Fake Darkside group threatens companies, Darkside affiliate group hits security camera maker, help from Google for software developers and more
Welcome to Cyber Security Today. It’s Monday June 21st. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Is there no honour among thieves? I ask that because some person or group is emailing organizations claiming to be the Darkside ransomware group and to have copied their data. That’s according to Trend Micro, which says energy and food industries in several countries, including Canada and the U.S., have recently received these threatening emails. The threat actor claims they have successfully hacked the victim’s computer network and copied sensitive information. Those documents will be publicly released unless a ransom of 100 bitcoins – which works out to about $4 million – is paid.
Trend Micro doubts this is the real gang because Darkside usually shows proof of stolen data by publishing a few documents. Whoever is sending these email messages isn’t offering evidence they’ve got the goods. Second, no victim’s data has been encrypted, which is another Darkside tactic. So this group is bluffing, so far. No one seems to have been fooled yet. The report notes that as of June 18th no one had paid any bitcoin into the attacker’s digital wallet. The lesson: investigate before giving in to a threat.
You may recall I reported that after attacking Colonial Pipeline and attracting a lot of police attention, the Darkside group announced last month it was closing. However, its affiliates are still looking for business.
According to security firm Mandiant, one of them recently compromised the website that delivers the software installation package of a video security camera manufacturer. The compromise would have allowed hackers access to the video feeds of this manufacturer’s customers, or access to their IT systems. Mandiant doesn’t think many firms were victimized.
This is a third-party supplier attack. These are dangerous because IT teams usually trust their suppliers, so can be blind-sided when they are victimized. As for suppliers, their reputation can be damaged if word gets out their software development process or their website delivering software were compromised.
That’s why Google last week released a proposed framework for software developers that would ensure their applications can’t be tampered with. Called Supply chain Levels for Software Artifacts – or SLSA for short – it’s based on a set of rules that Google developers have to follow. Briefly, developers could use SLSA to verify software code integrity at each step in the build process. The last step is a two-person review of all changes made to code before it is released. At the moment SLSA is a set of best practice guidelines. Google hopes the final framework will be integrated with the software build platforms used by application developers.
Cruise-line operator Carnival has suffered another data breach, the second in less than a year. The company, which operates a number of lines including Princess Cruises and Holland American Lines, is sending letters to customers saying in March someone was able to access internet email accounts with personal information of passengers, crews and employees. That information included names, addresses, phone numbers, passport numbers, dates of birth and health information. An official also told the Bleeping Computer news service that the attackers accessed part of the company’s IT system. By Bleeping Computer’s count, Carnival has been hit four times in just over a year, including two ransomware attacks.
I’ve mentioned before that cyber attacks using voicemail or fake phone numbers are on the rise. These are called vishing attacks, and leverage the same social engineering tricks as email or text phishing to fool victims: They try to get people worried or curious enough to phone a number. A security company called Armorblox last week issued a report on two of the most recent examples it’s seen. In one an email seems to come from Best Buy’s Geek Squad tech support, with the title ‘Order Confirmation.’ It claims your annual Geek Squad subscription has been renewed for $358. Well, you’d be worried if you never approved that renewal. The crooks are betting you’d protest by calling the billing department phone number in the message, where someone would try to get your personal information. There’s a big clue this is a scam: The message comes from a Gmail account.
The second scam seen pretends to be from security company Norton AntiVirus. It also claims to be an order confirmation for a subscription renewal. It also says if you want to cancel the subscription, call this number. There are two clues this is a scam. One is obvious – again, it comes from a Gmail account. The second is really subtle and shows some skill by the crook behind this scam: The message in the body of the email says the product is ‘Norton Protection.’ Those two words are capitalized. That’s odd. That alone should make you suspicious. But there’s a reason why this name is in caps. The capital ‘O’s in ‘Norton Protection’ have been replaced with zeros. Very few people would notice that.
Why do this? Because many security software products scan incoming email looking for suspicious messages like this. But that software looks for properly spelled brand names. The goal is to evade detection by those applications. However, some software won’t be fooled.
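The filter-evasion trick described above (zeros swapped in for capital O’s so a brand-name filter misses the word) is straightforward to undo on the defensive side. The following is an added example, not code from Armorblox or from any product mentioned on this page: it normalizes common digit-for-letter look-alikes before matching brand phrases, and combines that with the two other clues the stories mention, a free-mail sender address and a “call this number” demand. The sample emails, the brand-to-domain table, the look-alike table and the scoring rule are all constructed for illustration.

```python
"""Flag vishing-style emails: a brand name (possibly obfuscated with
digit-for-letter substitutions such as 'N0RT0N') invoked by a free-mail
sender together with a callback phone number.

Added example; samples, brand table and thresholds are constructed for
illustration and are not from the Armorblox report."""
import re

# Characters an attacker substitutes for letters so that a naive
# brand-name filter misses the word. Assumed set, not exhaustive.
LOOKALIKES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
})

# Brand phrases and the sender domains assumed to be legitimate for them.
# Illustrative table; a real deployment maintains its own.
BRANDS = {
    "geek squad": {"bestbuy.com", "geeksquad.com"},
    "norton protection": {"norton.com", "nortonlifelock.com"},
}

# Consumer webmail domains a real vendor would not bill from (constructed list).
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# North American style callback numbers, e.g. 1-800-555-0100 or (800) 555-0100.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
CALL_RE = re.compile(r"\b(call|dial|phone)\b", re.IGNORECASE)

# Constructed sample messages modelled on the two scams described in the text.
SAMPLES = [
    {"from": "geeksquad.billing@gmail.com", "subject": "Order Confirmation",
     "body": "Your annual Geek Squad subscription has been renewed for $358. "
             "Call billing at 1-800-555-0100 to dispute."},
    {"from": "renewals@gmail.com", "subject": "Order Confirmation",
     "body": "Your N0RT0N PR0TECTI0N subscription was renewed. "
             "To cancel call 1-800-555-0199."},
    {"from": "noreply@example-vendor.com", "subject": "Your receipt",
     "body": "Thanks for your purchase. View your invoice in your account."},
]


def normalize(text: str) -> str:
    """Lowercase, undo digit/symbol look-alikes, collapse whitespace."""
    text = text.lower().translate(LOOKALIKES)
    return re.sub(r"\s+", " ", text).strip()


def sender_domain(address: str) -> str:
    """Domain part of an address; good enough for the From header here."""
    return address.rsplit("@", 1)[-1].strip().lower()


def analyze(message: dict) -> dict:
    """Return the indicators found in one message and whether it is flagged."""
    reasons = []
    domain = sender_domain(message["from"])
    raw = f'{message["subject"]} {message["body"]}'
    raw_lower = raw.lower()
    norm = normalize(raw)

    if domain in FREEMAIL:
        reasons.append("freemail_sender")

    for brand, legit_domains in BRANDS.items():
        if brand in raw_lower:
            # Brand spelled normally: suspicious only if the sender is not the brand.
            if domain not in legit_domains:
                reasons.append(f"brand_impersonation:{brand}")
        elif brand in norm:
            # Brand appears only after undoing look-alike characters, i.e. the
            # spelling was deliberately altered to dodge keyword filters.
            reasons.append(f"homoglyph_brand:{brand}")

    if CALL_RE.search(raw) and PHONE_RE.search(raw):
        reasons.append("callback_number")

    # Flag when a brand is invoked (spoofed or obfuscated) alongside a
    # free-mail sender or a callback number; a plain receipt is left alone.
    brand_hit = any(r.startswith(("brand_impersonation", "homoglyph_brand")) for r in reasons)
    pressure = "freemail_sender" in reasons or "callback_number" in reasons
    return {"from": message["from"], "flagged": brand_hit and pressure, "reasons": reasons}


def scan(messages: list) -> list:
    """Analyze every message and return the per-message verdicts in order."""
    return [analyze(m) for m in messages]


if __name__ == "__main__":
    for verdict in scan(SAMPLES):
        print(verdict)
```

The point of `normalize` is that the brand check runs twice: once on the text as written and once after look-alike characters are mapped back to letters. A hit that appears only in the second pass is a stronger signal than a correctly spelled brand name, because it means someone went to the trouble of disguising the word, which is exactly the behaviour the story describes.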
Finally, those using the Google Chrome browser should make sure it’s on the latest version. A security update was issued late last week.
That’s it for now. Remember, links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.