More stories

  • What this billion-dollar “robocorn” says about e-commerce
    Pioneering “micro-fulfillment” company Fabric, which has been something of a darling among investors, just passed an important milestone with a valuation that exceeds a billion dollars. The company uses robots and geographically strategic fulfillment centers to get products to customers in a hurry, as quickly as one hour after an e-commerce order is placed.

    Is the company the future of fulfillment in a world that has so far been dominated by Amazon? Investors certainly seem to think so. The company has netted a whopping $336 million in total funding on the promise of democratizing fast fulfillment.

    The reason for the investor enthusiasm is readily apparent. This year saw e-commerce sales penetration more than double to 35%, fueled by the COVID-19 pandemic’s acceleration of existing online shopping trends. The same-day delivery market in the US is poised to grow by $9.82 billion over the next four years. Meanwhile, supply chain catastrophes and strained fulfillment capacity have created a bottleneck. Fabric thinks it can solve the problem with a fully integrated micro-fulfillment process powered by AI and robots.

    “At the center of this perfect storm of e-commerce is Fabric and our ability to enable on-demand retail at profitable unit economics,” says Elram Goren, Fabric CEO and co-founder. “We see this milestone as a real turning point in the industry, from what was once intrepid exploration of micro-fulfillment to total market validation and now rapid expansion.”

    The recipe to democratize the last-mile logistics sector, according to Fabric, is a blend of high-tech fulfillment robots and smaller-than-average fulfillment centers located in urban zones close to customers. The idea is that the physical remoteness of typical logistics facilities prevents most retailers from offering true on-demand delivery outside select major metropolitan markets. But by harnessing networks of tiny automated hubs, micro-fulfillment could let retailers store their goods in the hearts of cities while still benefiting from the efficiency of automation.

    A couple of years ago, Fabric (then CommonSense Robotics) proved the concept with its first one-hour fulfillment delivery, made in partnership with Super-Pharm, an Israeli health and beauty retailer. Fabric runs micro-fulfillment operations for grocery and general merchandise retailers in New York City, Washington, DC, and Tel Aviv. The company recently announced major partnerships with Walmart, Instacart, and FreshDirect. It’s no surprise that all of those companies are competitors of the many-headed Bezos hydra. There seems to be a clear recognition within the retail space that Amazon’s shrewd move to corner the logistics market can’t be replicated or challenged by any one retailer. Smaller enterprises have a unique opportunity to create their own logistics operations and compete on customization and customer experience, which is what startup PetFriendly has done. But players like Walmart, which aren’t able to compete on customization, need massive fulfillment technology infrastructure, and it’s far more attractive to team up with a technology-focused service provider than to build that infrastructure from scratch, a risky bet.

    Investors have responded favorably to Fabric’s position in the marketplace. The latest $200 million Series C funding round was led by existing investor Temasek, with participation from Koch Disruptive Technologies, Union Tech Ventures, Harel Insurance & Finance, Pontifax Global Food and Agriculture Technology Fund (Pontifax AgTech), Canada Pension Plan Investment Board (CPP Investments), KSH Capital, Princeville Capital, Wharton Equity Ventures, and others.

    “We believe the movement to local fulfillment presents an opportunity to make retail and e-commerce more sustainable, and we’re thrilled to partner with the leader in micro-fulfillment to make this vision a reality,” says Eric Kosmowski, Managing Partner at the Princeville Climate Technology Fund. “By leveraging existing real estate with a small footprint in close proximity to end consumers, utilizing more sustainable packing materials, and minimizing shrink and waste through smart inventory management, Fabric’s micro-fulfillment centers could lower last-mile emissions significantly.”

  • BlackMatter ransomware to shut down, affiliates transferring victims to LockBit

    In messages obtained by a member of the vx-underground group, the prolific BlackMatter ransomware group has said it is closing shop due to increased law enforcement pressure. The group, which hawks a rebranded version of the DarkSide ransomware used in the attack on Colonial Pipeline earlier this year, posted a message on its private ransomware-as-a-service site on November 1 saying some members of the gang are “no longer available” after “the latest news.”

    “Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) — project is closed,” the group wrote. “After 48 hours the entire infrastructure will be turned off, allowing: Issue mail to companies for further communication [and] Get decryptor. For this write ‘give a decryptor’ inside the company chat, where necessary. We wish you all success, we were glad to work.”

    While the group did not explain what it meant by “the latest news,” there are a variety of stories tied to the gang’s activities over the last two months. After closing shop due to law enforcement scrutiny following the attack on Colonial Pipeline in May, the group re-emerged in July under the “BlackMatter” banner. It attacked dozens of companies, and CISA identified the group as the perpetrator of multiple attacks on agriculture companies ahead of harvests. Last week, Emsisoft CTO Fabian Wosar revealed that his company had discovered a flaw in the BlackMatter ransomware that allowed it to help victims recover all of their files. The group eventually figured it out and released an updated version of its malware, but Wosar hinted that Emsisoft had been working with law enforcement agencies and others to help victims.

    On Wednesday, the Washington Post reported that US Cyber Command and a foreign government were responsible for the disruption of the REvil ransomware group. Chats from REvil actors seen by the newspaper indicate the group’s leaders were spooked once they realized law enforcement entities were inside their systems, and shut down operations for the second time this year. Police in a Europol-coordinated operation also arrested members of the Ukrainian group behind the MegaCortex, Dharma and LockerGoga ransomware families. The twelve people arrested allegedly carried out more than 1,800 ransomware attacks on critical infrastructure and large organisations around the world.

    The immense pressure now facing ransomware groups was noted by General Paul Nakasone, head of US Cyber Command, during a speech at the Aspen Security Forum on Wednesday. “I’m pleased with the progress we’ve made,” he said, “and we’ve got a lot more to do.”

    Bleeping Computer reported on Wednesday afternoon that BlackMatter operators have already begun moving victims over to the LockBit ransomware site so that they can continue negotiating ransoms. The group is also pulling cryptocurrency out of the Exploit hacking forum and deactivating accounts, according to Bleeping Computer.

    Most experts were quick to note that ransomware groups have made it standard practice to close shop and reorganize under a new name. Multiple groups have done it, some more than once, as soon as law enforcement pressure becomes too much to handle. Xue Yin Peh, senior cyber threat intelligence analyst at Digital Shadows, said DarkSide, Avaddon and Egregor are just some examples of groups that folded their operations following the after-effects of a prominent attack.

    “Although BlackMatter’s announcement would suggest a halt in operations, if we consider previous events, there are a few possibilities as to the future of BlackMatter: members or affiliates lie low for a period of time, staying inactive while taking a break from ransomware activities, and members or affiliates are absorbed into the ransomware-as-a-service programs of other groups,” Yin Peh said. “Or, BlackMatter will rebrand into a new program under another name. Given how highly lucrative ransomware operations are, it is unlikely that those behind BlackMatter will cease operations entirely. An eventual rebranding seems more probable, but how soon this will happen remains to be seen. With law enforcement hot on their heels, it is more likely that BlackMatter will take their time to let the law enforcement dust settle, re-develop their tools, and then re-emerge with a new and improved payload.”

    Picus Security’s Dr. Süleyman Özarslan noted that ransomware gangs typically rebrand in six-month cycles.

    Other experts, like BreachQuest CTO Jake Williams, said better backups and other preparation by victims were decreasing ransom payment rates in some instances, forcing ransomware groups to rely increasingly on double extortion to regain leverage.

    “The creation of the data exfiltration tool shows that groups are not only worried about standardizing their encryption operations, but also their extortion operations. The mere existence of the tool shows how important the double extortion process has become for operators,” Williams said. “At this point it’s not clear whether core group members are ‘unavailable’ because they are in custody or have simply decided the stakes are too high to continue operations. But the note specifically mentions local law enforcement pressure, and that’s a sign that saber rattling appears to be helping. But we shouldn’t forget that due to a bug in BlackMatter ransomware, operators and affiliates lost millions in ransom payments in the last month. This was already hurting relationships with affiliates. It’s not hard to imagine, given the strained operations model, that it might not take much pressure from authorities for core BlackMatter members to hang up their hats.”

  • Brazilians resigned to remote work monitoring

    Brazilian workers have come to terms with the lack of privacy at work and are open to being monitored by their employers, but insufficient knowledge of security issues could endanger companies, a new study has found. According to a Unisys survey of 11,000 consumers across 11 countries, 87% of the 1,000 Brazilians polled said they are comfortable with being monitored remotely by the companies they work for. More than half of the respondents (52%) are comfortable with their employers tracking their computer access time through login and logout events, a 12-percentage-point increase over the global average of 40%. In addition, 65% of Brazilians say they feel responsible for the security of their data.

    On the other hand, the study points to a lack of awareness about security issues, which could pose a risk to employers as organizations move towards hybrid working approaches, whereby employees divide their time between the office and home. Only a third of those polled claim to be familiar with the threat of SIM jacking (also known as SIM swapping), a scam in which criminals transfer the victim’s phone number to a device they control, typically to intercept SMS one-time passcodes. As for smishing, whereby scammers send SMS messages asking for personal or financial information, about six in 10 Brazilians (59%) say they are not aware of the threat. In addition, 76% of those polled do not know which institutions to report scams to if they are targeted by cybercriminals.

    The findings emerge in a context of growing concern among Brazilians about cybersecurity. According to the Unisys report, Brazil ranks third among the countries where concerns about online security are highest, after Colombia and Mexico. About 75% of those polled said they are afraid of clicking on suspicious links.

    In September, the Brazilian banking sector and the Ministry of Justice started discussions around the creation of a national strategy to tackle cybercrime. The vision outlined by the banks includes the development of public awareness campaigns on cyber risks and fraud.

  • Commerce Dept sanctions NSO Group, Positive Technologies and more for selling spyware and hacking tools

    The US Commerce Department has added four cybersecurity companies to its Entity List for allegedly selling spyware and other hacking tools to repressive foreign governments. Entity List designation is an export-control restriction administered by the department’s Bureau of Industry and Security (BIS), distinct from the financial sanctions imposed by the Treasury Department. BIS added Israeli companies NSO Group and Candiru as well as Russia-based Positive Technologies and Singapore-based Computer Security Initiative Consultancy (COSEINC) to the list “for engaging in activities that are contrary to the national security or foreign policy interests of the United States.”

    The US said NSO Group and Candiru were added because officials had found “evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.” The Commerce Department noted that the governments given these tools repressed people beyond their own borders, explaining that some authoritarian governments target “dissidents, journalists and activists outside of their sovereign borders to silence dissent.”

    Positive Technologies and COSEINC are accused of trafficking “in cyber tools used to gain unauthorized access to information systems, threatening the privacy and security of individuals and organizations worldwide.”

    “The United States is committed to aggressively using export controls to hold companies accountable that develop, traffic, or use technologies to conduct malicious activities that threaten the cybersecurity of members of civil society, dissidents, government officials, and organizations here and abroad,” said US Secretary of Commerce Gina Raimondo. The decision was made in coordination with the Defense, State, Treasury and Energy Departments.

    Officials said the Entity List restricts the export of items covered by the Export Administration Regulations (EAR), specifically the “export, reexport, and in-country transfer of items subject to the EAR to persons (individuals, organizations, companies) reasonably believed to be involved, have been involved, or pose a significant risk of being or becoming involved, in activities contrary to the national security or foreign policy interests of the United States.” No license exceptions are available for exports, reexports, or in-country transfers to the entities being added, the Commerce Department said. In practice, US suppliers can no longer lawfully ship these companies EAR-controlled hardware, software or technology without a BIS license.

    NSO Group became infamous for a series of global scandals earlier this year involving its Pegasus spyware. Citizen Lab and dozens of researchers revealed that the spyware was being used widely by government clients, dictators among them, to spy on prime ministers, diplomats, journalists and human rights activists. One dictator even used it to spy on his ex-wife and her lawyers. The company denied the allegations in a statement to The New York Times, claiming its “technologies support US national security interests and policies by preventing terrorism and crime, and thus we will advocate for this decision to be reversed.”

    Positive Technologies has long been accused of providing hacking tools and support to the Russian government’s intelligence services. The $1 billion cybersecurity company was sanctioned in April by the Treasury Department for providing computer network security solutions to the FSB and GRU as well as Russian businesses, foreign governments and international companies. The company even hosts “large-scale conventions that are used as recruiting events for the FSB and GRU,” according to Treasury. Despite its ties to Russian intelligence, the company nearly went public this year and was valued at $2.5 billion thanks to ties to Samsung, Microsoft and IBM, according to Forbes.

    Haaretz reported in 2019 that the secretive Candiru specialized in hacking computers and servers. The news outlet said Isaac Zack founded the company and was also involved in the founding of NSO Group. Both Microsoft and Citizen Lab published reports in July on DevilsTongue, spyware created by Candiru. According to The Record, COSEINC has ties to Pwn0rama, an exploit acquisition program.

    “This effort is aimed at improving citizens’ digital security, combatting cyber threats, and mitigating unlawful surveillance and follows a recent interim final rule released by the Commerce Department establishing controls on the export, reexport, or in-country transfer of certain items that can be used for malicious cyber activities,” the Commerce Department said in a statement.

    BreachQuest CTO Jake Williams told ZDNet that each of the additions to the Entity List is interesting in its own right, but the most significant in his eyes was NSO Group. While NSO tried to spin its software as being used for legitimate purposes, it’s clear that it has been used repeatedly to target journalists, activists, and government officials, Williams explained.

    “It isn’t just the targeting of these individuals that got NSO in hot water, it’s that entities unfriendly to the US used NSO tools to target friendly journalists, activists, etc. That’s never a winning business plan,” Williams said, adding that COSEINC and Positive Technologies “are perhaps more academically interesting.”

    “While Positive Technologies (a Russian company) isn’t a surprise to see on this list, COSEINC (a Singapore company) is. COSEINC has largely flown under the public radar before today, though prior reporting from Joseph Cox of Motherboard/VICE identified the firm as a zero-day vendor in 2018. It appears likely that COSEINC was found to be selling exploits or collaborating with foreign intelligence organizations or cybercriminals to have gained such a designation on the Entity List.”

    Oliver Tavakoli, CTO at Vectra, said the listings “mostly represent a speed bump for these companies,” considering that the murky business of supplying offensive cyber capabilities to governments across the world invariably leads these companies to make judgments on what constitutes “appropriate use” of the technologies and whether their clients can be trusted to honor the spirit of constraints written into contracts, constraints often expressed in vague terms referring to “threats” and “security.”

    “It’s pretty clear that most governments ignore those constraints and do what they believe to be in the self-interest of the government and its current leader, though the companies can then claim plausible deniability,” Tavakoli said.

  • CISA issues directive forcing federal civilian agencies to fix 306 vulnerabilities

    CISA issued a new directive on Wednesday that requires federal civilian agencies to remediate 306 vulnerabilities known to be exploited in attacks. CISA officials emphasized that the accompanying Known Exploited Vulnerabilities catalog is focused on vulnerabilities they said are “causing harm now” but will also serve as a running list of prioritized vulnerabilities based on their evolving understanding of adversary activity. Each vulnerability carries its own remediation due date, with some due by November 17 and others set for May 3, 2022.

    Binding Operational Directive (BOD) 22-01, titled “Reducing the Significant Risk of Known Exploited Vulnerabilities,” applies to all software and hardware found on federal information systems, according to the release. That includes vulnerabilities affecting both internet-facing and non-internet-facing assets, whether managed on an agency’s premises or hosted by third parties on an agency’s behalf.

    CISA urged private businesses and state, local, tribal and territorial governments to address the vulnerabilities in the list as well, and to sign up for notifications when new vulnerabilities are added. CISA Director Jen Easterly said that while the directive only applies to federal civilian agencies, all organizations should “prioritize mitigating vulnerabilities listed on our public catalog, which are being actively used to exploit public and private organizations.”

    “Every day, our adversaries are using known vulnerabilities to target federal agencies. As the operational lead for federal cybersecurity, we are using our directive authority to drive cybersecurity efforts toward mitigation of those specific vulnerabilities that we know to be actively used by malicious cyber actors,” Easterly said. “The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber attacks. While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities.”

    CISA noted that more than 18,000 vulnerabilities were disclosed in 2020 alone, making it nearly impossible for organizations to keep up with all of them; prioritizing by evidence of active exploitation rather than by CVSS score alone is the directive’s answer. The problem is exacerbated by the fact that most organizations have small IT teams ill-equipped to handle attacks by veteran cybercriminals or nation-states. The list features vulnerabilities from dozens of the largest technology companies, ranging from IBM, Oracle and Cisco to Apple, Microsoft, Adobe and Google.

    Rep. Jim Langevin, co-chair of the House Cybersecurity Caucus, said the directive would “go a long way towards strengthening network security and improving our federal cyber hygiene.” He noted that President Biden’s Cybersecurity Executive Order “includes important elements on Zero Trust, and CISA’s BOD is in line with that philosophy of not only looking at perimeter defense.”

    Ray Kelly, principal security engineer at NTT Application Security, said the catalog was ideal because it could be turned into an actionable list of tasks that can be tracked and verified by different departments. “Looking at the provided vulnerability catalog, it appears like a good mix of critical vulnerabilities that covers software, firmware and mobile devices,” Kelly said. “However, while there is good coverage of high impact vulnerabilities being addressed, it’s important to note that this doesn’t mean continuous assessments and vulnerability analysis should be stopped. Malicious actors will always be looking to take advantage of the next security gap in any organization.”

    While experts lauded the effort behind the directive, some said there are complex reasons why some things are not always patched. Chris Grove, chief security strategist at Nozomi Networks, works in the critical infrastructure arena and said that while the directive showed a “progressive approach to securing federal agencies in the next few months,” it could not be applied wholesale to critical infrastructure systems.

    “There are often legitimate reasons why things are not patched within many critical infrastructure environments. Most notably many turnkey ICS equipment vendors embed technologies within their product, which if forced to implement a patch could break the equipment,” Grove said. “In some of these cases, an update or patch may void the warranty and violate the manufacturer’s terms and conditions. Also, some updates require maintenance windows and planned outages. Many ICS entities only schedule downtime every 3-4 years. It’s impossible for them to keep up with patching.”

    Critical Insight CISO Mike Hamilton told ZDNet that what stood out most to him were the vulnerabilities that did not appear to be of high severity. The directive makes it clear that vulnerabilities rated medium and low can be “chained,” and that low-severity issues cannot be ignored, Hamilton explained.

    “By setting this example for federal agencies and making the catalog widely available, there should be a knock-on effect in the private sector – both with receiving the message that low severity vulnerabilities must be managed, and by providing an explicit list of those known to be useful in exploit chaining,” Hamilton said. “A logical next step may be active scanning for vulnerable systems in the private sector — starting with critical infrastructure providers — and providing notifications for vulnerable exposures.”

  • Privacy predictions for Europe in 2022

    Here are some of Forrester’s most important predictions that will impact European privacy leaders’ planning for 2022.

    Employee backlash will grow as more employers monitor productivity

    In October 2020, almost one in three European employees said that their employers used software to monitor their productivity while working from home. Today, as companies launch new flexible work policies, software that allows employers to monitor employees’ productivity is gaining popularity worldwide. Companies that choose to deploy this technology today must prepare to manage the consequences in the next 12 months.

    Privacy regulators are already acting, and more action will happen in 2022

    According to the GDPR enforcement tracker, fines and penalties for violations of employees’ privacy rank in the top five by total value. Among the top 10 single highest fines issued so far, violations of employee privacy account for two. Regulators are investigating a variety of employee surveillance methods. In the case of retailer H&M, the regulator found that the employer systematically built and kept excessive and overly exposed records concerning employees’ personal and professional lives. In the case of notebooksbilliger.de, the regulator concluded that the company recorded video of its employees for an extended period without an appropriate legal basis. In the case of IKEA Retail France, the company’s former CEO was given a suspended two-year prison sentence as part of the investigation into the brand for excessive and unlawful staff surveillance and data collection. Tattleware has become the newest method of employee monitoring. Regulators, take note.

    Employees will increasingly feel mistrusted and concerned

    Employee backlash will grow as employers attempt to monitor how often employees click, what they click on, and when they are facing their computers. Underestimating employees’ privacy attitudes is a mistake. When it comes to sharing their personal data, our research shows that over 40% of employees across the UK, France, and Germany are comfortable sharing with their employer only the minimum required by law. The same proportion of French employees worry that their employer is collecting too much of their personal information. And a staggering 57% of French, 46% of UK, and 44% of German employees wish that they had a higher degree of privacy protection in the workplace. Finally, if their employer breached their trust, employees described their feelings as “betrayed” and “upset.”

    Tattleware adoption will degrade the employee experience, productivity, and security

    Feelings of betrayal and mistrust will have a negative impact on employees’ loyalty, engagement, and experience. That is an enormous risk, but it is not the only one organizations face. Without adequate communication and transparent approaches, negative employee sentiment might also extend to other forms of workforce monitoring that have nothing to do with tattleware, such as insider threat programs. These programs, typically run by security teams to prevent exfiltration of sensitive data, which often happens because of well-intentioned employees’ mistakes, will become more difficult to justify and adopt. Forrester predicts that, in response to increased regulatory scrutiny and more intense employee backlash against workforce monitoring, CISOs will reduce the scope of their insider threat programs, with adverse results: it will increase the company’s risk of insiders stealing data.

    Privacy, security, and employee experience professionals must act now to prevent business damage

    Privacy execs, CISOs, HR, and CIOs must join forces to ensure their workforce monitoring programs don’t damage their organization or their workforce’s productivity and engagement. They must strengthen the governance of their workforce monitoring activities, making sure they put in place clear and transparent communication with their employees, choose approaches that are never excessive or disproportionate, and ensure that they have an adequate legal basis in place before deploying any workforce monitoring technology. They must also work to educate their organization about the benefits of the program and ensure that employees understand the boundaries in place that prevent the disproportionate collecting, processing, and sharing of employees’ personal data.

    To understand all the major dynamics that will impact European businesses next year, visit Forrester’s Predictions 2022 hub. This post was written by Principal Analyst Enza Iannopollo and originally appeared on Forrester’s site.

  • Almost half of rootkits are used for cyberattacks against government organizations

    Research into how rootkits are used by cybercriminals has revealed that close to half of campaigns are focused on compromising government systems. 

    On Wednesday, Positive Technologies released a report on the evolution and application of rootkits in cyberattacks, noting that 77% of rootkits are utilized for cyberespionage. Rootkits are used to obtain privileges in an infected system, either at the kernel level or based on user modes, the latter of which is used by many software applications. Some rootkits may also combine both capabilities.  Once a rootkit has hooked into a machine, it may be used to hijack a PC, intercept system calls, replace software and processes, and they may also be part of a wider exploit kit containing other modules such as keyloggers, data theft malware, and cryptocurrency miners — with the rootkit set to disguise malicious activity.  However, rootkits are difficult to develop and may take both time and expense to do so — and as a result, the majority of rootkit-based attacks are linked to advanced persistent threat (APT) groups that have the resources and skill to develop this form of malware.  The researchers’ analysis sample was made up of 16 malware types; 38% being kernel-mode rootkits, 31% user-mode, and 31% combination-type rootkits. The majority of which in use today are designed to attack Windows systems.  According to Positive Technologies, there appears to be a general trend to user-mode rootkits in the exploit industry due to the difficulty of creating kernel-mode variants, and despite improvements in defense against rootkits in modern machines, they are often still successful in cyberattacks. 

    “It takes a lot of time to develop or modify such a rootkit, and this can make working to time constraints difficult; you must be quick to exploit a vulnerability in a company’s perimeter before it is noticed and security updates are installed, or another group takes advantage of it,” Positive Technologies says. “Because of this attackers are used to acting quickly: it can take less than a day from the moment the exploit is identified to the first attempts to make use of it, and if a group does not have a reliable, ready-to-use tool, this time is clearly not enough to work on it.” In addition, the team says that any errors in the coding of a kernel-mode rootkit can lead to a machine’s destruction and permanent corruption, and so if a financial demand is being made — for example, by ransomware operators — then the harm caused would stop extortion attempts from being successful.  In 44% of cases documented since 2011, rootkits have been used to strike government agencies worldwide, followed by research and academic institutions in 38% of known campaigns.  Positive Technologies suggests that when rootkits are in play, their cost and development time require a high-value target: and in the majority of cases, the aim is data theft — although the goal is sometimes purely financial. In addition, rootkits are most often tracked to attacks against telecommunications companies, the manufacturing sector, and banks or financial services.  Rootkits may also be employed in targeted attacks against individuals, said to be “high-ranking officials, diplomats, and employees of victim organizations,” according to the researchers.  Commercially available rootkits often fetch a price of between $45,000 and $100,000, depending on the target operating system, terms of subscription, and features. 
    Positive Technologies
“Despite the difficulties of developing such programs, every year we see the emergence of new versions of rootkits with a different operating mechanism to that of known malware,” commented Alexey Vishnyakov, Head of Malware Detection at the Positive Technologies Expert Security Center (PT ESC). “This indicates that cybercriminals are still developing tools to disguise malicious activity and coming up with new techniques for bypassing security — a new version of Windows appears, and malware developers immediately create rootkits for it. We expect rootkits to carry on being used by well-organized APT groups.”

    SpotCam Video Doorbell 2: A Ring-killer this is not

    Dale Smith/CNET
The SpotCam is very similar to the Ring, but there are some differences. Overall, it’s not quite as good. There are some nice options, but does that make for a recommended purchase? Well…

Like all of the other competitors in the space, the SpotCam sends video to your phone when your doorbell is rung. My colleague Dale Smith over at our sister site, CNET, found that SpotCam notifications sometimes didn’t come through.

I had better results than Dale with my notifications. That’s probably because I immediately turned off the motion notification settings, since we live on a relatively high-traffic street. If I were to get a notification every time a car went by, I’d get nothing done.

This is a good news, bad news kind of product. The good news is that the box includes a ringer that you can plug into any plug in your house. The ringer is not an add-on purchase. The bad news is that the SpotCam has spotty performance as a video doorbell.

Here’s an example. I work upstairs. When someone rings the doorbell, I can hear the plug-in chime. But my phone doesn’t know there’s anyone at the door for about one-one-thousand, two-one-thousand, three-one-thousand, four-one-thousand, five-one-thousand, six-one-thou… now. That delay is annoying, but not a deal killer, especially since I can hear the downstairs chime.

The big disappointment is the video part of the doorbell, as well as the response back to the person ringing the bell. More often than not, the person ringing the bell would leave before communication was established. It was that slow.

It’s not my Wi-Fi. I have a couple of Wi-Fi-based cameras that track almost directly with real-time events (like, I hear a car door being shut and, a blink of the eye later, I see it on the camera). Not so with the SpotCam. The delay makes the video essentially worthless. I’m not alone in this observation. User comments and other reviewers have said the same thing.

The video image itself is reasonable at 1080p. Not great, but not too bad. I do like that it has an SD card that stores recordings, but the SD card is built into the unit itself, so if someone steals the unit, they’re also stealing your recordings. I also like that you can see who’s at the door through an Echo Show, if you have one. But… you can’t talk to anyone at your door through your Echo Show. It seems like such a missed opportunity.

There is a 7-day cloud service, which is free, so that’s nice. And I like that it not only runs off of bell power and battery, but also has a traditional AC adapter. Not all walls have old-school bell power built into them.

But is this worth buying? The gotcha is that it’s about the same price as its competitors, and it’s not quite as good as its competitors. If it was a lot cheaper, I’d say try it out. But since it’s in the same pricing class, I can’t give you a really compelling reason to choose the SpotCam 2 over all the other players in this increasingly crowded field.

Are you using a video doorbell? What do you like about it? What model are you using? Talk to us in the comments below.