More stories

  • Ransomware decryptor roundup: BlackByte, Atom Silo, LockFile, Babuk decryptors released

    Ransomware decryptors for the BlackByte, Atom Silo, LockFile and Babuk strains were released over the last two weeks, highlighting some amount of progress in the fight against a few of the smaller ransomware gangs.

    Last week, security company Avast released three decryptors, including ones for those affected by the AtomSilo, LockFile and Babuk ransomware. Cybersecurity firm Trustwave released a decryptor for the BlackByte ransomware two weeks ago.

    Allan Liska, a ransomware expert with the Recorded Future security company, told ZDNet that while it often feels as though security teams are losing the fight against ransomware, there is progress being seen. “Since August, by my count, we have seen decryptors for BlackMatter, REvil, AtomSilo, Babuk, LockFile, BlackByte, Prometheus and Ragnarok (I’m probably missing some others),” Liska said.

    When asked why there was a recent wave of decryptors being released, Liska attributed it to a number of factors. “Security researchers at companies like Emsisoft are getting better at finding flaws in ransomware and writing decryptors. And, communication between security companies on ransomware is increasing, so we are sharing information privately that helps victims,” Liska said.

    “We can’t discount the impact that 10 law enforcement actions against ransomware groups is also having. These actions, like the ones recently, raise the cost of ransomware operations, and many third- and fourth-tier ransomware groups are deciding it is no longer worth the risk. So, they ‘retire’ and release their keys, making it easier to create decryptors.”

    BreachQuest CTO Jake Williams noted that each of the most recent ransomware decryptors released was enabled by operational security or programming mistakes made by the threat actors. Security teams, he added, had little to do with this recent wave of decryptors other than the possibility that they were getting better at operationalizing available data.

    “The LockFile/AtomSilo decryptor targets weaknesses in the implementation of the cryptographic algorithm used to encrypt the files. The same is true for BlackByte. In the case of Babuk, the decryptor was enabled by a source code dump in September. It’s worth noting that any encryptions performed by Babuk after the source code dump probably can’t be decrypted by the tool. This is because the master key has been changed after leaking in the dump,” Williams explained.

    When asked which recent decryptor would be the most consequential, Williams said that without a doubt, it would be Babuk. “This wasn’t enabled by any cryptographic weaknesses and instead required a leak. The fact that the ransomware source code leaked at all is likely driving anxiety in the ransomware operator community, which in recent months has also seen the leak of the Conti ransomware affiliate handbook and successful law enforcement action against REvil,” Williams told ZDNet.

    Other experts, like Digital Shadows’ Ivan Righi, said malware analysts are improving and capitalizing on mistakes or weaknesses in threat actors’ encryption processes. Ransomware has been a big focus for many security teams in 2020 and 2021, and the more resources that are invested into fighting against ransomware, the smaller the room for mistakes is from a cybercriminal’s perspective, Righi said.

    Over the last few years, the wealth brought in by certain ransomware gangs has attracted multiple threat actors, some of whom are not as sophisticated as others. “As the number of ransomware variants continues to pile up, it is no surprise that we will begin to find weaknesses in some of these ransomware variants, which may allow for decryption keys to be extracted,” Righi said.

    Of all the decryptors released over the past few months, the universal decryptor for victims of the Kaseya VSA supply-chain attack stood out most to Righi. Released in September by Bitdefender, the universal decryptor only works for REvil/Sodinokibi victims infected before July 13, 2021. Hundreds of victims were helped with the decryptor after the group went dark yet again last month. It was later revealed that law enforcement officials from multiple countries were involved in disrupting the REvil ransomware gang.

    But Righi noted that just because a decryptor is released, that doesn’t mean a ransomware gang is necessarily finished. “The release of a decryptor for a ransomware variant does not mean the end of that ransomware group. DarkSide had a decryptor released in January 2021, but the group simply improved its tools and continued attacks until May 2021, when the Colonial Pipeline attack occurred,” Righi said. “However, the release of decryptors may damage a group’s reputation and ability to attract new affiliates.”

  • Continued uncertainty forces attention on securing relationships in 2022

    In Forrester’s Predictions blog last year, our security team talked about 2021 as “the transition to a new normal.” It hasn’t quite worked out that way — as the Delta variant spread and lockdowns reappeared, employees who had flirted with heading back to the office found themselves joining remote meetings from home just like before. As we look forward to 2022, a theme emerges: securing relationships. Uncertainty has accelerated reliance on each other, and gaps in third-party relationships, collaboration, and trust will have outsized impacts on firms’ relationships with their colleagues, partners, and suppliers. For cybersecurity, here’s what we expect to see in 2022:

    Sixty percent of security incidents will result from issues with third parties. In 2020, 27.8% of organizations reported 20 or more supply chain disruptions, and executives have uttered the phrase “supply chain” over 3,000 times on S&P 500 earnings calls, compared to 2,100 times all of last year. A quick look at Google Trends reveals that searches for “supply chain” have peaked just in the last couple of weeks. With cyberattacks targeting smaller vendors and suppliers, third-party incidents will increase and SolarWinds-style headlines will plague firms that don’t invest in the risk management trifecta: people, process, and technology.

    Security brain drain sets in as one in 10 experienced security pros exit the industry. Two million women have left the US labor force during the pandemic according to data from the US Labor Department, roughly twice as many as men. That’s a sobering trend for an industry like cybersecurity, which is already struggling with diversity, equity, and inclusion as well as burnout. Data in a 2021 study from VMware shows that 51% of cybersecurity professionals experienced extreme stress or burnout over the past twelve months. CISOs must tackle the problems of burnout and team culture while using succession planning to build a pipeline of future security leaders.

    At least one security vendor collapses in an Enron-Theranos-esque scandal. Eighteen cybersecurity vendors reached unicorn status in the first half of 2021, compared to only six the entire previous year. For context, a year before Cisco acquired Duo Security, Duo’s most recent valuation had put it just above unicorn status at $1.17 billion. With the explosion of investment activity in cybersecurity, we expect “accounting irregularities” will bring at least one cybersecurity vendor down in 2022. The fallout creates risks for CISOs. To reduce these risks, when working with early-stage security startups, consider adding a second vendor for redundancy, and take a cautious approach to case studies and other mentions of your brand.

    This post was written by Vice President, Principal Analyst Jeff Pollard and it originally appeared here.

  • Linksys Velop Mesh WiFi 6 (AX4200) System, hands on: A good mid-range mesh wi-fi system

    Like: Simple setup; Good Wi-Fi 6 performance

    Don’t like: Bulky nodes; Some controls lack depth

    Mesh wi-fi has become the go-to option for extending wi-fi range in many small office and home office environments, and also has a strong following among consumers. Linksys has been in the game for a while, and has a new Wi-Fi 6 (802.11ax) version of its Velop Whole Home Intelligent Mesh WiFi 6 (AX4200) System. The two-node kit I was sent costs £375, while a single node costs £226 and a three-node kit costs £579. Linksys says each node will cover 2,700 square feet (2,508 sq m). In the US, a single AX4200 node costs $249.99.

    Setup is simplicity itself. Download the mobile app, configure a login, connect whatever you designate as the ‘primary node’ to your internet router via the Gigabit WAN port and to mains power, and then return to the app to walk through the few stages that complete setup. The whole process was easy, and my two-node system was up and running in under 15 minutes.

    The Velop Mesh Wi-Fi 6 (AX4200) nodes measure 114.3mm (4.5in.) square by 243.8mm (9.6in.) tall and weigh 943.5g (2.08lbs).
    Image: Sandra Vogel / ZDNet

    The nodes themselves are large, measuring 24.4cm high and 11.4cm square. They shouldn’t be hemmed in — behind cupboards, for example — as this will interfere with their ability to work optimally. Instead, these white plastic monoliths will likely create a bit of visual clutter. The tri-band system delivers a top speed of 4.2Gbps, which was plenty to meet my household needs, including powering working from home, family video calling and delivering streaming entertainment services. If wired connections are preferred, then every node has three Gigabit Ethernet ports at its disposal.

    Ports and connectors on the Velop Mesh Wi-Fi 6 (AX4200) nodes: USB 3.0; 3x Gigabit Ethernet; Gigabit WAN; power.
    Image: Sandra Vogel / ZDNet

    There is also a USB-A port on each node, and this can be used to attach external storage so that content can be shared and streamed by anyone on the network. I tested this with an external hard drive and sharing worked perfectly. There are even some instructions on how to access shared devices via different operating systems in the Linksys app.

    The app is neat and accessible. It is easy to set up guest access on the hoof, with a private password that provides internet access but no visibility of computers or connected devices, so that guest accounts can be switched on and off as needed. However, some controls are less expansive than they could be. Parental controls include blocking internet access from specific devices on a schedule or on demand, but website blocking is managed by manually adding URLs, which is a hassle. Video calling can be given priority over all other types of activity, and it’s also possible to prioritise up to three devices for bandwidth use, with the remainder sharing whatever is left. So, those work calls happening while others are using the smart TV may no longer stutter.

    Performance during testing was very impressive. Everything seemed to work a little bit faster, and the reach was excellent. My existing system doesn’t stretch into the kitchen or to the far end of the garden, but the Velop WiFi 6 (AX4200) managed both, and speeds in these locations seemed as good as those in my home office right by the router.

    With home office working much more prevalent for many people nowadays, a solid mesh wi-fi system might be a wise investment. The Linksys Velop WiFi 6 (AX4200) is easy to set up, even for newcomers to the concept, and while the detailed controls could do with a bit more depth, these may well come as Linksys develops the system further.

  • Programming languages: This sneaky trick could allow attackers to hide 'invisible' vulnerabilities in code

    If you’re using the Rust programming language — or JavaScript, Java, Go or Python — in a project, you may want to check for potential differences between reviewed code versus the compiled code that’s been output. The Rust Security Response working group (WG) has flagged a strange security vulnerability that is being tracked as CVE-2021-42574 and is urging developers to upgrade to Rust version 1.56.1. News of the obscure bug was disseminated in a mailing list today. The Rust project has also flagged the Unicode “bidirectional override” issue in a blogpost. But it’s a general bug that doesn’t affect just Rust but all code that’s written in popular languages that use Unicode.

    Since it is Unicode, this bug affects not just Rust but other top languages, such as Java, JavaScript, Python, C-based languages and code written in other modern languages, according to security researcher Ross Anderson. Open-source projects such as operating systems often rely on human review of all new code to detect any potentially malicious contributions by volunteers. But the security researchers at Cambridge University said they have discovered ways of manipulating the encoding of source code files so that human viewers and compilers see different logic.

    “We have discovered ways of manipulating the encoding of source code files so that human viewers and compilers see different logic. One particularly pernicious method uses Unicode directionality override characters to display code as an anagram of its true logic. We’ve verified that this attack works against C, C++, C#, JavaScript, Java, Rust, Go, and Python, and suspect that it will work against most other modern languages,” writes Anderson, detailing this bug and a similar “homoglyph” issue tracked as CVE-2021-42694.

    “The trick is to use Unicode control characters to reorder tokens in source code at the encoding level. These visually reordered tokens can be used to display logic that, while semantically correct, diverges from the logic presented by the logical ordering of source code tokens. Compilers and interpreters adhere to the logical ordering of source code, not the visual order,” the researchers said. The attack is to use control characters embedded in comments and strings to reorder source code characters in a way that changes its logic.

    Software development is international and Unicode — a foundation for text and emoji — supports left-to-right languages, such as English, and right-to-left languages, such as Persian. It does this through “bidirectional override”, an invisible feature called a codepoint that enables embedding left-to-right words inside a right-to-left sentence and vice versa. While they’re normally used to embed a word inside a sentence constructed in the reverse direction, Anderson and Microsoft security researcher Nicholas Boucher discovered that they could be used to change how source code is displayed in certain editors and code review tools. It means that reviewed code can be different than the compiled code and shows how organizations could be hacked through tampered open-source code.

    “This attack is particularly powerful within the context of software supply chains. If an adversary successfully commits targeted vulnerabilities into open source code by deceiving human reviewers, downstream software will likely inherit the vulnerability,” the researchers warn. Google has found that open-source software supply chain attacks have escalated in the past year.

    Rust isn’t a widely used programming language, but it has been adopted for systems (versus application) programming by Google, Facebook, Microsoft, Amazon Web Services (AWS) and more for its memory-related safety guarantees. “Rust 1.56.1 introduces two new lints to detect and reject code containing the affected codepoints. Rust 1.0.0 through Rust 1.56.0 do not include such lints, leaving your source code vulnerable to this attack if you do not perform out-of-band checks for the presence of those codepoints,” the Rust project said. The Rust project analyzed its add-on software packages, dubbed “crates” — it reviewed everything published on crates.io from 17 October 2021 — and determined that five crates have the affected codepoints in their source code. However, it didn’t find any malicious codepoints.
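    The “out-of-band check” the Rust project recommends for older toolchains can be done with a small scanner of your own. The following is an added example, not the Rust lint or the researchers’ code: it flags the nine bidirectional control codepoints wherever they appear in a source file, reports which token kind (string literal, comment) encloses each one, and lists identifiers containing non-ASCII characters for the homoglyph variant. The scanner tokenizes Python source; the sample input is constructed.

```python
"""Scanner for the Unicode codepoints behind CVE-2021-42574 (bidi overrides)
and CVE-2021-42694 (homoglyph identifiers), applied to Python source text.

Added example, not the Rust project's lint code: it mirrors the idea of the
Rust 1.56.1 lints (reject the affected codepoints in comments and literals)
as a stand-alone check that can run in CI for any repository.
"""
import io
import tokenize
import unicodedata

# Bidirectional embedding, override and isolate controls (the nine codepoints
# the Rust lints flag). In source they can only hide inside strings and
# comments, which is exactly where a reviewer cannot see them reorder text.
BIDI_CONTROLS = frozenset(
    ["\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE RLE PDF LRO RLO
     "\u2066", "\u2067", "\u2068", "\u2069"]             # LRI RLI FSI PDI
)


def _tokens(source):
    """Tokenize; return [] if the file does not tokenize (codepoint scan still runs)."""
    try:
        return list(tokenize.generate_tokens(io.StringIO(source).readline))
    except (tokenize.TokenError, SyntaxError):
        return []


def _kind_at(tokens, line, col):
    """Name of the token kind covering (line, col), e.g. STRING or COMMENT."""
    for tok in tokens:
        if tok.start <= (line, col) < tok.end:
            return tokenize.tok_name[tok.type]
    return "UNKNOWN"


def find_bidi_controls(source):
    """Report every bidi control character with its position and enclosing token kind."""
    tokens = _tokens(source)
    findings = []
    for lineno, text in enumerate(source.splitlines(keepends=True), start=1):
        for col, ch in enumerate(text):
            if ch in BIDI_CONTROLS:
                findings.append({
                    "line": lineno,
                    "col": col,
                    "kind": _kind_at(tokens, lineno, col),
                    "codepoint": f"U+{ord(ch):04X}",
                    "name": unicodedata.name(ch),
                })
    return findings


def find_non_ascii_identifiers(source):
    """Report identifiers containing non-ASCII characters (the homoglyph half of the issue)."""
    findings = []
    for tok in _tokens(source):
        if tok.type == tokenize.NAME and not tok.string.isascii():
            findings.append({
                "line": tok.start[0],
                "identifier": tok.string,
                "non_ascii": [f"U+{ord(c):04X} {unicodedata.name(c, '?')}"
                              for c in tok.string if not c.isascii()],
            })
    return findings


# Constructed sample: an RLO inside a string literal, an isolate pair inside a
# comment, and an identifier whose second letter is Cyrillic U+0435, not Latin 'e'.
SAMPLE = (
    "role = 'guest'\n"
    "if role != 'guest\u202e':  # \u2066 privileged path \u2069\n"
    "    grant_admin()\n"
    "h\u0435llo = 1\n"
)

if __name__ == "__main__":
    for f in find_bidi_controls(SAMPLE):
        print(f"{f['line']}:{f['col']} {f['kind']:8} {f['codepoint']} {f['name']}")
    for f in find_non_ascii_identifiers(SAMPLE):
        print(f"{f['line']} NAME {f['identifier']!r} contains {', '.join(f['non_ascii'])}")
```

    Any finding of kind STRING or COMMENT is the case the researchers describe; a finding of kind UNKNOWN means the control character sits outside any token and the file most likely fails to parse.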

  • Microsoft: This macOS flaw could have let attackers install undetectable malware

    Apple has patched a security flaw in macOS that Microsoft researchers found could be used to install a malicious kernel driver, otherwise known as a ‘rootkit’.

    The flaw resided within macOS System Integrity Protection (SIP). The glitch allowed a potential attacker to install a hardware interface that allows them to “overwrite system files, or install persistent, undetectable malware”.

    The discovery reflects Microsoft’s increased focus on enterprise customers that use a mix of Windows and macOS under hybrid work arrangements, which is evidenced by products like its cross-platform security product, Microsoft Defender for Endpoint. Microsoft introduced Defender ATP for Macs in 2019, well before the pandemic pushed everyone to the hardware they used at home.

    “This OS-level vulnerability and others that will inevitably be uncovered add to the growing number of possible attack vectors for attackers to exploit,” explains Jonathan Bar-Or, from the Microsoft 365 Defender Research team. “As networks become increasingly heterogeneous, the number of threats that attempt to compromise non-Windows devices also increases.”

    SIP, aka ‘rootless’, locks down the system from the root by using Apple’s sandbox to protect macOS. It contains several memory-based variables that shouldn’t be able to be modified in non-recovery mode. But SIP can be turned off after booting into recovery mode, allowing an attacker to bypass SIP protections.

    “Over the years, Apple has hardened SIP against attacks by improving restrictions,” writes Bar-Or. “One of the most notable SIP restrictions is the filesystem restriction. This is especially important for red teamers and malicious actors, as the amount of damage one can do to a device’s critical components is directly based on their ability to write unrestricted data to disk.”

    The flaw Microsoft found in Apple’s SIP restrictions was related to system updates, which require unrestricted access to SIP-protected directories. Apple “introduced a particular set of entitlements that bypass SIP checks by design,” writes Bar-Or. Apple patched the flaw, tracked as CVE-2021-30892, in macOS Monterey 12.0.1, as well as updates for Catalina and Big Sur. SIP vulnerabilities aren’t new, but Microsoft decided the bug was serious enough to warrant the name “shrootless”.

    “While assessing macOS processes entitled to bypass SIP protections, we came across the daemon system_installd, which has the powerful com.apple.rootless.install.inheritable entitlement. With this entitlement, any child process of system_installd would be able to bypass SIP filesystem restrictions altogether,” explains Bar-Or.

    Microsoft, of course, argues this flaw warrants Defender for Endpoint’s behavioral analytics capabilities to protect Macs in the enterprise. Apple patched dozens more serious bugs in its latest update for macOS Monterey and earlier.

    Taking a step back, Microsoft’s post touches on a decades-old debate about whether Macs need antivirus and the two companies’ respective approaches to that question. Macs, in Apple’s view, don’t need antivirus, whereas Windows PCs do. Apple has used the rise of malware targeting macOS in its arguments against Fortnite-maker Epic Games, for example. And Microsoft this year hired Justin Long, the face of the “Get A Mac” campaigns that once focused on malware targeting Windows PCs but not Macs. But in the enterprise in 2021, where Macs are ascending, work is hybrid, and state-sponsored hackers are looking for every entry point, it’s clear that security threats continue to evolve.

  • Signal unveils how far US law enforcement will go to get information about people

    Signal has released the details of a search warrant it received from police in Santa Clara, California, unveiling the efforts US law enforcement authorities will undertake to force online platforms into disclosing the personal information of their users.

    In the search warrant, Santa Clara Police sought to get the name, street address, telephone number, and email address of a specific Signal user. It also wanted billing records, the dates of when the account was opened and registered, inbound and outbound call detail records, voicemails, video calls, emails, text messages, IP addresses along with dates and times for each login, and even all dates and times the user connected to Signal.

    In response to the search warrant, Signal provided law enforcement authorities with timestamps regarding the account specified in the search warrant. The timestamps showed the dates that the account last connected to Signal. Signal said in a blog post that, by default, it does not collect the requested information from users.

    “As usual, we couldn’t provide any of that. It’s impossible to turn over data that we never had access to in the first place. Signal doesn’t have access to your messages; your chat list; your groups; your contacts; your stickers; your profile name or avatar; or even the GIFs you search for,” Signal wrote in the blog post.

    The company’s interaction with Santa Clara County police didn’t end there, however, as the law enforcement authorities then issued a non-disclosure order that required Signal to not publicly disclose that it received the search warrant. The non-disclosure order was then extended four times, which resulted in Signal’s request to unseal the search warrant being repeatedly pushed back. In total, it took Signal almost a full year before the company was able to legally publicly disclose the process it underwent when it received the search warrant.

    “Though the judge approved four consecutive non-disclosure orders, the court never acknowledged receipt of our motion to partially unseal, nor scheduled a hearing, and would not return counsel’s phone calls seeking to schedule a hearing,” Signal wrote.

    Law enforcement authorities around the world are increasingly finding ways to compel online platforms to hand over information about their users. Just last month, hosted email service provider ProtonMail publicly disclosed that French authorities were able to acquire the IP address of one of its users through getting approval from Swiss courts. This was despite ProtonMail not being subject to French or EU requests, and only being required to comply with requests from Swiss authorities.

    In response to the order, ProtonMail CEO and founder Andy Yen said all companies have to comply with laws, such as court orders, if they operate within 15 miles of land. “No matter what service you use, unless it is based 15 miles offshore in international waters, the company will have to comply with the law,” Yen said at the time.

    Democracy advocate Freedom House last month also published findings that indicate a growing number of governments are forcing tech businesses to comply with online censorship and surveillance. Freedom House said in the past year alone, 48 out of 70 countries covered in its research — which accounted for 88% of the world’s internet users — have pursued new rules for tech companies on content, data, or competition over the past year.

  • Huawei revenue continues downward trend as three-quarter total smashed by one-third

    Huawei released a snippet reporting its three-quarter revenue total on Friday, and it showed the Chinese giant is continuing to get hammered in the consumer segment. In its first quarter, sales were down 16.5%; by the half-year, the revenue drop was 29%; and for the nine months of its fiscal year, Huawei reported taking in 456 billion yuan in revenue. This represents an almost 33% drop on the 671 billion yuan reported last year. “Overall performance was in line with forecast,” Huawei rotating chair Guo Ping said. “While our B2C business has been significantly impacted, our B2B businesses remain stable.” Huawei did not break out its quarterly revenue explicitly nor provide a breakdown of its business units, but it had 152 billion yuan for Q1, Q2 was around 168 billion yuan, and Q3 was in the realm of 136 billion yuan. For the half-year, Huawei said in August its carrier business was down 14% to 137 billion yuan and consumer declined 13.7% from 221 billion yuan to 136 billion yuan, while enterprise increased 18% to 36 billion yuan. Last November, Huawei sold off its Honor brand due to US restrictions.

    In May, Huawei reported revenue almost halved in its Australian arm during 2020, and it had shed 113 employees. During September, the US Justice Department and Huawei CFO Meng Wanzhou cut a deal to end an extradition lawsuit that ran for nearly three years. Meng admitted only to misleading global financial institutions and did not plead guilty to the various fraud charges imposed against her. Without even trying to hide its hostage diplomacy tactics, Beijing subsequently released two Canadians who were detained shortly after Meng’s arrest and kept in Chinese prisons. By contrast, Meng was able to live under house arrest in one of her two Vancouver homes.

    The US Federal Communications Commission laid out in September the rules for small carriers that are applying to access a pot of $1.9 billion to rip out and replace Huawei and ZTE network equipment and services.

  • None of NSW's lead cluster agencies have implemented all Essential Eight controls

    The cybersecurity policy for New South Wales government agencies is not sufficiently robust which is a cause for “significant concern”, according to the state’s auditor-general Margaret Crawford. “Key elements to strengthen cybersecurity governance, controls, and culture are not sufficiently robust and not consistently applied. There has been insufficient progress to improve cyber security safeguards across NSW government agencies,” the auditor-general wrote in a compliance report [PDF] about the state’s cybersecurity capabilities. The audit assessed whether nine of the state’s lead cluster agencies — Premier and Cabinet, Communities and Justice, Customer Service, Education, Planning, Regional NSW, Health, Treasury, and Transport — had provided accurate reporting on their level of maturity in implementing the requirements of the state’s cybersecurity policy. Of these agencies, none of them have implemented all of the Essential Eight controls at level one, with the auditor-general saying that all organisations at a baseline should be at level three. She added that all agencies failed to reach even level one maturity for at least three of the Essential Eight strategies. Seven of the nine participating agencies also reported levels of maturity regarding cybersecurity policy and the Essential Eight that were not supported by evidence. “Each of the nine participating agencies for this audit had overstated their level of maturity against at least one of the 20 mandatory requirements. Seven agencies were not able to provide evidence to support their self-assessed ratings for the Essential Eight controls,” Crawford wrote in the report.

    Crawford warned that overstating the effectiveness of an agency’s cybersecurity capabilities could undermine the ability to address cyber risks and ultimately expose them to cyber attacks. Outside of the nine agencies that received close scrutiny, the data of 95 other state agencies were also reviewed by the auditor-general. In total, of the 104 agencies reviewed in the audit, only five self-assessed that they had implemented all of the mandatory requirements at level three or above. Fourteen agencies self-assessed that they had implemented each of the Essential Eight controls at level one maturity or higher, while the remainder reported at level zero for implementation of one or more of the Essential Eight controls. These levels are similar to those reported in 2019 and 2020, with the auditor-general saying better leadership and resourcing would be required if there is to be significant improvement in agency cybersecurity capability.

    Crawford said the agencies were not the only ones to blame for this lack of progress, however, criticising the cybersecurity policy itself for allowing agencies to determine what are “mandatory requirements” when addressing cybersecurity risks. Unlike cybersecurity policies from comparable jurisdictions, the one in NSW lacks a requirement for agency heads to demonstrate reasons for not implementing protocols from the policy. The NSW cybersecurity policy also does not require these considerations to be documented, nor does it require an explicit acknowledgement and acceptance of the residual risk. There is also currently no requirement for NSW agencies to implement the “top four” controls of the Essential Eight strategies to any designated level of maturity, which are application whitelisting, patching applications, patching operating systems, and restricting administrative privileges.

    The auditor-general also expressed concern for the lack of systematised and formal monitoring, by either Cyber Security NSW or another agency, of the adequacy or accuracy of agencies’ cyber self-assessment processes. Late last year, the NSW audit office found that Service NSW did not effectively handle private information, as a result of the agency experiencing a phishing attack where 47 staff email accounts were compromised. All up, the breach was said to have impacted 186,000 customers and exposed up to 738GB of customer information contained within 3.8 million documents.