
    Ransomware: Industrial services top the hit list – but cyber criminals are diversifying

    Businesses in industrial goods and services are still the most popular target for ransomware attacks, but cyber criminals are increasingly diversifying which organisations they’re extorting.

    Ransomware has become a major cybersecurity issue, as cyber criminals infiltrate networks and encrypt servers and files before demanding a ransom payment – often amounting to millions of dollars in cryptocurrencies – in exchange for the decryption key.

    In a significant number of cases, the victim will give in to the demands and pay the ransom. This might be because they don’t have back-ups, because the criminals threaten to leak stolen data if they’re not paid, or simply because the victim perceives paying the ransom to be the quickest means of restoring the network. Yet in reality, even with the correct decryption key, services can remain disrupted for a long time after the event.

    In an analysis of hundreds of reported ransomware attacks between July and September this year, cybersecurity researchers at Digital Shadows found that industrial goods and services was the most commonly reported sector, accounting for almost double the number of incidents that affected the second most affected industry – technology.

    One of the most significant ransomware attacks this year affected an industrial environment, when Colonial Pipeline fell victim to DarkSide ransomware. The cyber attack led to a shortage of gas for much of the United States east coast and people rushed to stockpile gas. The company ended up paying a ransom of millions of dollars to restore the network.

    Industrial environments are a popular target for ransomware cyber criminals because if a product or service can’t be produced or delivered, it affects customers – and the bottom line. As such, many companies opt to pay to get services up and running again quickly.

    “Companies within the industrial goods and services sector are commonly targeted due to their sensitivity to prolonged outages; manufacturers often need to be working 24/7,” Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, told ZDNet. “Even the slightest outage can significantly impact the target’s supply chain. Many companies within this sector—and other sectors like construction and agriculture—rely on technology to provide automation. Without this technology, productivity grinds to a halt.”

    In addition, industrial environments are often running on technology that makes them easy pickings for ransomware gangs. This can range from relying on old, out-of-date software that doesn’t receive security updates, to using much newer, Internet of Things connected devices and sensors that can be exploited by cyber criminals to access a network.

    While it won’t do away with the threat entirely, businesses can take steps to avoid falling victim to cyber attacks, such as applying security updates in a timely manner and applying multi-factor authentication.

    Diversifying targets

    While industrial environments remain the top target for ransomware attacks, there was a reduction in the number of attacks against them during the last quarter as cyber criminals diversified their targets. The research by Digital Shadows found that the technology industry was the second most targeted during the reporting period. The most significant attack on this sector in recent months was against Kaseya, an IT solutions provider, which was targeted in a supply chain attack that affected thousands of companies around the world.

    Other common ransomware targets include construction, financial services and legal services, as well as food and drink companies, all of which possess vital systems or data that criminals can leverage to coerce victims into paying the ransom.
Researchers warn that the expansion in sectors being targeted could be due to the emergence of new ransomware groups and increased competition amongst gangs. “The diversification of targets likely comes naturally as a result of the ransomware market becoming more saturated,” said Morgan.  “Digital Shadows currently tracks 35 data-leak sites operated by distinct ransomware groups, and while this number fluctuates regularly, it is highly likely to increase in 2022. With more groups needing more victims to target, new sectors will come into the firing line of this type of activity.”

    Most Latin companies plan on embracing fully remote work after Covid

    A majority of companies that shifted to remote work in Latin America are planning to stick to the format in a post-pandemic scenario. That’s according to a new study carried out by venture capital firm Atlantico with decision-makers and HR leaders in 524 firms in the region. Some 64% of Latin firms will continue to operate on a remote basis after the pandemic, according to Atlantico’s report titled Digital Transformation in Latin America. This is a change from the 9% of companies that implemented the format prior to the pandemic.

    Prior to the emergence of the crisis, 69% of the companies operated mostly out of physical environments, while 25% operated in a hybrid format — whereby employees split their time between the workplace and working remotely — and only 9% operated fully remotely.

    When employers adapted to the changes brought on in Latin America by the pandemic, they also began to accept hybrid working. According to the study, 31% of companies in the region are operating that way, and only 5% have resumed working fully at the office. Some 13% of the respondents working in a hybrid format stated they need to work 3-5 times a week from a physical company office, while 21% have to come in 1-2 times a week. Only 4% of those polled said they were not working remotely since the emergence of COVID-19. Within those operating remotely, 40% stated they only need to attend some external meetings and conferences in person, while 22% said they need to come into the office only a few times a month.

    Remote working was not possible for the vast majority of the workforce in Brazil, the largest Latin American economy, according to a separate study on the uptake of the home office format across the country in 2020. The research carried out by the Institute for Applied Economic Research (Ipea) published in September noted that 74 million people were employed in Brazil in 2020, of which 8.2 million (11%) in total worked remotely.

    Another report, published in March 2021, suggests that remote working was not a reality for the majority of the lower middle class and working-class poor population in Brazil. Only 17.5% of the Brazilians from those socioeconomic segments who maintained their jobs over a year-long period have claimed to be able to work from home through the crisis.

    How APIs can turn your business into a platform

    Market, technology, and legislative trends have created needs across all industry verticals to create and consume APIs. The mandate of an API economy is clear — the question that IT leaders must answer is not “if”, but “how?”

    Having been around for decades, APIs today define the new normal. They decompose software monoliths and transform businesses by bridging the gap between new and old applications. More companies are funding digital transformational programs with APIs at the core of their strategy. IDC predicts that overall spending on these projects will reach a historic high totaling $6.8 trillion between 2020 and 2023. It is worth pointing out that this trend not only touches software companies but also applies to all industry verticals. In industries where API-led regulations are now standard, such as Europe’s PSD2 open banking standard in financial services or FHIR for the exchange of patient information in healthcare, the digital transformation trend is accelerating. “Every company needs to become a software company,” according to Twilio CEO Jeff Lawson. The API boom is here and it is happening now. With over 24,000 APIs offered by firms today according to Programmableweb.com, it is important to carefully consider what is entailed in a successful API strategy. In the next section, we will summarize the keys to success in the API economy, distilling key trends into lessons that integration professionals and CIOs should think about before implementing an API.

    Keys to a Successful API Strategy

    As it turns out, there is a lot more to building great APIs than simply coding. Teams must also wear a product management hat throughout the API lifecycle. When treating your APIs as products, the API strategy is derived from business value, customer needs, and core technology. Let’s get into each of these areas in detail.

    1. Know the Business Value

    “The most important thing, the very first piece is to figure out what your business value is. If you don’t know why you have an API, it’s not likely to succeed,” says Kirsten Hunter, author of Irresistible APIs.

    To start, let’s take a look at API business models and what kind of value they create:

    Internal API: private, used only by your team or by your company. This API results in indirect revenue or cost savings, for example, a team that can self-service their needs in large organizations.

    Partner/customer API: private, shared only with integration partners. This API creates shared or marketed revenue so other technologies in the space can complement each other.

    External API: public, available openly on the web. This type of API often generates direct revenue with multiple monetization strategies. For example, if it’s a transactional API, the API provider may take a percentage cut of the transaction. Or, if it’s a utility API, the API provider may look to a “coin-operated” model that charges a fixed rate depending on the number of API transactions.

    In the 2020 State of the API report, API-first companies indicate that they allocate on average 56.96% of their APIs to address internal use-cases. According to this data, it is important to prioritize value-add over monetization, especially towards the beginning of building an API strategy. Many businesses start with internal APIs first and later make parts of their APIs publicly available, and in some cases, these external APIs become a huge revenue generator for the business. For example, Harvard Business Review points out how Expedia.com generates 90% of its revenue from APIs.

    It is also worth pointing out that APIs enable new business models to evolve. Multiple companies are now pioneering the new Business to Developer (B2D) model which creates pluggable value to other companies by focusing on developers first. When starting a new business, founders might want to consider this model.

    2. Know Your Customer

    The second key to success is knowing your customer. Companies must study current and potential users to see what they need and want. A common mindset while building an API is that once you build it, your users will follow.
There is, however, a better approach that involves building an API with your users, involving them as design partners. Early design partnerships help your team identify key use-cases, understand the skills of your API users, and most importantly, validate that your API is delivering value to your customers. Engaging your API consumers early enables your team to refine API design based on the feedback from beta testers. Based on the 2021 The State of API Economy Report conducted by Google, APIs enable organizations to speed up new application development (58%), connect internal applications (53%), and create a developer ecosystem (47%). These are top examples of value creation for your API customers, whether they come from an internal team seeking self-service or outside developers who innovate on top of your public API.

Knowing the skills of your users is another critical area as it provides your API consumers with the most relevant tools. Postman’s 2020 State of the API report indicates that full-stack developers are the most common API consumer, accounting for nearly 29% of all survey responses. However, with the advent of low-code and no-code tools, there is also an increasing number of less technical job functions starting to consume APIs, such as directors, managers, product managers, support, and UX designers. In organizations where this is happening, APIs are essentially the key to democratizing innovation and taking some of the burdens off of IT. Depending on who your users are, consider complementing your API documentation with pre-packaged SDKs or native iPaaS connectors, which can be embedded into familiar integrated development environments (IDEs) to help your users get started quickly.

Finally, regardless of where your API consumers come from, carefully design zero trust architectures and create API gateways that manage access to your most valuable data.
Security magazine reports that 91% of organizations had an API security incident last year, while leading analyst Gartner predicts that APIs will be the most common attack vector by 2022.

3. Treat Your API as a Product

Once you know the business value and the customers you are serving, it is time to build your API. Start by applying a product mindset while offering the best-in-class API to your users.

Top-notch API Documentation: According to the 2020 State of the API Report, one of the most important factors individuals consider before integration with an API is documentation (70.3%). When crafting your API documentation, take advantage of standard API description formats such as the OpenAPI Specification (OAS) and tools that automatically generate API documentation from these formats. Instead of creating a laundry list of API operations and technical information, embed real-world API use cases into the API portal that developers use to not only onboard themselves to your APIs, but to make their first API call. This helps developers get started quickly and helps business managers see what kind of products can be built around your API.

Sandboxes: Create sandbox environments that allow your API users to kick the tires of your APIs in non-production environments. With sandboxes, developers can start experimenting within minutes of arriving at your API portal without a need to engage with outside teams. “I saw an example literally last week with a customer that was 40 minutes into their welcome meeting with us, where the engineer was already developing and coding in a sandbox against the API,” says Bryson Koehler who joined Equifax as CTO to lead $1.5 billion digital transformation efforts.

API Launch: Just like any product launch, carefully design a marketing strategy segmenting your audience and target those segments with the most relevant content. Create advocates and recruit top developers from across the developer community to evangelize the benefits of your APIs.
According to HackerEarth’s study, hackathons can be one of the most effective methods to acquire and engage developers for your external APIs. A well-marketed and well-executed hackathon can attract between 1500 and 3000+ developers.

Support: Consider the overhead that goes along with supporting an API. For example, can developers contact a human for support or should they engage in the developer community to seek answers? Internally, the feedback cycles and the information exchange are quick. But when serving outside developers, creating an incentivized community of developers is key. Start by establishing channels that allow API users to point out mistakes and ask questions. Some practices include direct feedback links in API documentation where developers can contribute to your API instead of reporting a new bug.

Measure success: Finally, every product manager sets key performance indicators (KPIs), which help your team monitor API health and connect its adoption with the value it generates for the business. Below is the minimum set of metrics each API owner should keep in mind:

Revenue metrics, such as ROI and customer lifetime value (CLTV) per developer.
Operational metrics, such as uptime and errors.
Developer metrics, such as net promoter score (NPS) for measuring loyalty, as well as web analytics, community, and documentation engagement.

Successful API-first Stories

Now that we know what it takes to build a successful API, let’s take a look at a few best-in-class API-led examples.

Twilio

API model: External API with a coin-operated business model (e.g. $0.0075 to send or receive an SMS text message to a mobile phone that’s provisioned by any carrier)

Twilio is a great example of a company that pioneered the API economy. During his pitch in 2008, Jeff Lawson, the CEO of Twilio, said “We have taken the entire messy and complex world of telephony and reduced it to five API calls.” Since that year, Twilio has reached a market cap of $57.7 billion.
Before starting Twilio, Lawson was a technical product manager at Amazon where he saw how APIs transformed the Amazon business by launching AWS as another critical business. What makes Twilio APIs unique is the full page of real-world examples on how to use the API with complete SDKs that are pluggable into a variety of popular programming languages, such as Java and Node.js.

Stripe

API model: External API with transaction fee, e.g. 2.9% + $0.3 per credit card charge

Stripe is a suite of payment APIs that powers commerce for online businesses. The company was founded in 2010 and is currently valued at $95 billion. When sharing the success story and key strategies, Patrick Collison, co-founder of Stripe, says “Every single API request that generated an error, went to all of our inboxes and phoned all of us.”

What made Stripe so successful is a more flexible and robust payments platform. Instead of building payment transaction infrastructure in-house, companies now can integrate with Stripe’s platform via an API. “Because Stripe handles all of our transaction flows, we didn’t have to create an infrastructure for it or hire the people to do that. So that saved us in headcount, and it got us to market faster. We built our platform with at most three engineers working on it at one time,” reported one of Stripe’s customers in the IDC report.

Human API

API model: Customer APIs with multiple pricing tiers (e.g. Clinical API, Enterprise API)

API success stories emerge in other industries too. Once COVID-19 unfolded, the healthcare institutions needed to quickly reinvent themselves, and Human API illustrated the best API-first approach to healthcare.
According to the announcement, CLEARED4 & Human API teams partnered to deliver real-time test data to organizations that can access their employees’ COVID-19 data in real-time from over 5,000 labs including Quest Diagnostics, Lab Corps and CVS. “We knew accessing COVID-19 test results in real-time would be critical to a safe reopening of workplaces and venues across the country,” said Ashley John Heather, President & COO of CLEARED4. The “library of healthcare APIs” enabled Ashley’s team to seamlessly and quickly integrate COVID-19 test results into their return-to-work platform.

Conclusion

APIs are the new normal. They offer a lot of potential, drive innovation, save cost, and allow developers to self-serve their needs. A successful API strategy is the key to creating business value and turning a business into a platform. The strategy starts with a product mindset that sits at the intersection of business, customers, and technology. Figuring this out early fosters your business, delights customers, recruits partners, and enables your teams to quickly respond to emerging needs.

    His boss said the spy camera proved he was lazy. His response was brilliant

    The camera lies all the time.
    Technology erodes trust.

    That’s my philosophical thought of the day. The more humans have become embedded in technology’s core, the more it’s turned them into paranoid spies. Spy cameras and other software now seem de rigueur for companies. They want to spy on you in the office. They even want to spy on you when you’re working from home. Trust you to do your job? What do you think this is, 1982? I was moved to significant raptures, then, by a story told by a warehouse employee. Taking to Reddit, he offered a texted exchange between him and his boss. 

    The boss wasn’t happy. They began: “Good evening.” Your boss is texting you in the evening? Quite the definition of ugly. Continued the boss: “I was reviewing the cameras from our shift today and noticed that you were sitting on a stool for the majority of your shift. This is completely unacceptable behavior and we will be discussing it tomorrow before shift.” The boss has a way with words, certainly. A way that may encourage some to offer him a less than sly headbutt. His employee offered a rather more factual response: “I cleared it with [Lead’s name]. I have 2 broken bones in my left foot (doctor documented).” He went on to describe how the warehouse has packing rankings on public display. His efforts that day had placed him first. “So just to be clear,” he wondered. “My impressive performance was overshadowed by the fact that I wasn’t uncomfortable enough doing it?” You’ll be stunned into the stupor of a thousand beers when I tell you his boss replied: “I’m really not appreciating your attitude.” He added, so wisely: “This type of behavior isn’t going to get you anywhere here.” Oh Lordy. The employee felt forced to respond: “Hey, thanks for wasting my precious off time with some garbage you didn’t bother to investigate beforehand.” He went on to observe that it wasn’t any wonder that the company had difficulties retaining staff. And then the words that so many have wanted to utter at least once in their lives: “I’m not concerned with going ‘anywhere’ there. It’s a toxic environment with ignorant people at the helm. I won’t be in tomorrow or ever again.” I pause for your cheering. Especially as the boss actually texted him back, begging him not to be so hasty (Response: “No thanks. have a good life.”) It’s worth also pausing, though, to consider just how much spy cameras increase productivity. They clearly engender both fear and suspicion. It’s not just who is watching me, but how much are they watching?
And if the people who install them draw conclusions simply from what they (think they) see, rather than, say, from learning about what people actually do, then perhaps it’s time to take out the cameras and trust the humans — both management and employees — to do their jobs well. Perhaps, without spy cameras, they might care more. They might give more, too. Our hero came back to Reddit to offer a few follow-up thoughts. He said, in part: “There are opportunities out there. Don’t settle for being treated as less than human. We are better than that. We are what makes the world go round. It doesn’t matter what they are selling if there is no one to man the stores, answer the phones, or take out the garbage. Their dreams hinge on us more so than ours do on them.”

    SolarWinds hackers, Nobelium, once again strike global IT supply chains, Microsoft warns

    Microsoft has warned that Nobelium, the hacking group behind the SolarWinds fiasco, has targeted at least 140 resellers and technology service providers in global IT supply chains.

    On October 24, Tom Burt, Microsoft Corporate Vice President of Customer Security & Trust, said in an advisory that the advanced persistent threat (APT) group, of Russian origin, has now pivoted to software and cloud service resellers in order to “piggyback on any direct access that resellers may have to their customers’ IT systems.”

    The Redmond giant says that Nobelium’s latest campaign was spotted in May this year and no less than 140 companies have been targeted, with 14 confirmed cases of compromise.

    Nobelium was responsible for the SolarWinds breach, disclosed by Microsoft and FireEye (now known as Mandiant) in December 2020. SolarWinds systems were breached and an update for Orion software was poisoned and later deployed to approximately 18,000 customers.

    The APT then selected a small number of high-profile targets to exploit, including Microsoft, FireEye, the Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA), and the US Treasury. After the malicious update was pushed through SolarWinds’ legitimate channels, malware was planted on these systems, including the Sunburst/Solorigate backdoor.

    Microsoft estimates that the feat may have taken the efforts of up to 1,000 engineers. However, the latest wave of attacks does not appear to make use of any specific vulnerabilities or security flaws; instead, the group is relying on spray-and-pray credential stuffing, phishing, API abuse, and token theft in attempts to obtain account credentials and privileged access to victims’ systems.

    The new campaign is part of the Russian threat actors’ wider activities. Between July 1 and October 19, Microsoft has warned 609 customers of 22,868 hacking attempts, although the company notes that success is in the “low single digits.” Prior to July 1, Microsoft alerted customers to overall nation-state hacker attack attempts a total of 20,500 times, including a past phishing campaign launched by Nobelium that impersonated USAID.

    “This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and [to] establish a mechanism for surveilling — now or in the future — targets of interest to the Russian government,” Microsoft commented. “Fortunately, we have discovered this campaign during its early stages, and we are sharing these developments to help cloud service resellers, technology providers, and their customers take timely steps to help ensure Nobelium is not more successful.”

    Microsoft has informed all impacted vendors and has also released technical guidance outlining how Nobelium attempts to move laterally across networks to reach downstream customers.

    In a statement, Mandiant SVP and CTO Charles Carmakal said the firm has investigated multiple cases of suspected Russian cyberattacks, in which supply chain relationships between technology providers and customers have been exploited.
“While the SolarWinds supply chain attack involved malicious code inserted in legitimate software, most of this recent intrusion activity has involved leveraging stolen identities and the networks of technology solutions, services, and reseller companies in North America and Europe to ultimately access the environments of organizations that are targeted by the Russian government,” Carmakal commented.

    Tesco's website restored after suspected cyberattack

    UK supermarket giant Tesco has restored access to its website and app after an outage struck the service on Saturday, preventing customers from ordering or cancelling deliveries until Sunday evening. In a statement to The Guardian, Tesco said that “an attempt was made to interfere with our systems, which caused problems with the search function on the site.”

    The retailer, whose 1.3 million online orders per week account for nearly 15% of its UK sales, said there was no reason to believe the attempted interference impacted customer data.

    Tesco confirmed on Sunday evening that its website and app were now restored, but that it was using a virtual waiting room to handle a backlog in orders. “Our groceries website and app are back up and running. To help us manage the high volume we’re temporarily using a virtual waiting room. We’re really sorry for any inconvenience and thank you for your patience,” Tesco said on Twitter.

    Tesco Bank was fined £16.4m by the UK’s Financial Conduct Authority (FCA) over a 2016 incident in which cyber attackers stole £2.26m from 9,000 customers. The FCA found multiple flaws in the design of its debit card system. For example, Tesco Bank inadvertently issued debit cards with sequential primary account numbers (PANs). The company was also criticised for its slow response to the fraudulent transactions.

    Tesco grocery customers have complained about its handling of orders and cancellations during the website outage. Some customers said they were told on Saturday to cancel their orders, but subsequently were informed Tesco was unable to access or change any orders. Other customers reported on social media they were trying to beat the 11:45pm cut-off time to cancel orders after placing orders with rival supermarkets.  

    “Yesterday you said to send a DM to cancel my order due today. Today I get a reply to say it’s not possible. I understand you still have IT issues but much as I love Gin I don’t need 2 bottles & some crisps this evening, when @asda saved the day with actual food this morning!” Sara Willman (@myflowerpatch), October 24, 2021

    In the US, the FBI recently warned that the food and agriculture sector was increasingly the focus of ransomware attacks that threatened to disrupt the food supply chain. It followed an attack on global meatpacking business JBS, which paid the attackers $11 million to restore access to encrypted data.

    Swedish grocery chain Coop was unable to take card payments at its stores for three days earlier this year after ransomware attackers targeted managed IT service providers via a tainted software update to Kaseya’s products.

    Tesco last year reissued 600,000 Clubcard cards after discovering a security issue that allowed attackers to use credentials from other platforms on its own websites to redeem vouchers. An increasingly common attack is known as password spraying, where lists of commonly used passwords are used to gain access to other unrelated accounts.

    Large DDoS attack shuts down KT's nationwide network

    South Korea telco KT said on Monday that the temporary nationwide shutdown of its network earlier today was caused by a large-scale distributed denial-of-service (DDoS) attack. Customers who use the telco’s network were unable to access the internet for around 40 minutes at around 11am on Monday. Users were unable to use credit cards, trade stocks, or access online apps during that time period. Some large commercial websites were also shut down during the outage. General access to the internet has since been restored for KT users in most areas of the country.  A KT spokesperson said the telco’s network was shut down due to a large-scale DDoS attack. They said that, during the outage, the company’s crisis management team was working to quickly restore the network back to normal. KT is yet to figure out the extent of the damage or who was behind the DDoS attack, the KT spokesperson added. Federal police and the Ministry of Science and ICT said they were also looking into the matter in collaboration with KT. The ministry did not confirm that the network failure was caused by a DDoS attack, but it said the other major telcos SK Telecom and LG Uplus were not affected.

    Despite not being victims of the DDoS attack, users of SK Telecom and LG Uplus’ services voiced complaints on social media about these telcos having network failures. Spokespeople for these telcos said the network failures were due to a sudden surge of traffic from KT users shifting onto their services due to KT’s internet outage. Both SK Telecom and LG Uplus representatives said they would be monitoring the situation closely.

    AFP is looking to be 'more aggressive' with new cyber offensive arm

    The Australian Federal Police is conducting an internal review to implement a new cyber offensive arm, AFP commissioner Reece Kershaw said at Senate Estimates on Monday morning. “At the moment, we’re actually going through an internal review of how we can be more aggressive in cyber, and it may mean a mini restructure internally for us to really have what we would call a cyber offensive operation of the AFP, which would actually conduct disruption operations on these individuals,” he said.

    Kershaw said this process has included talking with the Five Eyes alliance about the growth of cyberthreats. Kershaw is currently the chair of Five Eyes’ law enforcement group.

    Throughout his testimony at Senate Estimates, Kershaw explained that the powers given to the AFP through the Surveillance Legislation Amendment (Identify and Disrupt) Act 2021, which passed earlier this year, would allow its cyber offensive capabilities to increase across various fronts, from countering child abuse, to spam, to terrorism. “So [spam is] something we’re looking forward to using those new powers to, you know, it is my personal pet hate. I get multiple ones a day,” Kershaw said.

    Through the new laws, the AFP and the Australian Criminal Intelligence Commission (ACIC) will gain the ability to apply for three new warrants to deal with online crime. The first of the warrants is a data disruption one, which gives cops the ability to “disrupt data” by modifying, copying, adding, or deleting it. The second is a network activity warrant that would allow the AFP and ACIC to collect intelligence from devices or networks that are used, or likely to be used, by those subject to the warrant. The last warrant is an account takeover warrant that will allow the agencies to take control of an online account for the purposes of gathering information for an investigation.

    “This is the next frontier of crime, and the AFP and our partners will work with governments and global law enforcement networks to ensure the long arm of the AFP reaches criminals no matter where they are in the world,” Kershaw said in his opening statement at Senate Estimates. “Our investigators are already strategising how they will use the new powers in active investigations to identify, target, and disrupt offenders — including those relating to terrorism, large drug importations, and distribution of child abuse material.”

    The Attorney-General’s department is currently working on authorising the warrants application process, with AFP Deputy Commissioner Ian McCartney saying that this process would be resolved in the coming weeks.

    In the AFP’s annual report [PDF] released last week, the law enforcement agency said the past year has seen it expand cyber operational capacity and build technical capabilities as part of a $90 million investment by the Australian Government across four years. This includes the ransomware action plan’s new Orcus taskforce and an AFP-led multi-agency taskforce called Dolos for targeting fraud that used compromised business emails.

    The AFP added that it carried out 163 disruption activities and charged eight offenders with 21 offences in relation to cybercrime during 2020-21.