you’ll find a never-ending stream of good deals. When you come across one of those deals that appeals to you, the first thing you should do is research the brand and device name.

If you’re looking at a device with a name like AllWinner, look it up. If you can’t find any information on the company, avoid it. If you find information from a reliable source that indicates the brand is both legit and trustworthy, you can continue considering the purchase. Otherwise, don’t even bother putting that item in your shopping cart.

Another thing you can do (which should apply to every aspect of your online usage) is to not click on ads… especially those that include typos, unfamiliar brand names, or offer services that sound too good to be true.

As a rule, I tend to never click on ads and I would suggest you follow suit.

The good news is that Google has confirmed the malicious apps have been removed from the Google Play Store. That doesn’t mean, however, that the Badbox vulnerability isn’t still at large. But if you avoid purchasing knock-off or cheap hardware devices and install only the apps you must have on your phones and tablets, you’ll have a better chance of avoiding such issues.


Malware-Infected Devices Sold Through Major Retailers – Infosecurity Magazine

Human Security has exposed a significant monetization method employed by a sophisticated cyber-criminal operation. This operation involved the sale of backdoored off-brand mobile and CTV (Connected TV) Android devices through major retailers, which had originated from repackaging factories in China.

The scheme, known as BADBOX, deploys the Triada malware as a “backdoor” on various devices such as CTV boxes, smartphones and tablets during the supply chain process in China.

Human’s Satori Threat Intelligence and Research Team observed more than 74,000 Android-based mobile phones, tablets, and CTV boxes showing signs of infection.

From a technical standpoint, the infected devices can steal personally identifiable information (PII), create fake messaging and email accounts and execute various fraudulent activities. Even after a factory reset, BADBOX-infected devices remain compromised, as the malware connects to a command-and-control (C2) server on first boot.

“The off-brand devices discovered to be BADBOX-infected were not Play Protect certified Android devices. If a device isn’t Play Protect certified, Google doesn’t have a record of security and compatibility test results,” a Google spokesperson told Infosecurity in an email.

“Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your device is Play Protect certified.”

Still, according to Human Security, BADBOX’s ability to infiltrate devices sold by trusted e-commerce platforms and retailers makes it particularly dangerous.

“This backdoor operation is deceptive and dangerous because it is nearly impossible for users to tell if their devices are compromised,” commented Human Security’s chief information security officer, Gavin Reid.

“Of the devices Human acquired from online retailers, 80% were infected with BADBOX, which demonstrates how broadly they were circulating on the market.”

Additionally, in November 2022, Human’s Satori Threat Intelligence and Research Team uncovered an “ad fraud module” within BADBOX that used hidden ads and fake clicks to defraud advertisers. They also identified a group of Android, iOS and CTV apps, known as PEACHPIT, that conducted similar ad fraud independently of BADBOX.

“The cyber-criminals behind PEACHPIT utilized methods such as hidden advertisements, spoofed web traffic, and malvertising to monetize their scheme and defraud the advertising industry,” said Marion Habiby, data scientist at Human.

Human Security worked with tech giants Google and Apple to disrupt the PEACHPIT operation, sharing information with law enforcement. This collaboration aimed to raise the cost for cyber-criminals and protect the advertising industry from fraudulent schemes.

UPDATE 05/10/2023: The article has been updated to include Google’s comment.
