Kyle Kucharski/ZDNETFollow ZDNET: Add us as a preferred source More

  An example of SmartBlock (right) in action.
Image: Mozilla
Mozilla has launched Firefox 87, with the latest version of the browser boasting “SmartBlock”, a new privacy feature touted as intelligently fixing web pages that are broken by tracking protections, without compromising user privacy.SmartBlock aims to bolster Firefox’s built-in content blocking feature — available across both private browsing and strict tracking protection modes for the past six years — which blocks third-party scripts, images, and other content from being loaded from cross-site tracking companies reported by Disconnect. Explained in a blog post, by blocking these tracking components, Firefox’s private browsing windows prevented these companies from watching users as they browse the internet. Doing so, however, risked blocking components that were essential for some websites to function properly.”This can result in images not appearing, features not working, poor performance, or even the entire page not loading at all,” Mozilla explained. “To reduce this breakage, Firefox 87 is now introducing a new privacy feature we are calling SmartBlock.”SmartBlock does this by providing local stand-ins for blocked third-party tracking scripts. “These stand-in scripts behave just enough like the original ones to make sure that the website works properly. They allow broken sites relying on the original scripts to load with their functionality intact,” the blog said.”We believe the SmartBlock approach provides the best of both worlds: strong protection of your privacy with a great browsing experience as well.”

Over on Chrome, from version 90, the browser’s address bar will use “https://” by default, unless otherwise specified.”Users often type ‘example.com’ instead of ‘https://example.com’ in the address bar. In this case, if it was a user’s first visit to a website, Chrome would previously choose http:// as the default protocol. This was a practical default in the past, when much of the web did not support HTTPS,” the Chromium blog explained.It touted that the move would improve the initial loading speed of sites supporting HTTPS, in addition to being a privacy improvement.This change will roll out initially on Chrome Desktop and Chrome for Android in version 90, with a release for Chrome on iOS to follow soon after.RELATED COVERAGEGoogle Chrome: It’s time to ditch the browserWe created the monster that Google Chrome has become. Only we can destroy it.What about Firefox?Is there a place for the plucky underdog browser any longer?Too many browser tabs? This impressive extension is my favorite solutionIf you regularly find yourself opening so many browser tabs that you can’t keep track of them all, you’re not alone. There are plenty of extensions that promise to conquer tab overload, but my favorite, Workona, offers a feature set that others can’t match. More

There’s been a surge in cyber criminals selling access to compromised corporate networks as hackers look to cash in on the demand for vulnerable networks from gangs looking to initiate ransomware attacks. Researchers at cybersecurity company Group-IB analysed activity on underground forums and said there’s been a sharp increase in the number of offers to sell access to compromised corporate networks, with the number of posts offering access tripling between 2020 and 2021. Crooks are claiming to offer access to compromised Virtual Private Network (VPN) and Remote Desktop Protocol (RDP) login credentials, as well as web shells, reverse shells, Cobalt Strike penetration testing tools and more. With this access, cyber criminals can access a company’s networks and attempt to gain access to usernames and passwords or administrator rights which allow them to gain further control over the network.  On the underground forums being analysed, the number of offers to sell access to corporate networks went up from 362 to 1,099, a rise of three times in just a year and the report warns that increase is “one of the clearest trends on underground forums”. Some of the most common industries to which access is being offered to include manufacturing, education, financial services and healthcare.  The cost of access varies greatly and can sometimes be offered for a few thousand dollars – something a ransomware crew could make back many times over from a successful attack. But there’s a direct correlation between access value and the victim’s company revenue – the higher the revenue, the higher the price.  

SEE: A winning strategy for cybersecurity (ZDNet special report)  One of the key reasons there’s been an increase in sellers is because there’s the demand which is being driven by the growth in ransomware attacks. Ransomware groups need access to networks and buying access is easier and less time consuming than compromising networks themselves. “Ransomware operators are the main “customers” of initial access brokers’ (IAB) services,” Dmitry Shestakov, head of cybercrime research at Group-IB told ZDNet. “This unholy alliance of IABs and ransomware operators as part of ransomware-as-as-a-service affiliate programs has led to the rise of the ransomware empire,” he added. Another reason for the growth of initial access markets is because there is a relatively low skills threshold for engaging in this sort of cyber crime. These less sophisticated cyber criminals can use phishing attacks or buy off-the-shelf malware to steal information.The report also suggests that gaining this initial access has got easier due to the rise in remote working as a result of the  pandemic, which has resulted in many organisations unintentionally using insecure or misconfigured applications which cyber criminals can easily exploit. And as long as there are insecure networks which can be accessed and a demand from other cyber criminals to buy access to those networks, the rise of the access broker market looks set to continue.”We expect the number of brokers and initial access offers to grow. As the supply increases to meet the demand, we expect the price of initial access to corporate networks to decrease,” said Shestakov. “Ransomware will remain the main way to monetize access to corporate networks because it provides the highest possible return on investment for IABs,” he added. There are measures which organisations can take to help avoid cyber criminals breaching the network and gaining access to credentials.  They include installing software updates and security patches on a regular and timely basis to protect against known vulnerabilities, encouraging the use of strong passwords which are difficult to breach in brute force attacks and applying multi-factor authentication to accounts so that if credentials are compromised, there’s limited opportunities for attackers to exploit them. MORE ON CYBERSECURITY More

New samples of the EKANS ransomware have revealed how today’s cyberattackers are using a variety of methods to compromise key industrial companies. In a research report published on Wednesday, FortiGuard Labs researchers Ben Hunter and Fred Gutierrez said that malware designed to attack industrial control systems (ICS) continues to be lucrative for threat actors. While […] More

Microsoft says 250 Office 365 customers in the US and Israeli defense technology sector have been targeted with ‘password-spraying’ attacks, where attackers try to access many accounts with commonly used passwords. The technique relies on people using variations of common passwords. The password attacks focussed on critical infrastructure companies operating in the Persian Gulf and were carried out by a group Microsoft is tracking as DEV-0343 – most likely a new group from Iran.  

ZDNet Recommends

The ‘DEV’ tag indicates that the group is not a confirmed state-sponsored attack group, but it could become one eventually. SEE: BYOD security warning: You can’t do everything securely with just personal devicesThe Microsoft Threat Intelligence Center (MSTIC) said it had observed DEV-0343 “conducting extensive password spraying against more than 250 Office 365 tenants, with a focus on US and Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation companies with business presence in the Middle East.”Microsoft said “less than 20″ of the targeted tenants were successfully compromised.The risk of compromise from password-spraying attacks is significantly reduced for organizations that roll out multi-factor authentication.    

The hacking group targeted companies that support US, European Union and Israeli organizations producing military radars, drones, satellite systems, and emergency response communication systems, as well as geographic information systems (GIS), spatial analytics, Persian Gulf ports, and maritime and cargo transportation companies in the region.”Microsoft assesses this targeting supports Iranian government tracking of adversary security services and maritime shipping in the Middle East to enhance their contingency plans. Gaining access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program,” Microsoft said. Microsoft last week raised a red flag over Russian state-sponsored hacking, labelling Russia’s intelligence hackers the most active cyber threat in the world. Not only are Kremlin-backed hackers more prolific, they’re also increasingly effective, according to Microsoft. It also flagged a significant uptick in Iranian hacks against Israeli organizations. “This year marked a near quadrupling in the targeting of Israeli entities, a result exclusively of Iranian actors, who focused on Israel as tensions sharply escalated between the adversaries,” Microsoft noted in its latest Digital Defense Report.Its latest warning to US and Israeli organizations operating in the Middle East says they should be on the lookout for suspicious Tor connections to their networks. 

“DEV-0343 conducts extensive password sprays emulating a Firefox browser and using IPs hosted on a Tor proxy network. They are most active between Sunday and Thursday between 7:30 AM and 8:30 PM Iran Time (04:00:00 and 17:00:00 UTC) with significant drop-offs in activity before 7:30 AM and after 8:30 PM Iran Time. They typically target dozens to hundreds of accounts within an organization, depending on the size, and enumerate each account from dozens to thousands of times. On average, between 150 and 1,000+ unique Tor proxy IP addresses are used in attacks against each organization,” Microsoft warned in a blogpost. SEE: Microsoft’s Windows 11: How to get it now (or later)DEV-0343 frequently targets the Exchange endpoints, including Autodiscover and ActiveSync, with password-spraying attacks. This allows DEV-0343 to validate active accounts and passwords, and further refine its password-spray activity, Microsoft said.Microsoft’s primary recommended defense is enabling multi-factor authentication since this should block remote access to accounts with compromised credentials. It also recommends admins check and enforce Exchange Online access policies and to block all incoming traffic coming from services like the Tor network.  More