SA’s cyberspace is under attack

By Luke Daniel for Business Insider

South Africa’s cyberspace has seen an increasing number of attacks linked to a China-based threat actor known as Mustang Panda that’s targeting telecommunications and banks, sometimes through false recruitment sites.

Attacks on South Africa’s vulnerable cyberspace are increasing. Data gathered by cybersecurity company Trellix shows a sustained surge in threats during the first quarter of 2022, which is not entirely unusual considering the holiday-associated lull in December and January.

The nature of these threats and intentions of the cybercriminals are, however, cause for alarm and extra vigilance. Trellix revealed, during its cyber threat intelligence briefing for South Africa on Wednesday, some of the main actors that have been especially active in 2022 so far.

Chief among these is Mustang Panda, also sometimes referred to as “RedDelta” or “Bronze President”.

The China-linked cyber-espionage group has been active for the last decade, but its attacks have increased significantly since the start of the Covid-19 pandemic. Its primary objective has been to gather intelligence on NGOs, non-profits, religious organisations, and think tanks in the United States and Europe.

In 2021, the McAfee Advanced Threat Research (ATR) Strategic Intelligence team, now Trellix, uncovered an espionage campaign targeting telecommunication companies, dubbed Operation Diànxùn. Trellix believes, “with a moderate level of confidence”, that this specific campaign, attributed to Mustang Panda, “has to do with the ban of Chinese technology in the global 5G roll-out.”

“Mustang Panda is quite prolific in South Africa for the last three months,” said Carlo Bolzonello, South Africa country lead for Trellix, during Wednesday’s briefing.

“From a South African perspective, they’ve been very active in the last three months around the banking and wealth management sector.”

Mustang Panda is believed to support the Chinese government, added John Fokker, head of cyber investigations and principal engineer at Trellix.

“In the past, especially in Europe, there was a big debate around 5G and about replacing 5G technology with specific Chinese-built technology at the core. And from a security perspective, this was a big debate,” said Fokker.

“And what we observed was Mustang Panda targeting telecommunications sectors in countries where this debate was most likely. And how they actually did it… they did actually have a fake career site, so we assume they posed as recruiters trying to recruit individuals with technical knowledge within the telecommunications sector and persuade them to open a file and then infect their computer.”

The ultimate goal of this campaign, according to Fokker, was to determine the position of a specific telecommunications company towards Chinese manufacturers.

Although recently noted for its attacks on South Africa’s banking and wealth management sector, Bolzonello added that attacks on the country’s telecommunication sector were also witnessed during the debate around 5G technology.

“Mustang Panda is there to collect data, stick around, and exfiltrate data out and that data could be used for numerous different things,” said Bolzonello.

“So, the risk is quite high with someone like a Mustang Panda that definitely has a reason to be there, in your environment.”

Mustang Panda generally utilises PlugX – part of the Remote Access Trojan (RAT) malware family – disguised as a legitimate file. Once downloaded, Mustang Panda effectively creates a backdoor for remote control of the victim’s device, with the ability to monitor the user’s activity and access data.


E-mail attack costs company R100m

By Myles Illidge for MyBroadband

Email security is becoming an increasingly important aspect of business in South Africa, and in one instance, spoofing resulted in a company losing R100 million to a malicious actor.

In an interview with CliffCentral, e-mail security firm Sendmarc co-founder Sam Hutchinson revealed that a malicious actor’s spoofed email resulted in the funds being paid into the wrong bank account. They have not been recovered.

“The largest loss I have dealt with personally is R100 million. That’s like enough money to never have to work again, and it’s just done with email fraud,” Hutchinson said.

“R100 million paid into the wrong bank account, and the money was lost. Gone.”

He added that the two companies involved in the transaction were now in a legal battle with one another to recover the funds.

Hutchinson said that smaller companies aren’t any less likely to be attacked.

“Now, if we talk about the size of an organisation, I deal with conveyancing companies who are three lawyers, and they are losing home transfers, which can be millions of rands,” he said.

“These are small companies using large amounts of money.”

Hutchinson mentioned that the smallest company he had worked with — a two-person travel agent — had their domain impersonated by an attacker, resulting in a school paying funds for a hockey tour into the wrong account.

“The whole under 16A hockey team didn’t go on tour,” he added.

Malicious actors undertake email spoofing to gain sensitive information or hijack transactions by impersonating organisations using forged email addresses.

Hutchinson explained that one of the best ways to prevent being caught out by email spoofing attacks is to implement Domain-based Message Authentication Reporting and Conformance (DMARC).

“If you look at the Gartner Security Report of two or three years ago, they said that email is one of the top five attack vectors for an organisation,” he said.

“If you look at organisations like the Hague … they say that DMARC is one of the top three things that an organisation must implement of any size.”

DMARC is an email validation system used to protect the domains of organisations from being used for email spoofing, phishing, and other cybercrimes.

Hutchinson explained that DMARC is particularly useful because whether any organisation has implemented it can be looked up globally, and that 50% of JSE-listed companies in South Africa have not implemented DMARC.

“DMARC is the global technical standard that stops attackers sending mail from you,” he said.

However, even though half of JSE-listed companies haven’t implemented DMARC, South Africa is making better progress than the EU and the US.

“If we look at the EU: 70%, if we look at the US: 72%. So, South Africa’s actually doing pretty well,” Hutchinson said.
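To turn the DMARC advice above into a check a mail administrator can run against their own domain, here is an added example (not code from Sendmarc, MyBroadband or the article): it parses a domain's DMARC TXT record and reports whether the published policy actually enforces against spoofing, or only monitors it. The domains and records are constructed samples; a real check would fetch the TXT record at _dmarc.<domain> via DNS.

```python
"""Assess whether a domain's DMARC TXT record actually enforces against spoofing.

Added example for this article (not Sendmarc's or MyBroadband's code). The
domains and records below are constructed samples; a real check would fetch
the TXT record published at _dmarc.<domain> via DNS.
"""
from dataclasses import dataclass, field

# Constructed sample records for the demo (no real organisation's records).
SAMPLE_RECORDS = {
    "example-bank.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-bank.test; pct=100",
    "example-mine.test": "v=DMARC1; p=none; rua=mailto:reports@example-mine.test",
    "example-shop.test": "v=DMARC1; p=quarantine; pct=10; sp=none",
    "example-agency.test": "v=spf1 include:_spf.example.test -all",  # SPF, not DMARC
}

ENFORCING = {"quarantine", "reject"}
VALID_POLICIES = ENFORCING | {"none"}


@dataclass
class DmarcAssessment:
    domain: str
    valid: bool             # record is a usable DMARC record at all
    policy: str             # p= tag: what receivers do with spoofed mail
    subdomain_policy: str   # sp= tag (defaults to p= per RFC 7489)
    pct: int                # share of failing mail the policy is applied to
    has_reporting: bool     # rua= aggregate reports configured
    enforcing: bool         # spoofed mail is quarantined/rejected in full
    notes: list = field(default_factory=list)


def parse_dmarc(record: str) -> dict:
    """Split a 'tag=value; tag=value' record into a dict.

    Returns {} unless the first tag is v=DMARC1, which RFC 7489 requires.
    """
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    first = record.strip().split(";", 1)[0].replace(" ", "").lower()
    return tags if first == "v=dmarc1" else {}


def assess(domain: str, record: str) -> DmarcAssessment:
    """Turn a raw record into an assessment a mail admin can act on."""
    tags = parse_dmarc(record)
    if not tags:
        return DmarcAssessment(domain, False, "missing", "missing", 0, False, False,
                               ["no v=DMARC1 record: anyone can spoof this domain"])
    notes = []
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        notes.append("p= tag missing or invalid; receivers will not apply a policy")
        policy = "none"
    sub = tags.get("sp", policy).lower()
    if sub not in VALID_POLICIES:
        notes.append("sp= tag invalid; falling back to p=")
        sub = policy
    try:
        pct = int(tags.get("pct", "100"))
        if not 0 <= pct <= 100:
            raise ValueError
    except ValueError:
        notes.append("pct= invalid; treating as 100")
        pct = 100
    has_reporting = "rua" in tags
    if policy == "none":
        notes.append("p=none only monitors; spoofed mail is still delivered")
    if sub == "none" and policy != "none":
        notes.append("sp=none leaves subdomains spoofable")
    if pct < 100:
        notes.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if not has_reporting:
        notes.append("no rua= address: you will not see who is spoofing you")
    enforcing = policy in ENFORCING and sub in ENFORCING and pct == 100
    return DmarcAssessment(domain, True, policy, sub, pct, has_reporting, enforcing, notes)


def share_not_enforcing(records: dict) -> float:
    """Percentage of domains not fully enforcing, in the style of the JSE figure."""
    results = [assess(d, r) for d, r in records.items()]
    weak = sum(1 for a in results if not a.enforcing)
    return round(100.0 * weak / len(results), 1) if results else 0.0


if __name__ == "__main__":
    for dom, rec in SAMPLE_RECORDS.items():
        a = assess(dom, rec)
        status = "ENFORCING" if a.enforcing else "SPOOFABLE"
        print(f"{dom:22} {status:10} p={a.policy} sp={a.subdomain_policy} pct={a.pct}")
        for n in a.notes:
            print(f"    - {n}")
    print(f"{share_not_enforcing(SAMPLE_RECORDS)}% of sample domains are not enforcing")
```

A record that parses but carries p=none, a partial pct or sp=none still leaves the domain spoofable, which is why the check reports the effective policy rather than mere presence of a record.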

Hutchinson said that he had noticed that specific sectors, such as mining and manufacturing, traditionally fall behind regarding their security measures, resulting in them being attacked a lot.

“[Regarding] certain sectors, it’s just traditional that their security is not necessarily up to scratch. We see it in some of the industrials and the manufacturing, the security has almost been an afterthought, and they actually get attacked a lot,” he said.

“I see the mining sector getting attacked a lot because they have such huge transaction amounts,” he added.


Ransomware is now a one-delivery system

Sophos, a global leader in next-generation cybersecurity, has published the Sophos 2022 Threat Report, which shows how the gravitational force of ransomware’s black hole is pulling in other cyberthreats to form one massive, interconnected ransomware delivery system – with significant implications for IT security.

The report provides a unique multi-dimensional perspective on security threats and trends facing organisations in 2022.

The Sophos 2022 Threat Report analyses the following key trends:

1. Over the coming year, the ransomware landscape will become both more modular and more uniform, with attack “specialists” offering different elements of an attack “as-a-service” and providing playbooks with tools and techniques that enable different adversary groups to implement very similar attacks. According to Sophos researchers, attacks by single ransomware groups gave way to more ransomware-as-a-service (RaaS) offerings during 2021, with specialist ransomware developers focused on hiring out malicious code and infrastructure to third-party affiliates. Some of the most high-profile ransomware attacks of the year involved RaaS, including an attack against Colonial Pipeline in the U.S. by a DarkSide affiliate. An affiliate of Conti ransomware leaked the implementation guide provided by the operators, revealing the step-by-step tools and techniques that attackers could use to deploy the ransomware.

Once they have the malware they need, RaaS affiliates and other ransomware operators can turn to Initial Access Brokers and malware delivery platforms to find and target potential victims. This is fuelling the second big trend anticipated by Sophos.

2. Established cyberthreats will continue to adapt to distribute and deliver ransomware. These include loaders, droppers and other commodity malware; increasingly advanced, human-operated Initial Access Brokers; spam; and adware. In 2021, Sophos reported on Gootloader operating novel hybrid attacks that combined mass campaigns with careful filtering to pinpoint targets for specific malware bundles.

3. The use of multiple forms of extortion by ransomware attackers to pressure victims into paying the ransom is expected to continue and increase in range and intensity. In 2021, Sophos incident responders catalogued 10 different types of pressure tactics, from data theft and exposure, to threatening phone calls, distributed denial of service (DDoS) attacks, and more.

4. Cryptocurrency will continue to fuel cybercrimes such as ransomware and malicious cryptomining, and Sophos expects the trend will continue until global cryptocurrencies are better regulated. During 2021, Sophos researchers uncovered cryptominers such as Lemon Duck and the less common MrbMiner taking advantage of the access provided by newly reported vulnerabilities, and of targets already breached by ransomware operators, to install cryptominers on computers and servers.

“Ransomware thrives because of its ability to adapt and innovate,” says Chester Wisniewski, principal research scientist at Sophos.

“For instance, while RaaS offerings are not new, in previous years their main contribution was to bring ransomware within the reach of lower-skilled or less well-funded attackers. This has changed and, in 2021, RaaS developers are investing their time and energy in creating sophisticated code and determining how best to extract the largest payments from victims, insurance companies, and negotiators. They’re now offloading to others the tasks of finding victims, installing and executing the malware, and laundering the pilfered cryptocurrencies. This is distorting the cyberthreat landscape, and common threats, such as loaders, droppers, and Initial Access Brokers that were around and causing disruption well before the ascendancy of ransomware, are being sucked into the seemingly all-consuming ‘black hole’ that is ransomware.

“It is no longer enough for organisations to assume they’re safe by simply monitoring security tools and ensuring they are detecting malicious code. Certain combinations of detections or even warnings are the modern equivalent of a burglar breaking a flower vase while climbing in through the back window. Defenders must investigate alerts, even ones which in the past may have been insignificant, as these common intrusions have blossomed into the foothold necessary to take control of entire networks.”

Additional trends Sophos analysed include:

  • After the ProxyLogon and ProxyShell vulnerabilities were discovered (and patched) in 2021, the speed at which they were seized upon by attackers was such that Sophos expects to see continued attempts to mass-abuse IT administration tools and exploitable internet facing services by both sophisticated attackers and run-of-the-mill cybercriminals
  • Sophos also expects cybercriminals to increase their abuse of adversary simulation tools, such as Cobalt Strike Beacons, mimikatz and PowerSploit. Defenders should check every alert relating to abused legitimate tools or combination of tools, just as they would check a malicious detection, as it could indicate the presence of an intruder in the network
  • In 2021, Sophos researchers detailed a number of new threats targeting Linux systems and expect to see a growing interest in Linux-based systems during 2022, both in the cloud and on web and virtual servers
  • Mobile threats and social engineering scams, including Flubot and Joker, are expected to continue and diversify to target both individuals and organisations
  • The application of artificial intelligence to cybersecurity will continue and accelerate, as powerful machine learning models prove their worth in threat detection and alert prioritisation. At the same time, however, adversaries are expected to make increasing use of AI, progressing over the next few years from AI-enabled disinformation campaigns and spoof social media profiles to watering-hole attack web content, phishing emails and more as advanced deepfake video and voice synthesis technologies become available

By Zaini Majeed for Republic World

In a shocking ‘virtual heist’ at a prestigious jewellery company, Russian hackers on Saturday, October 30 stole details of Hollywood stars and billionaire tycoons including Donald Trump, Oprah Winfrey, Tom Hanks, David Beckham, among many other prominent names.

According to several reports, the hackers conducted an online raid at Graff, a famous jewellery outlet, and one identified cybercriminal based near St. Petersburg compromised the personal information of the world’s most famous and influential people, as well as celebrities including Tom Hanks and Oprah Winfrey, UK’s Mirror reported earlier yesterday.

The criminal raid involves close to 600 Brits who are said to be among the victims. Russian hackers managed to leak as many as 69,000 confidential documents and other information on the dark web as they demanded millions in ransom from the London-based jewellery firm.

Another UK-based network, the Mail, reported that members of the Russian hacking gang Conti are suspected of the virtual heist. They are now asking the business to pay tens of millions of pounds in ransom money, supposedly in Bitcoin or jewellery. Of the compromised information, many of the credit notes, invoices and client lists from the business have been leaked.

But the information published on the dark web comprises just about 1% of the total stolen files, says the UK outlet. It quoted a former colonel in British military intelligence, Philip Ingram, as saying, “given the profile of the customer database, this is absolutely massive. This is going to bring the highest levels of international law enforcement down on the gang, and that’s going to give them a whole lot of headaches in trying to get the ransom paid and then get away with it.”

Meanwhile, a spokesman for the Information Commissioner’s Office (ICO), which can impose penalties of up to 4% of company turnover, told the Mirror: “We have received a report from Graff Diamonds Ltd regarding a ransomware attack.”

Furthermore, he said, “We will be contacting the organisation to make further enquiries in relation to the information that has been provided.” The jewellery firm Graff’s spokesperson said: “Regrettably we, in common with a number of other businesses, have recently been the target of a sophisticated – though limited – cyber-attack by professional and determined criminals.”

By Carol Hildebrand for CSO

As the COVID-19 pandemic triggered a massive shift in internet usage, cybercriminals quickly pounced, launching more than 10 million distributed denial-of-service (DDoS) attacks aimed at crippling targets with a heavy reliance on online services. Attack frequency spiked 20 percent year over year and 22 percent for the last six months of 2020.

According to the most recent NETSCOUT Threat Intelligence Report, vital pandemic industries such as ecommerce, streaming services, online learning, and healthcare all experienced increased attention from malicious actors targeting the very online services essential to remote work and online life.

The top 10 vertical industries under attack in the second half of 2020 further illustrate the enormous impact COVID-19 has had on DDoS attack activity. Threat actors have always embraced an opportunistic pivot, and this was no exception as they enthusiastically flocked to the ensuing smorgasbord of new opportunities.

The top 10 are:

  1. Wired telecommunications carriers
  2. Data processing, hosting and related services
  3. Wireless telecommunications carriers
  4. Internet publishing and broadcasting
  5. Electronic shopping and mail order houses
  6. Electronic computer manufacturing
  7. All other telecoms
  8. Colleges, universities and professional schools
  9. Software publishers
  10. Computer training

The top three listed sectors fall under the category of Old Faithfuls because attacks on both subscribers and their operational infrastructures are inherent to their role as connectivity providers. However, attackers widened their target profile beyond typical targets as the massive shift to online work and play opened promising new avenues of attack.

For instance, the fourth sector—Internet Publishing and Broadcasting—is by no means a usual suspect in the NETSCOUT top 10. Its presence can be summed up in two words: Netflix and Zoom.

Similarly, online shopping, which grew an impressive 44 percent in 2020, represents another pandemic stalwart that came under increased attack, as did online learning. Interestingly, this activity was seen not only at the usual hot spots of colleges and universities but also at the high school and middle school levels.

With DDoS-for-hire services both readily available and incredibly cheap, it seems likely that budding online delinquents set about playing hooky on an internet scale.


Source: OFM

More than 40% of victims of ransomware attacks in South Africa pay the cybercriminals responsible to try to secure or recover their data. But in many cases, the crooks simply disappear with the money.

This is according to a new report from security firm Kaspersky, which said 42% of local ransomware victims coughed up money to recover their data.

Whether they paid or not, only 24% of victims were able to restore all their encrypted or blocked files following an attack. Sixty-one percent lost at least some files; 32% lost a significant amount; and 29% lost a small number of files. Meanwhile, 11% who did experience such an incident lost almost all their data, Kaspersky said.

According to TechCentral, Marina Titova, head of consumer product marketing at Kaspersky, said handing over money doesn’t guarantee the return of data, and only encourages cybercriminals to continue the practice. Kaspersky always recommends that those affected by ransomware should not pay, as that money allows the scheme to thrive.

4m African web addresses have been stolen

Source: Business Insider SA

More than four million IP addresses have been misappropriated in what has been called Africa’s greatest internet heist. The extent of the theft, which first drew red flags back in 2016, has now been fully uncovered, revealing a trail of corruption, coverups, and a burgeoning black-market trade.

The results of an internal audit undertaken by the African Network Information Centre (AFRINIC) have finally been made public after almost two years of waiting. AFRINIC, which is responsible for the allocation and management of IP addresses on the continent, began its investigation after being contacted by the United States’ Federal Bureau of Investigation (FBI) in 2019.

Four years before the FBI drew attention to the numerous anomalies – and the Supreme Court of Mauritius, where it is headquartered, served AFRINIC with an order to investigate – the information centre was tipped off by internet investigator Ron Guilmette.

Guilmette’s collaboration with local tech publication, MyBroadband, resulted in a report which implicated AFRINIC co-founder and engineer Ernest Byaruhanga as the mastermind behind the heist.

In total, 4.1 million IP addresses were stolen, 2.3 million from AFRINIC’s “free pool” and a further 1.7 million “legacy” IP addresses. They were worth around R1.3 billion, according to MyBroadband.

An IP, or Internet Protocol, address allows devices to communicate with each other, by assigning a unique number to each device.

The current generation IPv4 addresses are, however, in seriously short supply. This shortage has, in turn, made IP addresses valuable.

AFRINIC tracks and manages IP addresses through the WHOIS system, which, as the title describes, records who or what is using a specific address. As part of its latest report on the theft, AFRINIC admits that its WHOIS database was severely compromised by internal staff who “acted in collusion with other third parties”.

IPv4 addresses, which were already reserved and in use by major organisations, were effectively hijacked and sold. These reappropriated IP addresses were used to forward spam, breach data records, and compromise websites.

Dozens of South African-based companies and organisations were impacted.

The Free State Department of Education and Anglo American both lost IP addresses to the value of almost R20 million, while the now-defunct Infoplan, which previously managed the Department of Defence’s information systems, was the worst hit, losing addresses worth approximately R80 million.

Three whole IP blocks, equating to almost 200,000 individual addresses, belonging to Woolworths were misappropriated. MyBroadband estimates the value of these stolen addresses to exceed R58 million.

Similarly, three IP blocks belonging to Nedbank – historically associated with Cape of Good Hope Bank Limited, Syfrets, and NBS Bank – were also part of the heist.

Other major South African organisations which had their IP addresses misappropriated include Nampak, Sasol, the City of Cape Town’s Directorate of Information Services, Transnet, and Independent Media’s Argus Holdings.

Approximately 1.5 million IP addresses have been reversed or reclaimed as part of AFRINIC’s audit. Most other addresses are still pending the outcome of a review process that will determine rightful custodianship.


Source: ITWeb

In 2020, Kaspersky detected a global average of 360 000 new malicious files each day, an increase of 5.2%, or 18 000 more, compared to the year before.

According to the security giant, this was influenced largely by a significant growth in the number of Trojans and backdoors, with a 40.5% and 23% increase respectively.

These were the findings of the Kaspersky Security Bulletin: Statistics of the Year Report.

Adware declines
On the plus side, adware is on the decline globally, and this scourge experienced a 35% decrease when compared to the previous year. However, not all regions were so lucky, with some noting an increase. In SA, for example, by the end of October last year, the average adware notifications per user increased slightly to over 33 in comparison to 32 for the whole of 2019.

It was also expected that for the duration of 2020, more than 256 000 South Africans would have been hit with adware.

The vast majority of malware detected, nearly 90%, occurred via Windows PE files – a file format specific to Windows operating systems. Concurrently, the number of new malware related to Android operating systems dropped by 13.7%.

Capitalising on remote workers
Given that remote working and studying were the order of the day during the pandemic, most likely on computers and laptops, threat actors seem to have shifted their focus to these devices.

Kaspersky saw a 27% increase in the number of different scripts, sent via malicious e-mail campaigns or encountered on infected Web sites, which could, once again, reflect the fact that people spent more time on the Internet and cyber criminals hoped to capitalise on that.

Denis Staforkin, a security expert at Kaspersky, said the rise in the number of malicious objects detected during 2020 can be attributed to the pandemic, as users across the globe were forced to spend more time on their devices and online.

“It’s hard to know whether or not attackers were more active or our solutions detected more malicious files simply because of greater activity. It could be a combination of both. Either way, we have registered a noticeable increase in the number of new malicious files in 2020, and this will most likely continue in 2021 as employees continue to work from home and countries implement different restrictions. However, if users take basic security precautions, they can significantly lower their risk of encountering them,” he says.

Better than cure
In order to stay protected, Kaspersky recommends that users pay close attention to, and don’t open, any suspicious files or attachments received from unknown sources. The company also advises users to double-check the URL format and company name spelling before downloading anything, not to download and install applications from untrusted sources, and not to click on any links received from unknown sources or on suspicious online advertisements.

“Create strong and unique passwords, including a mix of lower-case and upper-case letters, numbers and punctuation, and activate two-factor authentication. Also, always install updates. Some of them may contain critical security issues fixes.”

Finally, Kaspersky counsels users to ignore messages asking them to disable security systems for office software or antivirus software, and to always use a robust security solution appropriate to the system type and devices.


Source: MyBroadband, ESET

It’s time to file that tax return at SARS! Whilst many of us cannot wait for our refunds, this is also a time of the year where cybercriminals are waiting to attack. Sadly, with the tax season comes tax scams with cybercriminals seeking to steal your tax refund.

Carey van Vlaanderen, CEO at ESET South Africa explained: “Whilst we like to think we have become wiser to email spams and scams, cybercriminals are often in the perfect position to “fine tune” their attacks. If one attack doesn’t work, they simply adapt and improve, and then spam it out again.”

ESET offers the following tips to stay safe during the tax return season:

1. Are you worried you’re being phished? Look at the bait
Always look at who the email is from. It’s possible to fake any email address, but not all phishers are this clever – they may use a random email address that gives the game away. “Check the link that you’re supposed to click by hovering your mouse over it to display a pop-up message with the real link in it. Look closely. Does the address make sense? If any alarm bells start to ring, don’t click,” said van Vlaanderen.

2. Tax returns, invoices, wedding invitations – cybercriminals use them all
To a cybercriminal, nothing is sacred – wedding invitations, invoices and tax returns are all commonly used tactics. Always think hard before opening any attachment – even ones that seem to come from friends. It’s unlikely that SARS are asking you to refile your tax returns so please do not click.

3. Be extra careful around short URLs
If there isn’t a cap on the number of letters, why has someone shortened the link? You cannot take it for granted that URL shortening services are redirecting you to trustworthy websites.

4. Telephone numbers are not a guarantee an email is real
Do not trust professional-looking emails just because they carry a phone contact number – this is often another cybercriminal trick. The number may work, but you will be connected to a scammer who will attempt to fool you into handing over further details.

5. Don’t auto-load images
Configure your email client so that images aren’t automatically downloaded – otherwise you could be sending a signal to spammers. Images are often stored on the spammer’s servers and can be unique to your email. By turning on pictures in an email, your computer downloads the images from the spammer’s servers, showing that your address is live.

6. Is SARS really calling?
“It’s doubtful SARS will be calling you and they definitely are not going to offer any sort of gift card for filing early. If you get weird emails or phone calls, ignore them, or hang up. Always follow your gut.”

7. Encryption is the only way to go
If you file online, look for encrypted websites. Make sure the website you’re visiting has a URL starting with HTTPS. Typically, the browser will show a green or grey lock indicating a secure connection. The last thing you want to do is share the extremely private information associated with taxes unless you’re on an encrypted website.

8. Did someone beat you to filing your tax return?
Identity theft is growing. In the USA alone, almost 60 million people have been affected – that is more than 1 in every 6 Americans. Cybercriminals will use any opportunity to monetise the effort they have taken to steal an identity, and at this time of year it’s probably tax identity theft for the purposes of tax refund fraud.

The cybercriminal’s target is not only the individual but also the tax professionals who prepare and file taxes for many clients potentially providing a single place for a cybercriminal to gain all the necessary data to file returns for many individuals.

It’s important that good data security practices and technology are in place for both individuals and tax professionals and are reviewed for effectiveness on a frequent basis.

“The next time a person or website requests personal data, ask some questions – do they really need it, how long will they store it, will it be protected, do I trust them to secure it?” said Van Vlaanderen. “The collection of personal data is, for some, a business that provides great rewards – as consumers we need to engage in the protection of our identity by being less willing to hand over our data to just about anyone who requests it.”

In a nutshell, to protect yourself, use up-to-date security software such as that offered by ESET, strong and unique passwords or passphrases, and encryption; and avoid phishing scams by checking links and following your gut.

Reporting scams to the relevant authorities allows them to ascertain the scale of the issue and potentially track down the perpetrators and bring them to justice.

According to a recent MyBroadband article, Telkom has fallen victim to the group behind the Sodinokibi ransomware, also known as REvil.

The group has claimed responsibility for the attack and has threatened to leak the Telkom client database on its Dark Web blog.

The REvil / Sodinokibi group is one of several ransomware operators that steals sensitive data from victims and leaks it on the dark web if their targets don’t give in to their extortion demands.

The group has recruited a team of affiliates who carry out attacks on corporate networks.

According to speculation, the group may have tried to extort $1-million out of Telkom.

The company denied that its systems had been infected with ransomware.

Staff working remotely were unable to connect to servers or the Telkom virtual private network.
