Pete Recommends Weekly highlights on cyber security issues May 31, 2020

Subject: ‘Hundreds of millions of dollars’ lost in Washington to unemployment fraud amid coronavirus joblessness surge
Source: The Seattle Times

Washington state officials have acknowledged the loss of “hundreds of millions of dollars” to an international fraud scheme that hammered the state’s unemployment insurance system and could mean even longer delays for thousands of jobless workers still waiting for legitimate benefits.Suzi LeVine, commissioner of the state Employment Security Department (ESD), disclosed the staggering losses during a news conference Thursday afternoon. LeVine declined to specify how much money was stolen during the scam, which is believed to be orchestrated from Nigeria. But she conceded that the amount was “orders of magnitude above” the $1.6 million that the ESD reported losing to fraudsters in April.

LeVine said state and law enforcement officials were working to recover as much of the money as possible, though she declined to say how much had been returned so far. She also said the ESD had taken “a number of steps” to prevent new fraudulent claims from being filed or paid but would not specify the steps, to avoid alerting criminals.

“We do have definitive proof that the countermeasures we have put in place are working,” LeVine said. “We have successfully prevented hundreds of millions of additional dollars from going out to these criminals and prevented thousands of fraudulent claims from being filed.”

Subject: Ransomware deploys virtual machines to hide itself from antivirus software
Source: ZDNet

The operators of the RagnarLocker ransomware are running Oracle VirtualBox to hide their presence on infected computers inside a Windows XP virtual machine.The operators of the RagnarLocker ransomware are installing the VirtualBox app and running virtual machines on computers they infect in order to run their ransomware in a “safe” environment, outside the reach of local antivirus software.

This latest trick has been spotted and detailed today by UK cyber-security firm Sophos and shows the creativity and great lengths some ransomware gangs will go to avoid detection while attacking a victim.

What’s RagnarLocker?

Avoiding detection is crucial because RagnarLocker is not your typical ransomware gang. They’re a group that carefully selects targets, avoiding home consumers, and goes after corporate networks and government organizations only.

Sophos says the group has targeted victims in the past by abusing internet-exposed RDP endpoints and has compromised MSP (managed service provider) tools to breach companies and gain access to their internal networks.

Instead of running the ransomware directly on the computer they want to encrypt, the RagnarLocker gang downloads and installs Oracle VirtualBox, a type of software that lets you run virtual machines.

The group then configures the virtual machine to give it full access to all local and shared drives, allowing the virtual machine to interact with files stored outside its own storage.

The next step is to boot up the virtual machine, running a stripped-down version of the Windows XP SP3 operating system, called MicroXP v0.82.

The final phase is to load the ransomware inside the virtual machine (VM) and run it. Because the ransomware runs inside the VM, the antivirus software won’t be able to detect the ransomware’s malicious process.

An overview of the entire RagnarLocker ransomware, including its VM trick, is available in Sophos’ recent report.

Subject: Pro-Privacy Lawmakers Secure a Vote to Protect Browsing Data From Warrantless FBI Collection
Source: Gizmodo

In a hard-fought victory for privacy reformers, the U.S. House of Representatives is now expected to vote as early as Wednesday on an amendment that would explicitly prohibit the warrantless collection of internet search and browsing history without a warrant, sources tell Gizmodo.The decision comes after a week of difficult negotiations between Democratic leaders, who’ve overwhelmingly opposed the vote, and progressives and libertarian-leaning lawmakers who’ve found commonality through a mutual disdain for unbridled government surveillance.

Politico first reported on the agreement to allow a vote.

Though their political views greatly diverge on other matters, the two lawmakers have rallied a powerful coalition of supporters in Washington and beyond. Their focus has been to amend the USA FREEDOM Reauthorization Act, which will reinstate several surveillance tools that expired on March 15, including the collecting of “business records” under Section 215 of the Patriot Act.

Among those pushing to curb warrantless surveillance, several major tech companies signed a letter on Thursday urging Pelosi to allow a vote on the Lofgren-Davidson amendment. Apple, Facebook, Google, and Microsoft—members of the Reform Government Surveillance coalition—wrote that search and browsing history provides “a detailed portrait of our private lives,” including information about “medical conditions, religious beliefs, and personal relationships.”

Subject: Reality bites: Data privacy edition
Source: Help Net Security

May 25 2020 is the second anniversary of the General Data Protection Regulation (GDPR) and data around compliance with the regulation shows a significant disconnect between perception and reality.Only 28% of firms comply with GDPR; however, before GDPR kicked off, 78% of companies felt they would be ready to fulfill data requirements. While their confidence was high, when push comes to shove, complying with GDPR and GDPR-like laws – like CCPA and PDPA – are not as easy as initially thought.

Data privacy efforts

While crucial, facing this growing set of regulations is a massive, expensive undertaking. If a company is found out of compliance with GDPR, it’s looking at upwards of 4% of annual global turnover. To put that percentage in perspective, of the 28 major fines handed down since the GDPR took effect in May 2018, that equates to $464 million dollars spent on fines – a hefty sum for sure.

Additionally, there is also a cost to comply – something nearly every company faces today if they conduct business on a global scale. For CCPA alone, the initial estimates for getting California businesses into compliance is estimated at around $55 billion dollars, according to the State of California DoJ. That’s just to comply with one regulation.

Here’s the reality: compliance is incredibly expensive, but not quite as expensive as being caught being noncompliant. This double-edged sword is unfortunate, but it is the world we live in. So, how should companies navigate in today’s world to ensure the privacy rights of their customers and teams are protected without missing the mark on any one of these regulatory requirements?

So, what are the key takeaways? Make your data privacy efforts just as central as the rest of your security strategy. Ensure it is holistic and takes into account all facts and overlaps in the various regulations we’re all required to comply with today. Only then do you stand a chance at protecting your customers and your employees’ data and dodge becoming another news headline and a tally on the GDPR fine count.

More about

Subject: Thousands of enterprise systems infected by new Blue Mockingbird malware gang
Source: ZDNet

Thousands of enterprise systems are believed to have been infected with a cryptocurrency-mining malware operated by a group tracked under the codename of Blue Mockingbird.Discovered earlier this month by malware analysts from cloud security firm Red Canary, the Blue Mockingbird group is believed to have been active since December 2019.

Researchers say Blue Mockingbird attacks public-facing servers running ASP.NET apps that use the Telerik framework for their user interface (UI) component.

Some attacks pivot to internal networks. Red Canary experts say that if the public-facing IIS servers are connected to a company’s internal network, the group also attempts to spread internally via weakly-secured RDP (Remote Desktop Protocol) or SMB (Server Message Block) connections.

Subject: Don’t Be Fooled by Covid-19 Contact-Tracing Scams
Source: WIRED

“There’s no question, contact tracing plays a vital role in helping to stop the spread of Covid-19,” Colleen Tressler, an FTC consumer education specialist wrote in an alert on Tuesday. “But scammers, pretending to be contact tracers and taking advantage of how the process works, are also sending text messages. Theirs are spam text messages that ask you to click a link. Don’t take the bait.”

The malicious text messages can include links that either download malware onto your device with one click or take you to a phishing page that tricks you into inputting personal data or a password. One sample SMS scam provided by the FTC reads, “Someone who came in contact with you tested positive or has shown symptoms for Covid-19 & recommends you self-isolate/get tested.” It then prompts the target to learn more by tapping a URL. Such malicious texts could also direct you to call a fake hotline to continue the ruse and grab your information there.

“Because there hasn’t been a lot of communication yet about what an ‘official’ contact-tracing notice would look like, users have few ways to ascertain whether what they received is a scam,” says Jake Williams, a security consultant and founder of the firm Rendition Infosec. “This is only complicated by the fact that messages might differ across regions, health departments, etc.”

Subject: Johns Hopkins releases report on digital contact tracing to aid COVID-19 response
Source: Johns Hopkins via beSpacific

“Leading global experts contributed to the report, which offers clear guidance and recommendations on ethics and governance as digital technologies are developed to fight the pandemic: “Johns Hopkins University today released a comprehensive report to help government, technology developers, businesses, institutional leaders, and the public make responsible decisions around use of digital contact tracing technology, including smartphone apps and other tools, to fight COVID-19. Digital Contact Tracing for Pandemic Response—a report led by JHU’s Berman Institute for Bioethics in collaboration with the Center for Health Security at Johns Hopkins, as well as leading experts worldwide—highlights the ethical, legal, policy, and governance issues that must be addressed as digital contact tracing technologies, or DCTT, are developed and implemented. The report’s primary conclusions and recommendations advise that…”

Download Full Book

Subject: A flood of coronavirus apps are tracking us. Now it’s time to keep track of them
Source: MIT Tech Review via beSpacific

MIT Technology Review – Our Covid Tracing Tracker project will document them. “…When we began comparing apps around the world, we realized there was no central repository of information; just incomplete, constantly changing data spread across a wide range of sources. Nor was there a single, standard approach being taken by developers and policymakers: citizens of different countries were seeing radically different levels of surveillance and transparency. So to help monitor this fast-evolving situation, we’re gathering the information into a single place for the first time with our Covid Tracing Tracker—a database to capture details of every significant automated contact tracing effort around the world. We’ve been working with a range of experts to understand what we need to look at, pulling sources including government documents, announcements, and media reports, as well as talking directly to those who are making these apps to understand the technologies and policies involved…So far we have documented 25 individual, significant automated contact tracing efforts globally, including details on what they are, how they work, and what policies and processes have been put in place around them…The most accessible version of the database exists on the page you are reading right now, and on Flourish, a data visualization service. A public version of the underlying data is kept in this read-only spreadsheet, which we update once a day at 6 p.m. US Eastern Time…”

MIT Tech Review topic:


Subject: NSA Releases Advisory on Sandworm Actors Exploiting an Exim Vulnerability
Source: DHS CISA vis US-CERT

The National Security Agency (NSA) has released a cybersecurity advisory on Russian advanced persistent threat (APT) group Sandworm exploiting a vulnerability—CVE-2019-10149—in Exim Mail Transfer Agent (MTA) software. An unauthenticated remote attacker can use this vulnerability to send a specially crafted email to execute commands with root privileges, allowing the attacker to install programs, modify data, and create new accounts.Although Exim released a security update for the MTA vulnerability in June 2019, Sandworm cyber actors have been exploiting this vulnerability in unpatched Exim servers since at least August 2019 according NSA’s advisory, which provides indicators of compromise and mitigations to detect and block exploit attempts.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators and users to upgrade to the latest version of Exim and review NSA’s Advisory: Exim Mail Transfer Agent Actively Exploited by Russian GRU Cyber Actors and Exim’s page on CVE-2019-10149 for more information.

Subject: Coronavirus stimulus payments mistaken for junk mail; IRS issues clarification

The Internal Revenue Service issued a statement Wednesday clarifying that 4 million taxpayers are receiving delivery of Economic Impact Payments as debit cards rather than as paper checks or direct deposits — and that they are being sent in plain white envelopes bearing no official U.S. government markings.

“No idea if this is any indication of others’ experiences with their coronavirus stimulus money, but I almost threw mine out with the junk mail,” he said, adding that his name printed on the envelope and the card were incorrect.

Posted in: Cybercrime, Cyberlaw, Cybersecurity, Economy, Financial System, Government Resources, KM, Legal Research, Privacy, Technology Trends, Viruses & Hoaxes