More stories

  • Ransomware: Over half of attacks are targeting these three industries

    Over half of ransomware attacks are targeting one of three industries: banking, utilities and retail, according to analysis by cybersecurity researchers – but they’ve also warned that all industries are at risk from attacks. The data has been gathered by Trellix – formerly McAfee Enterprise and FireEye – from detected attacks between July and September 2021, a period when some of the most high-profile ransomware attacks of the last year happened. According to detections by Trellix, banking and finance was the most common target for ransomware during the reporting period, accounting for 22% of detected attacks. That’s followed by 20% of attacks targeting the utilities sector and 16% of attacks targeting retailers. Attacks against the three sectors alone account for 58% of all of those detected.

    Utilities is a particularly enticing industry for ransomware gangs to target, because the nature of the industry means it provides vital services to people and businesses, and if those services can’t be accessed there is an immediate impact – as demonstrated by the ransomware attack against Colonial Pipeline, which led to gas shortages in the North Eastern United States. The incident saw Colonial paying a ransom of millions to cyber criminals in order to receive the decryption key.

    Ransomware attacks against retailers can also have a significant impact, forcing shops to be restricted to taking cash payments, or even forcing them to close altogether while the issue is resolved, preventing people from buying everyday items they need. Other sectors that were significant targets for ransomware include education, government and industrial services, serving as a warning that no matter which sector they operate in, all organisations could be a potential target for ransomware.

    “Despite the financial, utilities and retail sectors accounting for nearly 60% of all ransomware detections – no business or industry is safe from attack, and these findings should act as a reminder of this,” said Fabien Rech, VP EMEA for Trellix. “As cybercriminals adapt their methods to target the most sensitive data and services, organisations must shore up their defences to mitigate further threats.”

    While several high-profile ransomware groups of 2021 seem to have disappeared or gone dark, particularly following arrests, new gangs and malware strains are emerging all the time, and ransomware remains a key cybersecurity threat to organisations around the world. To help protect networks against ransomware and other cyber attacks, it’s recommended that organisations regularly apply the required security updates to operating systems, applications and software, which can prevent hackers from exploiting known vulnerabilities to launch attacks. It’s also recommended that organisations apply multi-factor authentication across all accounts, and that security teams scan for credential-stealing attacks and other suspicious activity in order to stop attacks before they happen.

  • Unsecured AWS server exposed 3TB in airport employee records

    An unsecured server has exposed sensitive data belonging to airport employees across Colombia and Peru. 


    On Monday, the SafetyDetectives cybersecurity team said the server belonged to Securitas. The Stockholm, Sweden-based company provides on-site guarding, electronic security solutions, enterprise risk management, and fire & safety services. In a report shared with ZDNet, SafetyDetectives said one of Securitas’s AWS S3 buckets was not appropriately secured, exposing over one million files on the internet.

    The server contained approximately 3TB of data dating back to 2018, including airport employee records. While the team was not able to examine every record in the database, four airports were named in exposed files: El Dorado International Airport (COL), Alfonso Bonilla Aragón International Airport (COL), José María Córdova International Airport (COL), and Aeropuerto Internacional Jorge Chávez (PE). The misconfigured AWS bucket, which did not require any authentication to access, contained two main datasets related to Securitas and airport employees. Among the records were ID card photos and personally identifiable information (PII), including names, photos, occupations, and national ID numbers. In addition, SafetyDetectives says that photographs of airline employees, planes, fueling lines, and luggage handling were also found in the bucket. Unstripped EXIF metadata in these photographs was also exposed, revealing the time and date the photographs were taken as well as some GPS locations.
    “Considering Securitas’ strong presence throughout Colombia and the rest of Latin America, companies in other industries could have been exposed,” the researchers say. “It’s also probable that various other places that use Securitas’ security services are affected.”

    Application IDs listed within mobile apps were also stored in the bucket. The IDs were used for airport activities, including incident reports, which is what pointed the researchers to the likely owner in the first place. The cybersecurity researchers reached out to Securitas on October 28, 2021, and followed up on November 2 after receiving no response. Securitas engaged in conversation with the team and secured the server on the same day. Swedish CERT was also informed. ZDNet has reached out to Securitas, and we will update when we hear back.

  • Microsoft: Here's how we stopped the biggest ever DDoS attack

    Microsoft has revealed that in November it stopped what it described as the largest distributed denial of service (DDoS) attack ever reported, which at 3.47 terabits per second (Tbps) outsized the 2.4 Tbps DDoS it thwarted last year, then thought to be the largest DDoS in history. DDoS attacks harness the connectivity of many compromised devices and direct packets of data at a specific target, such as a website or internet service, with the aim of knocking it offline.


    Massive DDoS attacks measured in Tbps are becoming more common. According to Alethea Toh, a product manager on the Microsoft Azure networking team, Microsoft stopped two other DDoS attacks that exceeded 2.5 Tbps in December.

    The record-breaking 3.47 Tbps DDoS attack originated from approximately 10,000 sources from connected devices in the United States, China, South Korea, Russia, Thailand, India, Vietnam, Iran, Indonesia, and Taiwan. “We believe this to be the largest attack ever reported in history,” said Toh.

    The largest attacks last year used the User Datagram Protocol (UDP), while attacks focusing on gaming servers were carried out using variants of the Mirai DDoS botnet malware, which relies on compromised PCs and Internet of Things (IoT) devices. Like last year’s huge DDoS attack, the attack vector in the 3.47 Tbps DDoS attack was a UDP “reflection attack”, where UDP request and response packets are reflected off third-party servers using a source Internet Protocol (IP) address that’s been spoofed by the attacker.

    An attacker abuses UDP by creating a valid UDP request that falsely lists a target’s IP address as the UDP source IP address. The attacker sends the spoofed UDP request to a middleman server, which sends a larger number of UDP response packets to the target’s IP address rather than to the attacker’s actual IP address. The technique amplifies the size of a DDoS attack, and UDP is the transport for several internet services that can be abused for amplification, including the Domain Name System (DNS), the Network Time Protocol (NTP), and memcached. The 3.47 Tbps UDP reflection attack lasted only 15 minutes, Toh explains in a blogpost. The two other attacks that surpassed 2.5 Tbps were also short bursts targeting servers in Asia. UDP was used in all three cases. The protocol has proved popular for these attacks because online-gaming servers can’t withstand high-volume attacks, even in short bursts. Also, UDP is commonly used in gaming and streaming applications.

    “The majority of attacks on the gaming industry have been mutations of the Mirai botnet and low-volume UDP protocol attacks. An overwhelming majority were UDP spoof floods, while a small portion were UDP reflection and amplification attacks, mostly SSDP, Memcached, and NTP,” notes Toh. “Workloads that are highly sensitive to latency, such as multiplayer game servers, cannot tolerate such short burst UDP attacks. Outages of just a couple seconds can impact competitive matches, and outages lasting more than 10 seconds typically will end a match,” Toh explains.

    The gaming industry has been hit with multiple DDoS attacks this year affecting Titanfall, Escape from Tarkov, Dead by Daylight, and Final Fantasy, Microsoft notes. Voice over IP (VoIP) service providers were another heavily targeted group for DDoS attacks. The two other December attacks exceeding 2.5 Tbps were UDP attacks. One was a UDP attack on ports 80 and 443 in Asia that lasted 15 minutes with four main peaks, at 3.25 Tbps, 2.54 Tbps, and 0.59 Tbps, and a final peak at 1.25 Tbps. The other attack lasted just five minutes and was a 2.55 Tbps UDP flood on port 443 with one single peak, Toh notes. Some 55% of DDoS attacks relied on UDP spoofing in 2021, and it became the main vector in the second half of 2021. The US was the target of 54% of DDoS attacks, followed by 23% of attacks targeting India. DDoS activity in Europe, however, dropped from 19% in the first half of 2021 to just 6% in the second half, putting it behind East Asia, which was the target of 8% of DDoS attacks. Last year’s 2.4 Tbps attack was aimed at European Azure cloud users. Again, gaming adoption in East Asia made it a popular target.
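    The reflection pattern described above has a recognisable signature from the victim’s side: many unrelated hosts all sending large UDP responses from the same well-known service port (NTP, SSDP, memcached, DNS) to one destination that never asked for them. The script below is an added example, written for this page and not code from Microsoft, Azure or ZDNet, that runs that detection logic over a handful of constructed flow records (the `src:port > dst:port pkts bytes` line format, the IP addresses and the thresholds are all assumptions for the illustration). It groups inbound flows by victim and reflector service and flags groups where several distinct sources converge with an unusually large average packet size.

```python
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors. The article names SSDP, memcached
# and NTP; DNS is included as another widely documented amplifier.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    bytes: int


def parse_flows(text):
    """Parse constructed flow summaries, one per line: 'src:port > dst:port pkts bytes'."""
    flows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != ">":
            continue  # skip anything that is not in the assumed record format
        src_ip, src_port = parts[0].rsplit(":", 1)
        dst_ip, dst_port = parts[2].rsplit(":", 1)
        flows.append(Flow(src_ip, int(src_port), dst_ip, int(dst_port),
                          int(parts[3]), int(parts[4])))
    return flows


def detect_reflection(flows, min_sources=3, min_avg_bytes=400):
    """Flag (victim, service) groups that look like reflected amplification traffic.

    A group is suspicious when at least `min_sources` distinct hosts send traffic
    from the same reflector service port to one destination and the average
    packet size is at or above `min_avg_bytes` (legitimate NTP/DNS replies are
    usually far smaller than amplified ones). Thresholds are assumed values.
    """
    groups = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f.src_port not in REFLECTOR_PORTS:
            continue  # only responses from known reflector services are of interest
        g = groups[(f.dst_ip, f.src_port)]
        g["sources"].add(f.src_ip)
        g["packets"] += f.packets
        g["bytes"] += f.bytes

    alerts = []
    for (victim, port), g in sorted(groups.items()):
        avg = g["bytes"] / g["packets"]
        if len(g["sources"]) >= min_sources and avg >= min_avg_bytes:
            alerts.append({
                "victim": victim,
                "service": REFLECTOR_PORTS[port],
                "sources": len(g["sources"]),
                "avg_packet_bytes": round(avg),
                "total_bytes": g["bytes"],
            })
    return alerts


# Constructed sample: four memcached reflectors and three NTP reflectors hitting
# 203.0.113.10, plus one ordinary DNS reply and one non-reflector flow elsewhere.
SAMPLE_FLOWS = """
198.51.100.1:11211 > 203.0.113.10:44321 100 140000
198.51.100.2:11211 > 203.0.113.10:44321 120 168000
198.51.100.3:11211 > 203.0.113.10:44321 80 112000
198.51.100.4:11211 > 203.0.113.10:44321 100 140000
192.0.2.10:123 > 203.0.113.10:44321 50 24000
192.0.2.11:123 > 203.0.113.10:44321 50 24000
192.0.2.12:123 > 203.0.113.10:44321 50 24000
192.0.2.53:53 > 203.0.113.20:51000 2 200
198.51.100.9:443 > 203.0.113.20:52000 30 30000
"""


def run_sample():
    """Run the detector over the constructed flows and return the alerts."""
    return detect_reflection(parse_flows(SAMPLE_FLOWS))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

    On the sample data this reports two alerts for 203.0.113.10, an NTP group (3 sources, 480-byte average packets) and a memcached group (4 sources, 1,400-byte average packets), while the single small DNS reply and the HTTPS flow are ignored. In a real deployment the flow records would come from NetFlow/sFlow or packet captures at the network edge, and the thresholds would be tuned against the normal traffic of the protected service.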

  • Get lifetime subscriptions to two apps that will keep your data safe online for $30

    StackCommerce

    Your data is not only in danger when you go online. It’s also at risk from hackers who can crack your passwords by using social engineering. So it’s absolutely necessary that you provide yourself with the strongest protection possible against both, and that’s exactly what The Lifetime Password Manager & Privacy Subscription Bundle offers.

    This deal comes with a lifetime subscription to KeepSolid’s VPN Unlimited, which is arguably the best service you could use to stay safe online. In addition to a zero-log policy, military-grade encryption and a kill switch, you have no limits on speed or bandwidth. With access to more than 400 blazing-fast servers in over 80 locations, you don’t have to worry about being prevented from watching your favorite content because of your location.

    But KeepSolid offers even more convenience with 24/7 customer service, as well as features such as Favorite Servers, Ping Tests, Trusted Networks and a whole lot more. Even better, all of this is available for as many as five of your devices. As VPN Special observes, “KeepSolid VPN Unlimited offers amazing services and its advanced features make it a solid VPN service provider.”

    Of course, as mentioned above, you still have to deal with protecting your passwords. Sticky Password Premium allows you to securely keep all of your passwords together, either on local storage or in the cloud, where you can access them with one master password. But the app can also automatically generate unique, encrypted passwords so that you won’t share the same one across multiple accounts.

    Sticky Password also lets you store other pieces of personal information, which you can use to fill out forms instantly. Although supremely secure, Sticky Password is easy to use, and it even lets you share passwords with others if necessary.

    Don’t pass up this opportunity to have maximum protection for your data. Get The Lifetime Password Manager & Privacy Subscription Bundle while it’s on sale for only $29.99. Prices are subject to change.


  • Prepare for CompTIA exams and refresh your resume with this $30 training bundle

    StackCommerce

    If you’re disappointed with the way your tech career is progressing, it may be because your resume doesn’t have all of the certifications that employers are looking for. One way to turn recruiters’ heads is by earning a CompTIA certification, but you’ll need to pass the vendor’s exams to do so. The 2022 Complete CompTIA Exam Certification Labs & PBQs Training Bundle contains prep material that can help you earn them for $29.99.

    These DojoLab courses include Performance-based Questions (PBQs) and labs that follow CompTIA’s exam curriculum. There are no lectures, but they give you a chance to practice your existing skills and become familiar with the type of questions you’ll face during the exams. You also get to be part of a community of fellow IT students and subject matter experts.

    “CompTIA A+ (220-1001)” prepares you for an entry-level certification that validates your ability to use the latest technology to support IT infrastructure at the enterprise level. “CompTIA A+ (220-1002)” covers Core 2, which includes the configuration and installation of operating systems, operational procedures, software troubleshooting, expanded security and more.

    You can refresh your knowledge of network architecture and validate your skills in deploying networks with “CompTIA Network+ (N10-007 & N10-008)”. The certification you can earn with “CompTIA Linux+ (XK0-004)” not only demonstrates your knowledge of all major Linux distributions but also advances your progress toward the advanced certifications.

    Cybersecurity skills are in great demand, so you definitely want yours certified in order to stand out among the competition when applying for the best jobs. “CompTIA Security+ (SY0-601)” will help you earn the certification of baseline skills that are required for core security functions.

    Don’t pass up this chance to learn what you need to know in order to pass your CompTIA exams on your first try. Get lifetime access to the 2022 Complete CompTIA Exam Certification Labs & PBQs Training Bundle while it’s on sale for only $29.99. Prices are subject to change.


  • QNAP users still struggling with Deadbolt ransomware after forced firmware updates

    QNAP Network Attached Storage (NAS) device users are still struggling to address a range of issues connected to the Deadbolt ransomware, which began infecting devices earlier this week. On Tuesday, QNAP NAS users flocked to Reddit and QNAP forums to report ransomware infections. Censys reported that of the 130,000 QNAP NAS devices it observed, 4,988 services “exhibited the telltale signs of this specific piece of ransomware.”

    On Friday afternoon, Censys updated its report, telling ZDNet that overnight, the number of exposed and ransomware-infected devices went down by 1,061 to 3,927.

    [Image: A map of the infected devices around the world. Credit: Censys]

    “Why this went down could be for any number of reasons, we’re still investigating to see if we can pinpoint the reasoning behind this,” a Censys spokesperson said, theorizing that the decrease could be attributed to a forced update from QNAP. On Wednesday, QNAP initially urged users to update to the latest version of QTS, the Linux-based operating system developed by the Taiwanese company to run on its devices. But Malwarebytes said QNAP pushed out an automatic, forced firmware update on Thursday containing the latest security updates. “Later that day, QNAP took more drastic action and force-updated the firmware for all customers’ NAS devices to version 5.0.0.1891, the latest universal firmware which has been available since December 23rd, 2021,” Malwarebytes explained.

    “As you might expect after a forced update, a number of unexpected side-effects arose… The firmware update removed the ransomware executable and the ransom screen used to initiate decryption, which apparently caused some victims who had paid the ransom to be unable to proceed with decrypting the files after the update.”


    QNAP responded to the controversy over the forced update on Reddit. A company representative explained why they decided to force the update, noting that it had been urging users to update their systems since January 7. “In QTS there was a message in control panel/auto-update that ‘QTS/QuTS hero will enable recommended version update soon to protect nas from deadbolt.’ But I think a lot of people did not see that message. We are trying to increase protection against deadbolt. If recommended update is enabled under auto-update, then as soon as we have a security patch, it can be applied right away,” the company spokesperson said.

    The message drew several furious responses from people who said the forced update caused a number of downstream issues. Others said it was concerning that the company had a backdoor into their systems, while some said the forced update did little to actually address the issues of people who had already been infected with Deadbolt. Even with the update, at least one user confirmed getting hit with Deadbolt while using 5.0.0.1891 build 20211221 on a tvs-1282t3. QNAP would not confirm or deny that there was another vulnerability being exploited, according to Bleeping Computer.

    Recorded Future ransomware expert Allan Liska said this kind of specialty ransomware is very hard to defend against and commended QNAP for releasing a detailed guide to securing the appliance earlier this month. “It is difficult to defend against because the device is controlled by the manufacturer. Unless you are a company with the resources to enable compensating controls, you are largely at the mercy of the vendor,” Liska said. “For most IoT devices, this doesn’t matter too much. If someone launches a ransomware attack against my lightbulbs, I can just reset and go on with my life. But when those IoT devices hold all of your data, it is a very different matter.”

    Decryptor issues

    Security company Emsisoft released its own version of a decryptor after several victims reported having issues with the decryptor they received after paying a ransom. Some users even said they never got a decryptor after paying the ransom, while others said the decryptor malfunctioned. Unfortunately, Emsisoft’s decryptor requires users to have already paid the ransom and received the decryption keys from the Deadbolt ransomware operators. Deadbolt’s ransom note says victims need to pay 0.03 BTC (equivalent to USD 1,100) to unlock their hacked device and that it “is not a personal attack.” The attackers also offered to give QNAP a universal decryptor for 50 BTC.

    Emsisoft’s Brett Callow told ZDNet that the situation was similar to REvil’s attack on Kaseya in that, in both cases, the threat actor asked for relatively small payments from individual victims as well as providing the company with an option to settle for a much larger sum on behalf of their affected customers. “The strategy makes sense as it increases the likelihood of the attack being monetized. Users who paid the demand experienced problems after QNAP’s forced update reportedly removed the ransomware executable making decryption impossible. That’s one of the reasons we released the decryptor,” Callow said.

    Liska said ransomware groups are notorious for providing poor decryption software and noted that it is not uncommon for incident response teams to take the key given by the ransomware group and ignore the decryption code. “The reason for Emsisoft to release a decryptor is to make sure victims have something they know will work once they get the key,” Liska explained.

    Liska also slammed the people behind the attack, questioning their insistence that the attack wasn’t “personal.” “It is a personal attack. People often have their digital lives stored on these devices. Whether it is photos, work, the book they have been writing, or the program they have been developing, this stuff is important to them. And the attackers just took that away from them,” Liska added. “The attacker can dress it up as ‘poor vendor security’ all they want, but it is just a sign they are shitty people that have no regard for their fellow human beings.”

  • LockBit gang claims it stole data from French Ministry of Justice

    The French government is investigating claims from the LockBit ransomware gang that data was stolen from the Ministry of Justice. “The French Ministry of Justice is aware of the alert and has immediately taken actions to proceed to the needed verifications, in collaboration with the competent services in this field,” a government spokesperson told ZDNet.


    The Ministry of Justice was added to the LockBit leak site alongside data from dozens of European companies and towns, including the French city of Saint-Cloud. LockBit has become well-known for overstating claims of data theft. It has been repeatedly caught adding the names of companies and organizations to its site with no files to show for it.

    While the claims of an attack on the Ministry of Justice are being investigated, LeMagIT did report this week that the city of Saint-Cloud confirmed it dealt with some kind of cyberattack. SecurityWeek’s Eduard Kovacs was one of the first to report that LockBit 2.0 had added the French Ministry of Justice to its leak site and was threatening to leak documents by February 10. Local journalists later said sources at the Ministry of Justice confirmed the attack but questioned the scope of the incident considering LockBit was only advertising about 8,000 files.

    Trend Micro revealed this week that LockBit now has additional Linux and VMware ESXi variants that have been spotted actively targeting organizations in recent months. The company noted that a number of other ransomware families have been shifting their efforts to target and encrypt Linux hosts, such as ESXi servers, but that the LockBit move was concerning because of the popularity of LockBit’s ransomware-as-a-service offering.

  • Google unveils differential privacy tool for Python developers processing data

    On Friday, Google debuted a new product developed with OpenMined that allows any Python developer to process data with differential privacy. The two have been working on the project for a year, and Google said the freely available privacy infrastructure will help millions in “the global developer community — researchers, governments, nonprofits, businesses and more — build and launch new applications for differential privacy, which can provide useful insights and services without revealing any information about individuals.”

    Google began its differential privacy efforts in 2019 and got significant interest in it, prompting them to launch the new open source differential privacy product in Python. Google’s work with OpenMined included efforts to train third-party experts to educate anyone who wants to learn how to leverage differential privacy tech.

    Google privacy and data protection office product manager Miguel Guevara told ZDNet that they reached out to OpenMined last year to surface the idea of building this Python product, with the goal of making it the most usable end-to-end differential privacy solution freely available. They immediately jumped onboard, Guevara added. “It’s been a truly amazing experience to work collectively with OpenMined towards building a more private Internet. The energy that their developers had through this journey over the past year demonstrated the appetite there is for expanding access to these privacy-enhancing technologies that we believe will play a critical role in the future of the web for every user,” Guevara said. “Beyond the joint work our engineers did for the design and implementation of the library, we’re also thrilled that OpenMined now offers trained experts to provide guidance and resources for any developer looking to implement differential privacy in their projects.”

    Google initially launched an open-sourced version of its foundational differential privacy library in C++, Java, and Go in 2019. Developers immediately took to the project, wanting to use the library for their own applications.

    Google noted that startups like Arkhn have used it to help hospitals share data, and Australian researchers use it for a variety of scientific studies. “We are also releasing a new differential privacy tool that allows practitioners to visualize and better tune the parameters used to produce differentially private information,” Guevara said. “Finally, we are also publishing a paper sharing the techniques that we use to efficiently scale differential privacy to datasets of a petabyte or more.”

    Guevara urged researchers and developers to use the tool and provide feedback, noting that Google would continue “investing in democratizing access to critical privacy enhancing technologies.”