
ZDNET’s key takeaways: The CUDA toolkit is now packaged with Rocky Linux, SUSE Linux, and Ubuntu. This will make life easier for AI developers on these Linux distros. It will also speed up AI development and deployments on Nvidia hardware. AI […]

Acer has confirmed a cyberattack on its offices in India this week after hackers with the Desorden Group claimed to have breached servers and stolen 60GB of files. The group emailed ZDNet about the hack, claiming to have customer and corporate business data as well as financial information. When asked, the hackers denied it was a ransomware attack and claimed to have had access to the company’s servers “over time.”

A spokesperson from Acer confirmed the hack, telling ZDNet that their security team recently detected an “isolated attack” on its local after-sales service system in India.

“Upon detection, we immediately initiated our security protocols and conducted a full scan of our systems,” an Acer spokesperson said. “We are notifying all potentially affected customers in India. The incident has been reported to local law enforcement and the Indian Computer Emergency Response Team, and has no material impact to our operations and business continuity.”

After receiving the message from Acer, ZDNet asked the hackers whether they still had access. “Acer is a global network of vulnerable systems. We no longer have access to their India servers. This is all we can reveal now,” the hackers said in a follow-up message.

This is the second cyberattack Acer has suffered this year after being hit with ransomware in March. The REvil ransomware group claimed that attack and demanded a $50 million ransom, one of the highest reported at the time. Acer offered to pay the group $10 million, which was rejected by the hackers.

The Record reported that the data stolen recently by the Desorden Group was posted to the cybercriminal forum RAID as well as being sent to reporters.

Acer India was hit with a similar cyberattack in 2012 by a Turkish cybercriminal group, according to DataBreaches.net. The attackers defaced the company website and leaked 20,000 user credentials at the time.

DataBreaches.net reported last month that the Desorden Group recently claimed to have hacked into the Malaysian servers of ABX Express Enterprise on September 23. Like the latest attack, the group sent reporters portions of the stolen files and posted them to the RAID forum. They claimed to have stolen 200GB of information, including the data of millions of Malaysians.

In messages to the site, the group said their name stands for “chaos and disorder” and that they had reorganized after originally going by the name “Chaos CC.” The group said it plans to attack supply chains and cause “disorder and chaos” that affects as many people as possible. The Desorden Group said it plans to hold data ransom and sell it if they are not paid. At the time, they claimed to have been negotiating a ransom with an unnamed Italian automotive supply company.

Bronze President has potentially shifted from Asia to focus on Russia as the invasion of Ukraine continues. Also known as Mustang Panda, TA416, or RedDelta, the Chinese cyberespionage group has been active since at least 2018 and has traditionally focused on gathering intelligence from NGOs, research institutes, and internet service providers (ISPs).
Past countries and regions on the hit list include Europe, Mongolia, Russia, Vietnam, and South Africa. According to Secureworks Counter Threat Unit (CTU), the group is either “sponsored or at the very least tolerated by the Chinese government” and “appears to be changing its targeting in response to the political situation in Europe and the war in Ukraine.”

Recent campaigns have primarily focused on Southeast Asia, with targets infiltrated for “political and economic” data theft and ongoing, long-term surveillance. However, CTU says that Bronze President has now pivoted to Russian speakers alongside European organizations. “This suggests that the threat actors have received updated tasking that reflects the changing intelligence collection requirements of the People’s Republic of China (PRC),” the researchers say.

Government-sponsored — or, perhaps, tolerated — cyberattackers are tasked with activities that will benefit their government somehow. This often includes intelligence-gathering, spying, and activities that improve situational awareness, especially in times of conflict. These activities don’t only target ‘enemies’ or ‘hostile’ states — they also extend to whoever a country considers an ally or friend. CTU suggests that the recent Bronze President shift could indicate “an attempt by China to deploy advanced malware to computer systems of Russian officials.”
Bronze President is suspected of targeting the Russian military. The team analyzed a malicious executable called “Blagoveshchensk – Blagoveshchensk Border Detachment.exe,” which was disguised with a .PDF icon and heavily obfuscated to hide a downloader for PlugX malware. (The city of Blagoveshchensk is close to the Chinese border and is home to part of the Russian military.)

If executed, the file will display a decoy document (written in English, oddly), which describes the refugee situation and EU sanctions. In the background, a downloader grabs PlugX from a command-and-control (C2) server previously tied to campaigns in Europe.

PlugX is a Remote Access Trojan (RAT) capable of file exfiltration, executing remote command shells, establishing a backdoor, and deploying additional malicious payloads. Bronze President has a wide range of tools, including Cobalt Strike, the China Chopper backdoor, RCSession, and ORat, at its disposal. In March, ESET said the group was taking advantage of the war to spread a new Korplug/PlugX RAT variant, dubbed Hodur, via Ukraine- and Russia-themed phishing campaigns.

In other cybersecurity news related to Russia and Ukraine, Aqua Security has been tracking the use of cloud repositories by those on both sides of the conflict. The researchers found that 40% of public repositories with descriptions or names linked to the invasion, including tools and guides, promoted denial-of-service (DoS) activities “aimed at disrupting the network traffic of online services.”

Microsoft has released an out-of-band patch to fix authentication failures on Windows after installing the May 10, 2022 security update on Windows Server domain controllers. The new update should fix authentication failures that affected services such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP).

“An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller,” Microsoft explained.

The US Cybersecurity and Infrastructure Security Agency (CISA) this week pulled Microsoft’s fix for the bug CVE-2022-26925 from its list of known exploited vulnerabilities that federal agencies must patch within a given timeframe. The bug was a Local Security Authority (LSA) spoofing vulnerability. Details of the bug have been publicly disclosed and exploits exist for it. An unauthenticated attacker could “call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows it,” Microsoft said. The bug would have a severity score of 9.8 when it is chained with NTLM relay attacks on Active Directory Certificate Services (AD CS), Microsoft added.

The authentication issue was only caused after installing the May 10 update on Windows Server domain controllers. Any previously applied workarounds are no longer needed, according to Microsoft. Microsoft’s out-of-band patch also fixes a separate issue, caused by the April KB5011831 or later updates, that stopped some Microsoft Store apps from opening.

The cumulative updates with the out-of-band fix are available for Windows Server 2022 (KB5015013), Windows Server, version 20H2 (KB5015020), Windows Server 2019 (KB5015018), and Windows Server 2016 (KB5015019). Microsoft has also released standalone updates for Windows Server 2012 R2 (KB5014986), Windows Server 2012 (KB5014991), Windows Server 2008 R2 SP1 (KB5014987), and Windows Server 2008 SP2 (KB5014990). Admins can manually import the updates into Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager.

An apparent ransomware attack has resulted in hundreds of self-service ticket machines across the Northern rail network in the north of England being taken offline. Customers of Northern, the rail company which serves towns and cities across northern England, are urged to use the mobile app, website or ticket offices while the ticket machines remain disrupted. The attack comes just two months after 600 Northern-operated touchscreen ticket machines were installed at 420 stations across the region. “Last week we experienced technical difficulties with our self-service ticket machines, which meant all have had to be taken offline,” a spokesperson for Northern told ZDNet.
“This is the subject of an ongoing investigation with our supplier, but indications are that the ticket machine service has been subject to a ransomware cyberattack.”

It hasn’t been detailed what form of ransomware Northern, which is government run, might have fallen victim to or how cyber criminals may have compromised the network, but the company says that “swift action” taken alongside payment and ticketing systems supplier Flowbird means the incident has only affected the servers that operate the ticket machines. “The issue was first identified through cyber-monitoring systems and our initial investigations indicated that the service may have been subject to a cyberattack,” a Flowbird spokesperson told ZDNet.

Both Northern and Flowbird say no customer information or payment data has been compromised by the attack. “We are working to restore normal operation to our ticket machines as soon as possible. We are sorry for any inconvenience this incident causes,” said the Northern spokesperson.

There’s currently no indication as to when the self-service ticket machines will be restored, whether Northern or Flowbird have been contacted by the cyber criminals behind the ransomware attack, or whether a ransom demand has been made. Ransomware attacks, where cyber criminals hack into networks, encrypt data and demand payment in exchange for the decryption key, have been a major cybersecurity problem during 2021. Such is the extent of the issue that world leaders discussed ransomware at last month’s G7 summit.