Biden administration bans Kaspersky software sales and sanctions the company’s executives

The Biden administration is set to ban the sale of Kaspersky’s products in the US, citing national security concerns over the firm’s ties to the Russian government. The ban is aimed at mitigating the risk of Russian cyberattacks, since the antivirus software’s privileged access to computer systems could allow it to steal sensitive information or install malware. The new rule, which leverages powers created during the Trump administration, will also add Kaspersky to a trade restriction list, barring US suppliers from selling to the company.

These restrictions, effective from 29 September, will halt new US business for Kaspersky 30 days after the announcement and prohibit downloads, resales, and licensing of the product. The decision follows a long history of regulatory scrutiny, including a 2017 Department of Homeland Security ban on Kaspersky products from federal networks due to alleged ties with Russian intelligence. Efforts by Kaspersky to propose mitigating measures were deemed insufficient to address these risks.

Furthermore, the U.S. Treasury Department sanctioned twelve executives and senior leaders from Kaspersky on Friday, marking another punitive measure against the cybersecurity company. The Office of Foreign Assets Control (OFAC) targeted the company’s chief operating officer, top legal counsel, head of human resources, and leader of research and development, among others. However, the company itself, its parent and subsidiary companies, and its CEO, Eugene Kaspersky, were not sanctioned.

This action follows a final determination by the Commerce Department to ban the Moscow-based company from operating in the U.S., citing national security risks and concerns about threats to critical infrastructure.

Why does it matter?

This latest move by the US authorities underscores the administration’s strategy of countering potential cyber threats amid the ongoing war in Ukraine. While the impact of the entity blacklisting on Kaspersky’s operations remains to be seen, it could significantly affect the company’s supply chain and reputation. Kaspersky, which operates in over 200 countries, has previously denied all accusations and, in response to earlier restrictive measures, has been operating a network of Transparency Centers under its Global Transparency Initiative (GTI), where the company makes its source code available for external examination.

Financial sector faces phishing attacks targeting Microsoft 365 accounts

According to a recent report by BleepingComputer, organisations within the financial sector have been targeted in a sophisticated attack campaign since February, where employees’ Microsoft 365 accounts were compromised using the ONNX phishing-as-a-service platform, suspected to be a revamped version of the Caffeine phishing kit. 

The attackers, posing as human resources departments, sent deceptive emails regarding salary updates with PDF attachments containing QR codes. Upon scanning these codes, recipients were redirected to a counterfeit Microsoft 365 login page undetected by standard phishing protections. EclecticIQ’s findings reveal that login credentials and two-factor authentication tokens entered on these fake pages were extracted by the attackers for subsequent email account hijacking and data theft activities. 

The ONNX PhaaS platform, accessible through Telegram, not only offers customisable Microsoft Office 365 phishing templates and various webmail services but also employs encrypted JavaScript code, Cloudflare services, and a bulletproof hosting service to evade detection.

Philippine Maritime Authority hit by system breach

The Maritime Industry Authority (MARINA) in the Philippines, the government agency responsible for integrating the development, promotion, and regulation of the country’s maritime industry, acknowledged on Monday that its online platforms suffered a security breach over the weekend. The breach affected four of MARINA’s systems, prompting an immediate response from the agency to secure its data.

Upon detecting the attack, MARINA swiftly deployed personnel to its central office in Manila’s Port Area on Sunday. The agency highlighted its quick actions in implementing protective measures. Presently, MARINA’s IT team is working in conjunction with the Department of Information and Communications Technology-Cybercrime Investigation and Coordinating Center (DICT-CICC) to probe the breach and mitigate potential risks to sensitive information.

While MARINA did not disclose the specific systems affected or the extent of the breach, these systems handle crucial data such as vessel registrations, seafarers’ information documents, and record books. As the regulatory body overseeing maritime activities, MARINA aims to have its systems fully operational by Tuesday to resume normal processing of applications.

This security incident adds to a string of cyberattacks targeting Philippine government entities. In May, the Philippine National Police (PNP) halted its online services following breaches that impacted its Logistics Data Information Management System and the Firearms and Explosives Office. Furthermore, in October 2023, a ransomware attack compromised the data of over 13 million members of the Philippine Health Insurance Corp.

UnitedHealth discloses potential theft of data from one-third of Americans

The Centres for Medicare and Medicaid Services have announced the discontinuation of a program designed to assist Medicare providers and suppliers impacted by disruptions at UnitedHealth’s technology division, Change Healthcare. 

Initiated in response to a hack at Change Healthcare on February 21st by threat actor ‘BlackCat’, the program will now cease accepting new applications as of July 12. It has distributed over $2.55 billion in expedited payments to 4,200 providers such as hospitals and $717.18 million to suppliers including doctors, non-physician practitioners and durable medical equipment suppliers, with a significant portion of these funds already recovered. Providers are now able to effectively submit claims to Medicare.

The cyber incident in February affected a key player in medical claims processing: Change Healthcare handles approximately half of all medical claims in the United States, serving about 900,000 physicians, 33,000 pharmacies, 5,500 hospitals, and 600 laboratories. The incident adds to the growing cyber threat facing the healthcare industry.

Medibank faces legal action in Australia over massive data breach

Following Medibank’s 2022 cyber incident, the Office of the Australian Information Commissioner has initiated legal proceedings against the company, alleging that the data breach affected 9.7 million individuals in total: 5.1 million Medibank customers, 2.8 million ahm customers, and 1.8 million international customers.

While Medibank initially blamed a third-party contractor and a ‘misconfigured firewall’ for the incident, a federal court case in Australia has revealed that the breach originated with an IT service desk operator at Medibank who stored multiple account credentials on his work computer, which gave a hacker a gateway into Medibank’s systems. The hacker exploited this access for nearly two months and extracted a substantial amount of personal data, estimated at around 520GB.

The breach was aggravated by the absence of multi-factor authentication on Medibank’s GlobalProtect VPN, a security gap that had been flagged in reports by KPMG and Datacom in 2020 and 2021. The Office of the Australian Information Commissioner has criticised Medibank for failing to promptly address these known security weaknesses, and legal action has been taken against Medibank in response to the breach. Moreover, the government has identified the alleged perpetrator as a Russian citizen named Aleksandr Gennadievich Ermakov and will be imposing sanctions against him under the new autonomous sanctions law. The incident underlines the importance of proactive risk mitigation to safeguard sensitive customer information from cyber threats.

Report uncovers hackers now use emojis to command malware

Researchers from the cybersecurity firm Volexity have uncovered a sophisticated cyber threat that uses the popular Discord messaging service for command and control (C2). The malware, named Disgomoji, was discovered during a targeted cyberattack on the Indian government this year. The attack was attributed to a suspected Pakistani threat actor known as UTA0137. The group uses emojis for C2 communication on the Discord platform, showcasing a new covert approach to conducting espionage campaigns against Indian government entities.

The Disgomoji malware, tailored to target Linux systems, specifically the custom BOSS distribution used by the Indian government, is highly sophisticated in its design and execution. Initial access to the targeted systems was believed to have been gained through phishing attacks using decoy documents as bait. Once inside, the malware established dedicated channels within Discord servers, with each channel representing an individual victim. That setup allowed the threat actor to interact with each victim separately, enhancing the precision and effectiveness of the attack.

Upon activation, Disgomoji initiated a check-in process, transmitting system information such as IP address, username, hostname, operating system details, and current working directory to the attacker. The malware used persistence mechanisms that ensured its survival across system reboots and allowed it to maintain a covert presence within the compromised systems. Communication between the attacker and the malware took place over an emoji-based protocol; in other words, commands were issued via emojis. For instance, while Disgomoji executes a command it responds with a “⏰” emoji, and upon completion it posts a “✅”.
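The per-victim channel, the check-in beacon and the ⏰/✅ status replies described above form a recognisable pattern in Discord message exports. The following detector is an added illustration, not Volexity’s code or any real detection rule; the check-in field names, the account names and the sample messages are constructed assumptions, and the operator’s command emojis are deliberately left as a placeholder.

```python
from dataclasses import dataclass
from typing import Optional

# Status emojis the article reports: "⏰" while a command runs, "✅" on completion.
RUNNING = "⏰"
DONE = "✅"

# The article says the check-in carries IP, username, hostname, OS details and
# the current working directory. These key names are an assumption; the
# heuristic only needs several of them to appear together in one message.
CHECKIN_HINTS = ("ip", "user", "host", "os", "cwd")


@dataclass
class Message:
    channel: str   # one Discord channel per victim, as the report describes
    author: str
    text: str


@dataclass
class ChannelState:
    beacon: Optional[str] = None   # account that posted the check-in
    running: int = 0               # "⏰" replies seen from the beacon account
    done: int = 0                  # "✅" replies that followed a pending "⏰"


def looks_like_checkin(text: str) -> bool:
    """Heuristic: a short message carrying at least three check-in fields."""
    lower = text.lower()
    return len(text) < 300 and sum(h + "=" in lower for h in CHECKIN_HINTS) >= 3


def find_suspicious_channels(messages: list) -> dict:
    """Return channels where a check-in was followed by ⏰ ... ✅ status replies."""
    states = {}
    for m in messages:
        st = states.setdefault(m.channel, ChannelState())
        if st.beacon is None:
            if looks_like_checkin(m.text):
                st.beacon = m.author
            continue
        if m.author != st.beacon:      # only replies from the check-in account count
            continue
        reply = m.text.strip()
        if reply == RUNNING:
            st.running += 1
        elif reply == DONE and st.running > st.done:
            st.done += 1
    return {ch: st for ch, st in states.items() if st.beacon and st.done > 0}


# Constructed sample export (not real data): one victim channel, one benign channel.
SAMPLE = [
    Message("victim-01", "agent-a1", "ip=203.0.113.7 user=analyst host=ws01 os=BOSS cwd=/home/analyst"),
    Message("victim-01", "operator", "<emoji command, placeholder>"),
    Message("victim-01", "agent-a1", "⏰"),
    Message("victim-01", "agent-a1", "✅"),
    Message("general", "alice", "release shipped"),
    Message("general", "bob", "✅"),
]
```

On the sample, only `victim-01` is flagged; the lone ✅ in `general` has no preceding check-in or ⏰ and is ignored.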

Why does it matter?

The malware’s capabilities extended beyond basic communication, including advanced functionalities such as network scanning using tools like Nmap, network tunnelling through Chisel and Ligolo, and data exfiltration via file sharing services. Disgomoji also employed deceptive tactics, masquerading as a Firefox update to deceive victims into sharing sensitive information like passwords. 

Volexity’s attribution to a Pakistan-based threat actor was supported by various indicators, including Pakistani time zones in the malware sample, infrastructure links to known threat actors in Pakistan, the use of the Punjabi language, and the selection of targets aligned with Pakistan’s strategic interests. The detailed analysis stresses the evolving sophistication of cyber threats and the critical importance of robust cybersecurity measures to safeguard against such malicious activities.

IOC implements AI for athlete safety at Paris Olympics

The International Olympic Committee (IOC) will deploy AI to combat social media abuse directed at 15,000 athletes and officials during the Paris Olympics next month, IOC President Thomas Bach announced on Friday. With the Games set to begin on 26 July, more than 10,500 athletes will compete across 32 sports, generating over half a billion social media engagements.

The AI system aims to safeguard athletes by monitoring and automatically erasing abusive posts to provide extensive protection against cyber abuse. That initiative comes amid ongoing global conflicts, including the wars in Ukraine and Gaza, which have already led to social media abuse cases.

Russian and Belarusian athletes, who will compete as neutral athletes without their national flags, are included in the protective measures. The IOC did not specify the level of access athletes would need to grant for the AI monitoring.

Despite recent political developments in France, including a snap parliamentary election called by President Emmanuel Macron, Bach assured that preparations for the Olympics remain on track. He emphasised that both the government and opposition are determined to ensure that France presents itself well during the Games.

US lawmakers press Microsoft president on China links and cyber breaches

At Thursday’s House of Representatives Homeland Security panel, Microsoft President Brad Smith addressed tough questions about the tech giant’s security measures and connections to China. The scrutiny follows a significant breach last summer when China-linked hackers accessed 60,000 US State Department emails by infiltrating Microsoft’s systems. Additionally, earlier this year, Russia-linked cybercriminals spied on emails of Microsoft’s senior staff, further intensifying concerns.

Lawmakers criticised Microsoft for failing to prevent these cyberattacks, which exposed federal networks to significant risk. They highlighted a report by the Cyber Safety Review Board (CSRB) that condemned Microsoft for lack of transparency regarding the China hack, labelling it preventable. Smith acknowledged the report’s findings and stated that Microsoft acted on most of its recommendations. He emphasised the growing threat posed by nations like China, Russia, North Korea, and Iran, which are increasingly sophisticated and aggressive in their cyberattacks.

During the hearing, Smith defended Microsoft’s role, saying that the US State Department’s discovery of the hack demonstrated the collaborative nature of cybersecurity. However, Congressman Bennie Thompson expressed dissatisfaction, stressing that Microsoft is responsible for detecting such breaches. Panel members also inquired about Microsoft’s operations in China, given its substantial investments there. Smith noted that the company earns around 1.5% of its revenue from China and is working to reduce its engineering presence in the country.

Despite facing significant criticism over the past year, some panel members, including Republican Congresswoman Marjorie Taylor Greene, commended Smith for accepting responsibility. In response to the CSRB’s findings, Microsoft has pledged to prioritise security above all else, launching a new cybersecurity initiative in November to bolster its defences and ensure greater transparency moving forward.

Apple refuses bug bounty to Kaspersky researchers despite iPhone spy vulnerabilities disclosure

Apple has declined to award a bug bounty to Kaspersky, the cybersecurity company, after disclosing four zero-day vulnerabilities in iPhone software. These vulnerabilities were reportedly exploited to spy on Kaspersky employees and diplomats from Russia. A spokesperson for Kaspersky stated that their research team believed their findings were eligible for Apple’s Bug Bounty rewards. However, upon inquiry, they received a decline from Apple’s Security team, citing the company’s policy.

Bug bounties serve as incentives for researchers to disclose vulnerabilities to companies, rather than selling them to malicious actors. Kaspersky’s disclosure last year revealed a highly sophisticated spying campaign dubbed ‘Operation Triangulation.’ Eugene Kaspersky, the company’s CEO, described it as ‘an extremely complex, professionally targeted cyberattack’ affecting several dozen iPhones of top and middle-management employees.

The campaign, suspected to be state-sponsored due to its sophistication and intelligence-focused targeting, utilised 13 separate bullet points in its attack chain. Simultaneously, Russia’s Federal Security Service (FSB) accused the United States and Apple of collaborating to spy on Russian diplomats.

The FSB’s allegations aligned with Russia’s computer security agency’s claim that both campaigns shared the same indicators of compromise. A critical concern was a vulnerability known as CVE-2023-38606, which affected an unusual hardware feature unused by iOS firmware. Kaspersky suggested it may have been included in the iPhone operating system mistakenly or for debugging purposes. Apple refuted claims of collaboration with any government to insert backdoors into its products, emphasising its commitment to user privacy and security.

Japanese Prime Minister urges legislation for pre-emptive cyber defense system

Japanese Prime Minister Fumio Kishida has directed his government to expedite the drafting of legislation to establish an active cyber defense system, enabling pre-emptive measures against cyberattacks. Addressing the inaugural meeting of an expert panel convened at the prime minister’s office, Kishida emphasised the pressing need to bolster the country’s cyber response capabilities.

The government of Japan aims to present the proposed legislation during the upcoming extraordinary parliamentary session scheduled for autumn. During the meeting, Digital Transformation Minister Taro Kono outlined three critical areas for discussion – enhancing information sharing between the public and private sectors, identifying servers involved in cyberattacks, and determining the extent of governmental authority.

Kono urged the panel, consisting of 17 experts including cybersecurity specialists and lawyers, to provide progress reports on these issues within the coming months, highlighting the urgency of addressing cybersecurity challenges. He also stressed the importance of establishing a system on par with those of the United States and European nations, while safeguarding the rights and interests of the people.