
  • Brazil sees improvement in data breaches

    Written by Angelica Mari, Contributing Editor

    Brazil has seen an improvement in its data breach situation, with an 80% decrease in the number of cases seen in the first three months of 2022, according to new research by cybersecurity company Surfshark. Over 285,000 Brazilians were breached between January and March, placing Brazil in the 12th position in the ranking of most breached countries globally. That compares with the situation in the last quarter of 2021, when Brazil occupied the fifth spot on the list with 1.45 million breached accounts, with major incidents involving organizations such as the Ministry of Health and Experian.

    According to the research, Russia topped the list of breached individual accounts in the first quarter of 2022, with more than 3.5 million users affected. The US ranks second on the list, followed by Poland, France, and India. On the other hand, data management incidents involving large companies continue to emerge in Brazil. For example, last week, the company running the network of McDonald’s restaurants in Latin America told some of its customers that their data could have been exposed after an incident involving one of its third-party suppliers.

    Arcos Dorados sent an email to some of its customers on Sunday (17) saying some of their data – including names, addresses, emails, telephone numbers, and social security numbers – was potentially exposed after the event. On the other hand, the firm said no sensitive data was exposed in the incident and included two email addresses customers could use to get in touch. Contacted by ZDNet, the company said that when it became aware of what had happened, it took the appropriate measures and contacted consumers that had their data exposed – the local data protection legislation requires companies to do so. Moreover, Arcos Dorados said it has also informed the National Data Protection Authority (ANPD).

    “Arcos Dorados repudiates this criminal activity and is working continuously to strengthen measures to protect its customers’ data, including reviewing and constantly updating security systems. We regret the situation and are providing communication channels to clarify any questions consumers might have”, the company added, without disclosing the name of the supplier that had exposed the data.

    The company isn’t new to major data exposure incidents. In 2019, Brazilian cybersecurity website The Hack reported that an unprotected Elasticsearch environment managed by an Arcos Dorados supplier had exposed over 2.3 million sensitive data records, including data from over 1 million McDonald’s employees.

  • This sneaky phishing attack tries to steal your Facebook password

    A sneaky phishing campaign aims to steal passwords from Facebook users – including administrators of company Facebook Pages. Detailed by cybersecurity researchers at Abnormal Security, the attack begins with a phishing email claiming to be from ‘The Facebook Team’, which warns that the user’s account “might be disabled and your page might be removed” due to repeatedly posting content that has been reported as infringing the rights of another user. The victim is invited to appeal the report by clicking on a link that the security researchers said goes to a Facebook post – and within this post there’s another link that directs users to a separate website in order to make their “appeal”.

    As part of the fake appeals process, the user is asked to provide sensitive information, including their name and email address. Before submitting the form, the user is also asked to enter their Facebook password.

    All this information is sent to the attacker, who can use it to log in to the victim’s Facebook page, collect information from their account and potentially lock them out of it. If the victim re-uses their Facebook email address and password for other websites and applications, the attacker can access those too.

    One of the reasons phishing attacks like this are successful is that they create a sense of urgency.

    “This is often enough to convince recipients to provide their personal information, particularly if they are using their Facebook account for business purposes,” said Rachelle Chouinard, threat intelligence analyst at Abnormal Security.

    What made this particular phishing campaign interesting to the security researchers was that it connected to a post on Facebook and that there was a link to a credential-phishing site within the post, which was disguised as a form to request an appeal.

    However, while the phishing email and phishing domain might have looked legitimate at first glance, there were clues that would have suggested that something might be off. For example, while the email contained Facebook branding and claimed to be from Facebook itself, the sender email address was not related to Facebook at all. In addition to this, attempting to reply to the sender email directs messages to an unrelated Gmail address.

    The language of the email is designed to create fear in the victim, scaring them with the prospect of losing their account. It’s unlikely an actual online service will send an email like this, but if you receive a message and do get worried, don’t click the link in the email. Instead, log in to the website directly. If something is wrong with your account, you’ll be able to find out there – without handing your password to cyber criminals.

    ZDNet contacted Facebook and the company pointed to advice to users on how to identify and report phishing attacks. Facebook’s Help Centre says anyone who thinks that their account has been phished should report it, change their password, and – in the security settings – log out of any devices that they don’t recognise. It’s also recommended that users turn on multi-factor authentication to increase account security against unauthorised logins. ZDNet also contacted Google – the company said the Gmail account used as part of the campaign has now been removed.
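
    The two header clues described above (a sender address unrelated to the brand the message names, and replies routed to an unrelated Gmail address) can be checked mechanically on incoming mail. This is an added example, not code from ZDNet or Abnormal Security; the brand-domain list, the free-mail list, the finding names and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: domains the named brand really sends mail from, plus a short
# free-mail list. Both lists are illustrative and need local maintenance.
BRAND_DOMAINS = {"facebook": {"facebook.com", "facebookmail.com", "meta.com"}}
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}

# Constructed sample messages (not taken from the campaign in the article).
PHISH = (
    'From: "The Facebook Team" <notice@page-appeals.example>\n'
    "Reply-To: constructed-example@gmail.com\n"
    "To: page.admin@company.example\n"
    "Subject: Your page might be removed\n"
    "\n"
    "Your account might be disabled. Appeal using the link below.\n"
)
LEGIT = (
    'From: "Facebook" <notification@facebookmail.com>\n'
    "To: page.admin@company.example\n"
    "Subject: You have a new notification\n"
    "\n"
    "Someone commented on your post.\n"
)


def domain_of(address):
    """Return the lower-cased domain of an e-mail address ('' if it has none)."""
    _, sep, domain = address.rpartition("@")
    return domain.lower() if sep else ""


def in_domains(domain, allowed):
    """True if domain equals, or is a subdomain of, one of the allowed domains."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_headers(raw_message):
    """Return a list of findings for one RFC 5322 message given as text."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # Clue 1: the display name or subject uses a brand name, but the sending
    # domain does not belong to that brand.
    claimed_text = (display_name + " " + msg.get("Subject", "")).lower()
    claimed = [brand for brand in BRAND_DOMAINS if brand in claimed_text]
    for brand in claimed:
        if not in_domains(from_domain, BRAND_DOMAINS[brand]):
            findings.append("brand-domain-mismatch")

    # Clue 2: replies are routed to a different domain than the sender's,
    # which is worse when that domain is a free-mail provider.
    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        reply_domain = domain_of(reply_addr)
        if reply_domain and reply_domain != from_domain:
            findings.append("reply-to-mismatch")
            if claimed and in_domains(reply_domain, FREEMAIL):
                findings.append("reply-to-freemail")

    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, check_headers(raw))
```

    A substring match on the brand name is deliberately coarse: it is meant to queue messages for review, not to block them outright.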

  • FBI: This ransomware written in the Rust programming language has hit at least 60 targets

    The BlackCat ransomware gang, known for being the first to use ransomware written in the Rust programming language, has compromised at least 60 organizations worldwide since March 2022, the Federal Bureau of Investigation (FBI) says in a new alert. BlackCat, which also goes by the name ALPHV, is a relatively new ransomware-as-a-service gang that security researchers believe is related to the more established BlackMatter (aka Darkside) ransomware gang that hit US fuel distributor Colonial Pipeline last May. 

    BlackCat appeared in November 2021 and was created by compromise experts or ‘access brokers’ that have sold access to multiple RaaS groups, including BlackMatter, according to Cisco’s Talos researchers.

    As ZDNet reported in February, BlackCat has hit several high-profile companies since December, including Swiss airport management service Swissport and two German oil suppliers. While much of the group’s efforts have been focused on striking several European critical infrastructure firms, Cisco notes in a March report that more than 30% of BlackCat compromises have targeted US firms.

    “As of March 2022, BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using Rust, considered to be a more secure programming language that offers improved performance and reliable concurrent processing,” the FBI says in its alert detailing BlackCat/ALPHV indicators of compromise.

    “BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero but have accepted ransom payments below the initial ransom demand amount. Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/BlackMatter, indicating they have extensive networks and experience with ransomware operations,” it continues.

    The BlackCat gang uses previously compromised user credentials to gain initial access to the victim’s system. The group then compromises Microsoft Active Directory user and administrator accounts and uses the Windows Task Scheduler to configure Group Policy Objects to deploy the ransomware. BlackCat also uses legitimate Windows tools – such as Microsoft Sysinternals, as well as PowerShell scripts – to disable security features in anti-malware tools, launch ransomware executables including on MySQL databases, and copy ransomware to other locations on a network.

    The group practices double extortion by stealing data prior to encrypting it in order to threaten victims with a leak in the event they don’t pay a ransom demand.

    Cisco said it was unlikely the BlackCat gang or affiliates were using an Exchange flaw. However, Trend Micro researchers last week claimed to have identified BlackCat exploiting the Exchange bug CVE-2021-31207 during an investigation. That was one of the ProxyShell Exchange bugs discovered in mid-2021.

    BlackCat has versions that work on Windows and Linux, as well as VMware’s ESXi environment, notes Trend Micro.

    “In this incident, we identified the exploitation of CVE-2021-31207. This vulnerability abuses the New-MailboxExportRequest PowerShell command to export the user mailbox to an arbitrary file location, which could be used to write a web shell on the Exchange Server,” the firm said.

    The Cybersecurity and Infrastructure Security Agency is urging organizations to review the FBI’s alert.

    The FBI is seeking information from the public about BlackCat compromises. It wants “any information that can be shared, to include IP logs showing callbacks from foreign IP addresses, Bitcoin or Monero addresses and transaction IDs, communications with the threat actors, the decryptor file, and/or a benign sample of an encrypted file.”

    As Windows Task Scheduler is commonly used by attackers to hide malicious activity within seemingly normal admin tasks, the FBI recommends organizations review Task Scheduler for unrecognized scheduled tasks, as well as to check domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.

  • Radia Perlman, who made LANs work, honored in 'Hidden Heroes' series

    Written by Tiernan Ray, Contributing Writer

    The computer network on which you’re working and playing functions because Radia Perlman figured out how to prevent computer network disasters. She did it in one afternoon.

    Nearly 40 years ago, Perlman’s boss at Digital Equipment Corporation, then a titan of the computer world, challenged her to find a way that computer networks could scale across multiple network segments spanning offices, cities, and regions.

    “He asked me on a Friday, and right before he was going away on vacation for a week, so he would be unavailable, just to make it extra challenging,” recalled Perlman. Undaunted, Perlman hit upon a solution later the same day. “I realized that night, ‘Oh, my god, it’s trivial,’” said Perlman, who has a disarming way of turning complex achievements into no big deal. “Yeah, you just think about it the right way; I knew just how to do it.”

    By Tuesday, Perlman had finished writing up the technical details of the spec for what would come to be known as spanning tree protocol, or STP, a key “layer two” technology for local area networks. “I spent the remainder of the week working on the poem that goes along with it,” she said.

    Perlman put her ode to spanning tree, “Algorhyme” (which deftly reconstitutes Joyce Kilmer’s “Trees” in exact meter) on the front page of her spec:

        I think that I shall never see
        A graph more lovely than a tree.
        A tree whose crucial property
        Is loop-free connectivity.
        A tree which must be sure to span
        So packets can reach every LAN.
        First the Root must be selected.
        By ID it is elected.
        Least cost paths from Root are traced.
        In the tree these paths are placed.
        A mesh is made by folks like me
        Then bridges find a spanning tree.

    Perlman recited the poem by heart to a group of reporters and admirers Thursday night in New York’s Meat Packing District, where she was honored as the subject of a multi-part series, “Hidden Heroes,” exploring the unsung innovators of computer technology. Published by the software development consultancy Netguru, the series is being compiled this year by noted technology reporter Steven Johnson, author of books such as Extra Life: A Short History of Living Longer and How We Got to Now. Johnson interviewed Perlman onstage. Johnson paid special thanks to the staff of Netguru, many of whom came to New York City this week from the company’s headquarters in Poznań, Poland. Netguru’s CEO, Marek Talarczyk, thanked the hidden heroes back home contending with the effects of Russia’s war in Ukraine, especially those who are helping over two million Ukrainian refugees who have entered Poland.

    Talarczyk explained the inspiration for Hidden Heroes as giving credit where credit is due. He related his own experience growing up enchanted by technologies that made the internet possible.

    “We honor business leaders such as Elon Musk, but we don’t always pay attention to those who started those technologies,” said Talarczyk. “It’s high time we pay tribute to those software pioneers.”

    Johnson echoed the sentiment and said, “Because innovation has generated such vast fortunes, when we think about world-changing ideas, our attention is drawn to the shiny objects of wealthy people.” “Sometimes innovation happens at a lower level,” added Johnson, referencing a realm of almost invisible technology that “just works,” such as networking protocols underlying the internet. “We want to make those invisible breakthroughs visible, that’s the ambition.”

    Perlman, who studied under AI pioneer Seymour Papert at MIT, first earning an undergraduate degree and later a PhD, is an unlikely computer science hero. “You hear about these engineers who grow up taking things apart, but I was never like that,” Perlman told the audience. “I never took anything apart because I was afraid I would break it.”

    “But I was always the best in math and science,” she recalled. Perlman’s strategy early on was to take on the hardest science problems, starting with physics. “I got as far as quantum mechanics, and then I was out of there,” switching to mathematics and later to computer science. “That’s the usual path people take: physics, math, computer science, and then humanities.”

    “[I had] no idea what I wanted to do, I was interested, kind of, in anything,” she said, “as long as it didn’t involve computers!”

    Mathematical thinking was “clear,” she said, but computer science classes never made any sense. “They would drive me crazy,” she said. “A professor would wax rhapsodic about object-oriented programming, and I didn’t understand, and then at some point, I’d realize, ‘Oh! You’re just saying the program should have a library!’”

    Perlman was drafted into programming by a teaching assistant at MIT who was eager to help a young person learn the art, given that an unskilled draftee would be cheaper to employ for programming tasks than a trained programmer. She was one of only a handful of women in the MIT dorms in an era of a one-to-fifteen gender ratio.

    “The school was full of these incredibly shy, awkward, sensitive boys who had never talked to a girl before,” said Perlman. “You would just say hello, and they would get all excited — “a girl talked to me” — and think they were going to get married. I felt so incredibly bad about that!”

    As a reluctant computer programmer, Perlman nevertheless discovered an ability to cut through the complexity and find foundational solutions to computer science problems. “My superpower is that I have no memory,” she explained. “I have to understand things so deeply that I can figure them out from a couple of concepts, and I get rid of all irrelevant details.” Most programmers, she observed, would do something like the opposite; they’d just start coding, working out details first.

    Perlman, who wrote one of the foundational textbooks that is required reading in networking, observes the discipline with dry wit. At Digital Equipment, for example, the networking technology she helped create (DECNet) was deemed “boring” by customers.

    “I said, ‘I’ll put knobs on it to make it more exciting, and if you touch them, nothing bad happens because all the knobs have the same setting!’” Her impulse, she said, was always to simplify. “I hate gadgets,” said Perlman. “I want to design things for people like me; I wanted you to be able to just plug it together and it works.” In many of the emerging settings for technology among DEC’s customers, she noted, ordinary people had to be able to depend on the network. “When you have a network in a hospital, doctors shouldn’t have to be network people,” she said.

    “I’m proud of making networks much more self-configuring so you don’t have to worry about them.”

    Her crowning achievement, the spanning tree protocol, was an exercise in elegance, a distillation of the problem down to a single, eidetic concept. The problem was that early computer networks consisted of individual machines with no knowledge of how they were all connected to one another. To pass a message from one machine to another, all the machines in between the two would forward on the message. Sometimes, because they didn’t know much, a computer along the way would mistakenly re-direct the message back to its originator. That could happen repeatedly, resulting in a never-ending loop of data transmission that could bring down the network.

    Image caption: A spanning tree is a form that takes shape inside a mesh, touching each vertex of the mesh only once. (Image: David Eppstein)

    To end the loops, Perlman came up with the idea for a few computers along the way to have more knowledge about the total structure of the network. They could forward the message to certain computers that were best placed not to send the message back to its originator. The smarter software in practice made the network a structure with no loops, just a tree shape, a branching form leading ever outward. In mathematics, a single path that connects all the points in space of a grid once and only once is called a spanning tree, hence, the name.

    The software rules written by a programmer set up a grid, but it’s the software operating in real-time that identifies the smartest path within that grid. Hence, Perlman’s final stanza of her poem recapitulates the spirit of Kilmer’s final stanza:

        A mesh is made by folks like me
        Then bridges find a spanning tree.

    Perlman is a realist about the evolution of computer technology. Many times, the best approaches to a problem don’t win out, she said. “Spanning tree was not ideal by any means,” she told ZDNet following the onstage interview. And neither was the Internet Protocol technology that became the heart of the internet, she said. Perlman believes the computing standard called Connectionless-mode Network Protocol (CLNP) which she was championing in the early 1990s, was the best option. But it lost out to IP version 6. The two technologies were promoted by competing technology standards organizations, and that made all the difference, she explained.

    “A lot of the time, we like to think that standards bodies are composed of very smart people who are thinking about the best approach to deep technical problems,” Perlman told ZDNet. “In fact, they’re a lot more like drunken sports fans.”

  • Ransomware attacks are hitting universities hard, and they are feeling the pressure

    Schools and universities are facing an unprecedented level of ransomware attacks as incidents continue to severely impact the education sector. The warning comes from Jisc, a not-for-profit organisation that provides network and IT services to higher education and research institutions. Jisc’s ‘Cyber Impact 2022’ report suggests there’s an increased threat of ransomware attacks against education. 

    According to the report, dozens of UK universities, colleges and schools have been hit with ransomware attacks since 2020, causing disruptions for staff and students, and costing institutions substantial amounts of money. In some incidents, Jisc says impact costs have exceeded £2 million.

    And the attacks keep coming, as the report details how two universities and a further education and skills (FES) provider were hit by separate ransomware attacks during March 2022.

    The institutions aren’t specified, but the report says each incident caused a significant impact as systems were taken down to prevent further spread of malware, and to safely recover and restore data. In one case, a third party was called in to help the organisation fully recover from the incident.

    According to Jisc, higher education views ransomware and malware as the top cybersecurity threat, followed by phishing and social engineering. The report suggests that one of the reasons universities have become such a common target for ransomware attacks is the pandemic-induced sudden shift to remote working for staff and students that inadvertently left institutions open to attack. For example, the switch to remote education led to a big rise in the use of remote desktop protocol, which can provide ransomware attackers with a route into networks.

    Cyber criminals can send out phishing emails to steal usernames and passwords, which they can use to enter networks via legitimate user accounts. It’s also possible for cyber criminals to use brute-force attacks to break into accounts that use common or previously breached passwords. “This underlines the importance of basic security controls being in place, such as protections against brute-force attacks,” says the report.

    While the threat posed by ransomware and other cyberattacks to higher education is well known, some institutions are struggling, particularly when IT and information security teams are hamstrung by a lack of resources. “We are doing our best, but all areas of IT support seem to be growing and requiring more attention and it’s one part of a larger role (where its importance should be far greater). The pandemic has only stretched us further,” an undisclosed FES provider told Jisc.

    One of the steps that organisations can take to protect accounts from being hacked and exploited to help launch a ransomware attack is to provide all users with multi-factor authentication (MFA). According to Jisc, there has been a sharp rise in the number of institutions that have MFA in place, although it hasn’t yet been rolled out across the board.

    It’s also recommended that universities encourage the use of strong, unique passwords, which are harder to guess and make it harder for cyber criminals to breach accounts, even if another account by the user has previously been stolen. In addition, it’s highly recommended that security patches are rolled out as soon as possible, so that devices, operating systems and software aren’t left exposed to known security vulnerabilities.

  • Is Microsoft really going to cut off security updates for my “unsupported” Windows 11 PC? [Ask ZDNet]

    Welcome to this week’s installment of Ask ZDNet, where we answer your burning tech questions.

    In the mailbag this week: Is Microsoft really threatening to cut off security updates for people who install Windows 11 on “unsupported” hardware? How can I make my online services more secure with 2FA? And why is it so difficult to get Google Fiber in a condo or apartment building?

    If you’ve got a question about any of the topics ZDNet covers, one of our team of editors and contributors probably has an answer. If they don’t, we’ll find an outside expert who can steer you in the right direction.

    Questions can cover just about any topic that’s remotely related to work and technology, including PCs and Macs, mobile devices, security and privacy, social media, home office gear, consumer electronics, business etiquette, financial advice… well, you get the idea.

    Send your questions to ask@zdnet.com. Due to the volume of submissions, we can’t guarantee a personal reply, but we do promise to read every letter and respond right here to the ones that we think our readers will care about.

    Ask away.

    Is Microsoft really going to cut off security updates for my ‘unsupported’ Windows 11 installation?

    I’ve read that Microsoft says installing Windows 11 on an unsupported PC means it won’t be entitled to receive updates in the future. If I do a clean install of Windows 11 on an incompatible PC, is my PC in danger of getting cut off from monthly security updates at some point in the future?

    Have you ever heard of FUD? The acronym, short for “fear, uncertainty, and doubt,” has been around a long time, but it was popularized in the 1970s as a way of describing how the giant IBM Corporation discouraged its customers from even considering competing products.

    FUD is a classic marketing technique used when there’s no good technical argument to make against the choice that the customer is contemplating. It’s odd, though, to see an example like this, in which the giant Microsoft Corporation is using FUD to discourage customers from installing one of its own products.

    The exact language in that warning is interesting:

        Installing Windows 11 on this PC is not recommended and may result in compatibility issues. If you proceed with installing Windows 11, your PC will no longer be supported and won’t be entitled to receive updates. Damages to your PC due to lack of compatibility aren’t covered under the manufacturer warranty. [emphasis added]

    This is, of course, the business-school version of “Gee, nice PC you got there. Be a shame if something happened to it.” But it really doesn’t say that Microsoft is going to cut off your access to updates; it simply says you’re no longer “entitled” to those updates. That word is a tell on Microsoft’s part, disclaiming legal responsibility without actually saying what it will do. In fact, it would require an awful lot of work on Microsoft’s part to configure its update servers to reject requests from PCs based on such detailed configuration information. Doing so would run a risk of snagging customers with valid installations, and it would needlessly anger customers who were otherwise having a perfectly good experience with Windows 11.

    Instead, that language is a way of convincing timid customers to retire those old PCs in favor of shiny new ones, thereby choosing the option that puts fresh revenue in the pockets of Microsoft and its OEM partners.

    This sort of confusion isn’t without precedent. Back in the days before Windows 10 launched, Windows skeptics were convinced that Microsoft was going to pull the rug out from updates based on some confusing language about the “supported lifetime of the device.” The world’s worst Windows pundit, in fact, was convinced Microsoft was going to start charging Windows 10 customers for updates within two years.

    That turned out to be a false alarm, for all the same reasons I outlined in this case.

    It’s possible, of course, that some future Windows update will cause performance and reliability issues on older PCs, but the idea that Microsoft will punish its customers for following a documented upgrade deployment procedure is, in my opinion, highly unlikely.

    How do I know which 2FA options are available for the services I use?

    A few weeks ago, you recommended using 2FA for online accounts and said using an app or even a hardware key for 2FA is most secure. How can I find out which security options are supported by the services I use? And what happens if your online account (bank, credit card, etc.) doesn’t support advanced security options?

    It’s incredibly frustrating to sign in to a service and discover that their advanced security options are weak or nonexistent. There are still too many sites that only support two-step verification using SMS codes, with no option to use an authenticator app or a hardware key.

    For the most part, finding out which authentication methods are available for a specific site usually requires signing in and then poking around the account options section. Look for anything with the words login or security.

    If you want to see how your service stacks up against its competitors, check out the excellent 2FA Directory, an open-source project that maintains an exhaustive list of websites, with details on whether and how they support 2FA. If your service isn’t measuring up, and switching is an option, this is definitely the place to start.

    How do I convince Google Fiber to extend service to my building?

    I’m about to move into a new condo, and I’ve been looking at my options for internet service. Just about every other building in the neighborhood has access to high-speed fiber options from AT&T or Google, but when I type my new address into either site, they tell me fiber service isn’t available. What can I do to get this option in my building? Am I stuck with Comcast?

    Cable TV has been around long enough that its infrastructure is pretty much ubiquitous in modern U.S. housing. That coaxial cable usually offers a connection to the Internet, at terms and prices that might or might not be competitive.

    One of the best new alternatives to cable is fiber, which typically has the advantage of being faster than cable and offering symmetrical download and upload speeds. Cable systems typically offer fast downloads but much slower upload speeds, which makes a difference when you’re working from home and you’re sharing big projects like video files.

    Google Fiber, which was an early pioneer in fiber deployment before hitting some speed bumps a few years back, appears to be trying to grow again. A recent news story says the company wants to move into Colorado Springs, even quoting Google Fiber’s general manager of expansion. As of April 2022, there are 20 cities listed on the Google Fiber website.

    Getting a fiber connection to a single-family home isn’t particularly difficult. Getting connections inside a multi-dwelling unit is a little more complicated. It requires an agreement from the owners of the apartment building or the management of a condo complex, followed by an inspection and then some construction.

    To handle the logistics of getting service to multiple households in a single building, you need a Network Demarc Point (NDP) outside the building and then a fiber distribution hub inside the building, with fiber distribution terminals and conduit throughout the building. For details on exactly what’s involved, see the Google Fiber Construction Stages and Constructions Guidelines documents.

    When we asked Google Fiber how you can get your building connected, they recommended that you ask your property manager to fill out the form at google.com/fiber/properties. You should expect a response “within a couple of weeks,” they said, from a team member who can assess whether service is available in the area and whether the building is suitable for connection. If the answer to both questions is yes, they can get the ball rolling.

    Send your questions to ask@zdnet.com. Due to the volume of submissions, we can’t guarantee a personal reply, but we do promise to read every letter and respond right here to the ones that we think our readers will care about. Be sure to include a working email address in case we have follow-up questions. We promise not to use it for any other purpose.  


  • in

    Android security: Flaw in an audio codec left two-thirds of smartphones at risk of snooping, say researchers

    Millions of Android devices were vulnerable to a remote code execution attack due to flaws in an audio codec that Apple open-sourced years ago but which hasn’t been patched since.

    Researchers at Check Point discovered a bug in Apple Lossless Audio Codec (ALAC), which is audio-compression technology that Apple open-sourced in 2011. After this, ALAC was embedded in Android devices and programs for audio playback.

    The problem, as Check Point researchers note, is that while Apple updated and patched its proprietary version of ALAC, the open-source code for ALAC hasn’t been updated since 2011 and it contains a critical flaw that allows for remote code execution.

    A remote attacker can exploit the flaw by sending the target a malformed audio file, which allows the attacker to execute malware on an Android device. The flaw “could have led an attacker to remotely get access to its media and audio conversations,” the researchers said.

    The bugs affect Android devices with chips from MediaTek and Qualcomm, which have both confirmed the flaws. Qualcomm patched the bug, tracked as CVE-2021-30351, in its December security update. MediaTek also addressed the ALAC issues, tracked as CVE-2021-0674 and CVE-2021-0675, in its December security update.

    Qualcomm gave CVE-2021-30351 a “critical” rating with a severity score of 9.8 out of a possible 10. “An out of bound memory access can occur due to improper validation of number of frames being passed during music playback,” Qualcomm says in its advisory.

    MediaTek rated CVE-2021-0675 as a “high” severity elevation of privilege bug due to “improper restriction of operations within the bounds of a memory buffer in alac decoder”. It affects dozens of MediaTek chips used in devices running Android versions 8.1, 9.0, 10.0, and 11.0, according to MediaTek.

    “In alac decoder, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation,” it notes. MediaTek says CVE-2021-0674 is a “medium” severity bug that “could lead to local information disclosure with no additional execution privileges needed.” Again, user interaction is not needed for exploitation.

    How many Android devices are vulnerable depends on how many people have installed firmware updates in which the flaws are fixed. But the two chipmakers are the largest vendors behind the systems on chips used in Android devices sold in the US and around the world.

    Check Point estimates that two-thirds of all smartphones sold in 2021 are vulnerable to what it calls “ALHACK”. Google did release a patch for the Qualcomm bug and MediaTek’s CVE-2021-0675 in its December 2021 update. However, it’s still up to each Android handset manufacturer to roll out patches at its own pace. Check Point plans to reveal more details about the flaws at the CanSecWest security conference next month.

  • in

    SpaceX and Amazon land NASA space communications deals

    An artist rendering of a NASA Tracking and Data Relay Satellite in orbit. 
    Image: NASA
    NASA has awarded deals to Amazon’s Project Kuiper satellite company and SpaceX’s Starlink as part of $287.5 million in funding for commercial operators to deliver the space agency’s future satellite communications. The funds were awarded to six satellite firms as part of NASA’s Communication Services Project (CSP), which looks to tap the private sector for near-Earth SATCOM replacements for its soon-to-be-decommissioned Tracking and Data Relay Satellite (TDRS).


    NASA awarded Amazon’s Kuiper Government Solutions $67 million for a “commercial optical low-Earth orbiting relay network for high- and low-rate SATCOM services to spacecraft in low-Earth orbit for routine missions, contingency operations, and early operations phase communications.”

    SpaceX landed $69.5 million for a commercial optical low-Earth orbiting relay network for high-rate SATCOM services to spacecraft in low-Earth orbit for routine missions, contingency operations, launch and ascent, and early-operations phase communications. Other winners of the program included Inmarsat, Viasat, Telecast, and SES.

    SpaceX has launched about 2,000 broadband-beaming Starlink satellites into low-Earth orbit (LEO), while Amazon has yet to launch any of its proposed satellite constellation. However, Amazon announced earlier this month that Project Kuiper had secured 83 launches from Arianespace, Jeff Bezos’ Blue Origin, and United Launch Alliance (ULA), which have enough capacity to carry the majority of its proposed 3,236 satellites. Amazon says it has more than 1,000 people working on Project Kuiper.

    The companies have until 2025 to demonstrate their technology can deliver new high-rate and high-capacity two-way communications. NASA wants multiple long-term deals with firms for near-Earth SATCOM operations by 2030, while it phases out its own systems.

    Eli Naffah, the head of NASA’s Communications Services Project (CSP), told Reuters the goal was to get industry to develop capabilities for customers that are “not just NASA, but other space-based customers as well, hopefully bringing down our costs.”

    As NASA explains, it envisages CSP services will be used by other government agencies and commercial space flight companies to support their own mission requirements. It also looks to shift data transmissions from being predominantly space-to-Earth towards higher-capacity, two-way communications.
