The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory in the aftermath of a devastating ransomware attack on Colonial Pipeline.
The alert, published on Tuesday, provides details on DarkSide, malware operators that run a Ransomware-as-a-Service (RaaS) network. DarkSide is responsible for the recent cyberattack on Colonial Pipeline.

Last Friday, the fuel giant said a cyberattack had forced the company to halt pipeline operations and temporarily pull IT systems offline to contain the incident, found to be an infection caused by DarkSide affiliates. Colonial Pipeline is yet to recover, and because it is a critical infrastructure provider, one which supplies 45% of the East Coast’s fuel and usually delivers up to 100 million gallons of fuel daily, the FBI has become involved.

“Cybercriminal groups use DarkSide to gain access to a victim’s network to encrypt and exfiltrate data,” the alert says. “These groups then threaten to expose data if the victim does not pay the ransom. Groups leveraging DarkSide have recently been targeting organizations across various CI sectors including manufacturing, legal, insurance, healthcare, and energy.”

The DarkSide ransomware is provided to RaaS customers. This cybercriminal model has proven popular as it only requires a core team to develop malware, which can then be distributed to others. RaaS, also known as ransomware affiliate schemes, may be provided on a subscription basis and/or the creators receive a cut of the profits when a ransom is paid. In return, the developers continue to improve their malware ‘product’.
DarkSide tries to portray itself in a ‘Robin Hood’ light, with terms of service for clients that dictate no medical, care homes, or palliative care providers should be targeted. The operators have been quick to distance themselves from the attack on Colonial Pipeline as a core country fuel provider and vaguely blamed the attack on a partner. “Our goal is to make money, and not creating problems for society,” DarkSide said.

The FBI/CISA advisory also includes advice and best practices for preventing or mitigating the threat of ransomware.

“CISA and FBI urge CI [critical infrastructure] asset owners and operators to adopt a heightened state of awareness and implement recommendations […] including implementing robust network segmentation between IT and OT networks; regularly testing manual controls; and ensuring that backups are implemented, regularly tested, and isolated from network connections,” the agencies say. “These mitigations will help CI owners and operators improve their entity’s functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if impacted by ransomware.”

Other recommendations include:

- Multi-factor authentication for remote access to IT networks
- Spam filters to mitigate phishing
- Network traffic filters
- Employee training programs
- Frequent patch processes
- Implementing security audits and risk assessments
- RDP restrictions
- Anonymization service connection monitoring

“CISA and the FBI do not encourage paying a ransom to criminal actors,” the agencies added. “Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.”
The Australian government has handed down its 2020 Cyber Security Strategy [PDF], with the Commonwealth to develop legislation that would impose cyber standards on operators of critical infrastructure and systems of national significance; consider what laws need to be changed to have a minimum cyber baseline across the economy; and create powers that allow the federal government to get on the offensive and actively defend networks and critical infrastructure.
“We work to actively prevent cyber attacks, minimise damage, and respond to malicious cyber activity directed against our national interests. We deny and deter, while balancing the risk of escalation,” the strategy states in its only use of bold typeface.
“Our actions are lawful and aligned with the values we seek to uphold, and will therefore be proportionate, always contextual, and collaborative.
“We can choose not to respond.”
As well as allowing it to attack networks, the new powers would also help the private sector recover from an attack.
“The nature of this assistance will depend on the circumstances, but could include expert advice [and] direct assistance or the use of classified tools. This will reduce the potential down-time of essential services and the impact of cyber attacks on Australians,” the strategy states.
The government intends to spend AU$62.3 million on a “classified national situational awareness capability” that would allow the government to “understand and respond” to threats on critical infrastructure and high priority networks.
“This will be complemented by increased incident reporting and near-real-time threat information from the most essential pieces of infrastructure as part of future regulatory requirements,” it said.
“To make use of all sources of threat information, the Australian government will deliver an enhanced threat-sharing platform, enabling critical infrastructure operators to share intelligence about malicious cyber activity with government and other providers at machine speed, and block emerging threats as they occur.”
An enforceable “positive security obligation” will be imposed on designated critical infrastructure operators through amendments to the Security of Critical Infrastructure Act 2018.
The government said it would also ensure Australia is not a soft target and continue to publicly call out countries when it is in the nation’s interest. The government would also hand law enforcement powers to target “criminal activity on the dark web”.
“The Australian government will confront illegal activity, including by using our offensive cyber capabilities against offshore criminals, consistent with international law,” it said. “The Australian government will continue to strengthen the defences of its networks, including against threats from sophisticated nation states and state-sponsored actors.”
Continuing to paint encryption as a tool used by criminals, the strategy said the government would “ensure” law enforcement has powers to tackle cyber crime.
“If our law enforcement agencies are to remain effective in reducing cyber crime, their ability to tackle the volume and anonymity enabled by the dark web and encryption technologies must be enhanced,” it said.
The government has also reversed its stance on leaving government departments responsible for their own cybersecurity, and will instead centralise the management and operations of Commonwealth networks.
“Centralisation could reduce the number of targets available to hostile actors such as nation states or state-sponsored adversaries, and allow the Australian government to focus its cyber security investment on a smaller number of more secure networks,” the strategy said.
“A centralised model will be designed to promote innovation and agility while still achieving economies of scale.”
The government also said it would work to get agencies to implement the Essential Eight mitigation strategies.
For businesses, the government will introduce a voluntary code of practice for internet-connected devices, as well as getting larger businesses to support smaller ones, as outlined in the industry advisory panel paper released last month.
“The Australian government will work with large businesses and service providers to provide SMEs with cybersecurity information and tools as part of ‘bundles’ of secure services (such as threat blocking, antivirus, and cybersecurity awareness training),” it states.
“Integrating cybersecurity products into other service offerings will help protect SMEs at scale and recognises that many businesses cannot employ dedicated cybersecurity staff.”
Should the code of practice fail to “drive change”, the government said it would look at implementing additional steps and also look to draw up a set of supply chain principles.
Per its recommendations, the industry advisory panel will also be morphing into a standing advisory committee.
In June, Australian Prime Minister Scott Morrison stated the country was under cyber attack from a state-based actor, widely tipped to be China.
“The Australian government knows it was a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used,” the strategy said on the attack.
The strategy also revealed that the Australian Signals Directorate will be used to target COVID-themed phishers, taking down their systems and “blocking their access to stolen information”.
Last month, the government announced the Cyber Enhanced Situational Awareness and Response (CESAR) package which would spend AU$1.35 billion over a decade on the nation’s security agencies. Around AU$470 million will be used to create 500 cyber-related jobs within the Australian Signals Directorate.
Beyond CESAR, the strategy put forward another AU$320 million in funding.
The strategy also introduced new cyber analogies.
“Cybersecurity allows families and businesses to prosper from the digital economy, just as pool fences provide peace of mind for households,” it said.
Pros:
- 355-degree pan, 140-degree tilt
- Solar panel charger

Cons:
- Will not work without SIM and data plan

On the surface, the Reolink Go PT external security camera is almost the same as the Reolink Argus PT camera. But it has one small but important difference.
You can place this camera almost everywhere. I say almost because this security camera will transmit signals from wherever it is to your mobile phone — as long as there is a cell phone signal.
The Go PT can run on 4G LTE and 3G networks. You do not need to connect this device to Wi-Fi to keep track of your valuables.
You do not even need to plug it into a power supply. The Go PT comes with a rechargeable battery or you can charge your Go PT device using the optional solar power pack.
Like the Reolink Argus PT, the Go PT has 355 degrees of horizontal panning and 140 degrees of tilt to monitor an almost complete field of view. Like the Argus PT, it has a PIR motion sensor, alerts, and will broadcast a voice alert. In fact, these cameras are almost the same.
All you need for the Go PT is to buy a SIM and set up a data contract for the card. That’s it.
The beauty of this device is that you can mount it far away from your Wi-Fi access point, and it will monitor and transmit via 3G or 4G data.
The Reolink app manages the Go PT and the controls are the same for all of the Reolink cameras. Connecting the camera to the app is simple.
I spent far longer getting the SIM card contract set up and activated than the time I spent connecting the camera to the app, and screwing the unit to the shed.
The biggest difference I noticed between the Argus PT and the Go PT was the mounting frame for the camera.
I felt that the Reolink Argus PT mount was flimsy, yet the mount for the Go PT — practically the same camera — was significantly better quality. It is still plastic, but I was happy to install this without fashioning an alternative mount for the camera.
With the solar panel included, the Reolink Go PT costs just under $290, but if you have a large property or are out of Wi-Fi range, this extra cost could be worth considering.
If you want to make sure your outbuildings are secure, and you have no power to these places, then the Reolink Go PT should certainly be on your list of security products to buy.
A new report from Mimecast has found that the US leads the way in the size of payouts following ransomware incidents. In the “State of Ransomware Readiness” study from Mimecast, researchers spoke with 742 cybersecurity professionals and found that 80% of them had been targeted with ransomware over the last two years.
Of that 80%, 39% paid a ransom, with US victims paying an average of $6,312,190. Victims in Canada paid an average of $5,347,508 while those in the UK paid nearly $850,000. Victims in South Africa, Australia, and Germany all paid less than $250,000 on average.

More than 40% of respondents did not pay any ransom, and another 13% were able to negotiate the initial ransom figure down.

Of the 742 experts who spoke to Mimecast, more than half said the primary source of ransomware attacks came from phishing emails with ransomware attachments, and another 47% said they originated from “web security.” Phishing emails that led to drive-by downloads were also a highly cited source of ransomware infections.

Less than half of respondents said they have file backups that they could use in the event of a ransomware attack, and almost 50% said they needed bigger budgets to update their data security systems.
Despite the lack of backups, 83% of those surveyed said they could “get all their data back without paying the ransom.” Another 77% of executives said they believed they could get their company back to normal within two days following a ransomware incident. This confused Mimecast researchers, considering nearly 40% of respondents admitted to paying ransoms. A number of respondents called for more training and more information-sharing about threats.

“Ransomware attacks have never been more common, and threat actors are improving each day in terms of their sophistication and ease of deployment,” said Jonathan Miles, head of strategic intelligence & security research at Mimecast. “Preparation is key in combating these attacks. It’s great to see cybersecurity leaders feel prepared, but they must continue to be proactive and work to improve processes. This report clearly shows ransomware attacks pay, which gives cybercriminals no incentive to slow down.”

Ransomware incident costs stretch far beyond the ransom itself; 42% of survey respondents reported a disruption in their operations, and 36% said they faced significant downtime. Almost 30% said they lost revenue, and 21% said they lost customers.

Another cost? Almost 40% of the cybersecurity professionals surveyed said they believed they would lose their jobs if a ransomware attack was successful. Two-thirds of respondents said they would “feel very or extremely responsible if a successful attack occurred.” When asked why, almost half said it would be because they “underestimated the risk of a ransomware attack.”
Microsoft has issued an alert over a remote access tool (RAT) dubbed RevengeRAT that it says has been used to target the aerospace and travel sectors with spear-phishing emails. RevengeRAT, also known as AsyncRAT, is being distributed via carefully crafted email messages that prompt employees to open a file masquerading as an Adobe PDF attachment, which in fact downloads a malicious Visual Basic (VB) file.
Security firm Morphisec recently flagged the two RATs as part of a sophisticated Crypter-as-a-Service that delivers multiple RAT families. According to Microsoft, the phishing emails distribute a loader that then delivers RevengeRAT or AsyncRAT. Morphisec says it also delivers the RAT Agent Tesla.

“The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo. An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads,” Microsoft said.

Morphisec named the cryptor service “Snip3” based on a username taken from the malware it found across earlier variants.
Snip3 has been configured not to load a RAT if it detects it is being executed within the Windows Sandbox, a virtual machine security feature Microsoft introduced in 2018. The Windows Sandbox is meant to allow advanced users to run potentially malicious executables within an isolated environment that won’t affect the host operating system.

“If configured by [the attacker], the PowerShell implements functions that attempt to detect if the script is executed within Microsoft Sandbox, VMWare, VirtualBox, or Sandboxie environments,” Morphisec notes. “If the script identifies one of those virtual machine environments, the script terminates without loading the RAT payload.”

If the RATs are installed, they connect to a command and control (C2) server and download more malware from paste sites like pastebin.com. Neither is something you want to find on any system: the RATs are known to steal credentials, video and images from a webcam, and anything that has been copied to the system clipboard for pasting elsewhere.

“The RATs connect to a C2 server hosted on a dynamic hosting site to register with the attackers, and then use a UTF-8-encoded PowerShell and fileless techniques to download three additional stages from pastebin[.]com or similar sites,” Microsoft Security Intelligence said. “The Trojans continuously re-run components until they are able to inject into processes like RegAsm, InstallUtil, or RevSvcs. They steal credentials, screenshots and webcam data, browser and clipboard data, system and network info, and exfiltrate data often via SMTP Port 587.”

Microsoft has published on GitHub some advanced hunting queries that security teams can use to hunt for these threats on their network. Its open-sourced threat intelligence to date includes keywords linked to Snip3 phishing emails that target the aviation sector, as well as a query that looks for a function call to a method named DetectSandboxie.
“This method is used in RevengeRAT and AsyncRAT instances involved in a campaign targeting the aviation industry, first observed in 2021. It has also been associated in the past with other malware, such as WannaCry and QuasarRAT,” Microsoft notes. WannaCry ransomware spread rapidly across the world in mid-2017 and was attributed to North Korean hackers. QuasarRAT was used in 2018 to steal credentials from the Ukrainian government.
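The behaviours Microsoft and Morphisec describe above (a VBScript dropper launching PowerShell, PowerShell injecting into RegAsm, InstallUtil or RevSvcs, downloads from paste sites, a method named DetectSandboxie, and exfiltration over SMTP port 587) can be turned into simple hunting logic over endpoint telemetry. The Python below is an added example written for this article; it is not Microsoft's published GitHub queries or Morphisec's code. The newline-delimited JSON log format, the field names, the rule names, and the sample telemetry (including the TEST-NET address 203.0.113.10) are all constructed assumptions.

```python
import json
from typing import Dict, List

# Constructed sample telemetry, one JSON event per line (not real logs).
# It models the chain described in the article: a .vbs attachment run by
# wscript, PowerShell launched from it, injection into RegAsm, a paste-site
# download, a sandbox-detection function, and outbound SMTP on port 587.
SAMPLE_EVENTS = """
{"type": "process", "parent": "outlook.exe", "image": "wscript.exe", "cmdline": "wscript.exe invoice.pdf.vbs"}
{"type": "process", "parent": "wscript.exe", "image": "powershell.exe", "cmdline": "powershell.exe -enc SQBFAFgA..."}
{"type": "process", "parent": "powershell.exe", "image": "RegAsm.exe", "cmdline": "RegAsm.exe"}
{"type": "network", "image": "RegAsm.exe", "dest": "203.0.113.10", "port": 587}
{"type": "network", "image": "outlook.exe", "dest": "198.51.100.5", "port": 587}
{"type": "network", "image": "powershell.exe", "dest": "pastebin.com", "port": 443}
{"type": "script", "image": "powershell.exe", "content": "function DetectSandboxie { ... }"}
{"type": "process", "parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe"}
"""

# Indicator sets taken from the article's description of the campaign.
INJECTION_TARGETS = {"regasm.exe", "installutil.exe", "revsvcs.exe"}
PASTE_SITES = {"pastebin.com"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Processes for which outbound SMTP submission is expected (assumed allow-list).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def parse_events(raw: str) -> List[Dict]:
    """Parse newline-delimited JSON telemetry, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def hunt(events: List[Dict]) -> List[Dict]:
    """Apply the hunting rules and return one finding per matching event."""
    findings: List[Dict] = []
    for ev in events:
        kind = ev.get("type")
        image = ev.get("image", "").lower()
        parent = ev.get("parent", "").lower()
        if kind == "process":
            # VBScript dropper handing off to PowerShell (fileless stage).
            if parent in SCRIPT_HOSTS and image == "powershell.exe":
                findings.append({"rule": "vbscript_spawns_powershell", "event": ev})
            # PowerShell starting one of the known injection targets.
            if parent == "powershell.exe" and image in INJECTION_TARGETS:
                findings.append({"rule": "powershell_spawns_injection_target", "event": ev})
        elif kind == "network":
            # SMTP submission from anything that is not a mail client.
            if ev.get("port") == 587 and image not in MAIL_CLIENTS:
                findings.append({"rule": "smtp_587_from_non_mail_client", "event": ev})
            # PowerShell fetching additional stages from a paste site.
            if image == "powershell.exe" and ev.get("dest", "").lower() in PASTE_SITES:
                findings.append({"rule": "powershell_paste_site_download", "event": ev})
        elif kind == "script":
            # Script block logging showing the DetectSandboxie method.
            if "detectsandboxie" in ev.get("content", "").lower():
                findings.append({"rule": "detectsandboxie_function", "event": ev})
    return findings


def rule_names(raw: str = SAMPLE_EVENTS) -> List[str]:
    """Convenience wrapper: names of the rules that fired, in event order."""
    return [f["rule"] for f in hunt(parse_events(raw))]


if __name__ == "__main__":
    for finding in hunt(parse_events(SAMPLE_EVENTS)):
        print(finding["rule"], "->", finding["event"])
```

Each rule fires on its own, so a single event chain produces several independent findings; correlating them on the host and time window (which the example leaves to the reader's SIEM) is what turns five weak signals into one strong alert. The port 587 rule in particular is only as good as the mail-client allow-list, which is an assumption and has to be tuned per environment.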