More stories


    FBI, CISA warn of potential cyberattacks over Labor Day weekend

    CISA and the FBI have released an advisory warning of potential cyberattacks that may occur over the coming Labor Day weekend, noting that in recent years hackers have launched dozens of devastating attacks on long weekends. They urged organizations to take steps to secure their systems, reduce their exposure and potentially “engage in preemptive threat hunting on their networks to search for signs of threat actors.”

    Eric Goldstein, executive assistant director for Cybersecurity at CISA, said ransomware “continues to be a national security threat” but noted that the challenges presented by potential attacks are “not insurmountable.” “With our FBI partners, we continue to collaborate daily to ensure we provide timely, useful and actionable advisories that help industry and government partners of all sizes adopt defensible network strategies and strengthen their resilience,” Goldstein said. “All organizations must continue to be vigilant against this ongoing threat.”


    He urged organizations not to pay ransoms in the event of a ransomware attack and said CISA or local FBI field offices should be contacted before any decisions are made. CISA noted that there is generally an increase in “highly impactful ransomware attacks” that occur on holidays and weekends, noting the devastating Kaseya attack that took place on July 4. CISA said it does not have specific threat intelligence indicating attacks are imminent but explained that threat actors know IT teams are limited on holiday weekends and listed a number of attacks that took place on holidays this year. 

    They cited the Mother’s Day weekend attack in May by the DarkSide ransomware group on Colonial Pipeline and the Memorial Day weekend attack on major meat processor JBS by the Sodinokibi/REvil ransomware group. REvil then hit Kaseya on July 4, continuing the holiday attack trend. 


    “The FBI’s Internet Crime Complaint Center, which provides the public with a trustworthy source for reporting information on cyber incidents, received 791,790 complaints for all types of internet crime — a record number — from the American public in 2020, with reported losses exceeding $4.1 billion,” the advisory said. “This represents a 69 percent increase in total complaints from 2019. The number of ransomware incidents also continues to rise, with 2,474 incidents reported in 2020, representing a 20 percent increase in the number of incidents, and a 225 percent increase in ransom demands. From January to July 31, 2021, the IC3 has received 2,084 ransomware complaints with over $16.8M in losses, a 62 percent increase in reporting and 20 percent increase in reported losses compared to the same time frame in 2020.”

    The FBI added that over the last month, the most frequently reported attacks involved ransomware groups like Conti, PYSA, LockBit, RansomEXX/Defray777, Zeppelin and Crysis/Dharma/Phobos. More ransomware groups are also coupling the encryption of IT assets with the secondary extortion of organizations with stolen sensitive or proprietary data, according to the notice. CISA added that ransomware groups are increasingly deleting backups and adding other tactics to make attacks more devastating. The most common initial access vectors involve phishing and brute forcing unsecured remote desktop protocol endpoints, according to CISA. Ransomware gangs are also using dropper malware, exploiting vulnerabilities and taking advantage of stolen credentials. At times, ransomware actors spend weeks inside a system before launching an attack — typically on weekends or holidays — so CISA urged IT leaders to proactively search their systems for potential points of access. Suspicious traffic patterns and strange access locations may help tip off IT teams of the potential for an attack, CISA noted.

    IT leaders, like ThycoticCentrify vice president Bill O’Neill, said malicious actors often know that long weekends mean there will be a delayed response or an unprepared ‘skeleton crew’ that simply doesn’t have the resources to simultaneously monitor for and deter threats fast enough. “Or threats will be monitored, trigger automatic alerts, and enforce certain lockdowns, but often those still require human action for mitigation and additional security controls,” O’Neill said. “And because most organizations would prefer to have their data released immediately rather than wait out the duration of a holiday weekend (and incur continued reputational damage), they’re also more likely to negotiate with attackers and pay out the requested ransom to minimize long term risks associated with these attacks.”

    Lookout senior manager Hank Schless added that hackers know people may be traveling and not able to access their work computer or mobile device in order to help stop an attack once they receive an alert of suspicious activity. Attackers have already become much more advanced in how they gain entry to an organization’s infrastructure — even when teams are fully staffed up and working, Schless told ZDNet.

    Jake Williams, CTO at BreachQuest, explained that most ransomware attacks seen today could be easily discovered before encryption by following the guidance from CISA. “This is especially true for reviewing logs. Threat actors could certainly perform lateral movement while staying out of logs, but with the plethora of potential victims with horrible cyber hygiene there’s currently no need to do so,” Williams said, adding that extremely basic levels of cybersecurity hygiene and monitoring are enough to achieve early detection of today’s ransomware adversaries.

    Tripwire vice president Tim Erlin put it succinctly: “Attackers don’t take the weekends off, and neither should your cybersecurity.”


    Crowdstrike beats Q2 estimates with strong subscription growth

    Crowdstrike on Tuesday published its second quarter financial results, beating market estimates with solid growth from subscription customers. The cybersecurity company added 1,660 net new subscription customers in the quarter for a total of 13,080 subscription customers as of July 31. That represents 81% year-over-year growth. Subscription revenue was $315.8 million, a 71% increase. Crowdstrike’s total Q2 revenue was $337.7 million, a 70% increase over a year prior. Non-GAAP net income came to $25.9 million or 11 cents per share. Analysts were expecting earnings of 9 cents per share on revenue of $323.16 million. “CrowdStrike delivered an outstanding second quarter with rapid subscription revenue growth and record net new ARR generated in the quarter,” CEO and co-founder George Kurtz said in a statement. “The success of our platform strategy and our growing brand leadership have led to a groundswell of customers turning to CrowdStrike as their trusted security platform of record. We believe that our extensible Falcon platform, purpose-built to leverage the power of the cloud, collecting data once and reusing it many times, is a fundamental cornerstone to building a durable growth business over the long-term.” Crowdstrike’s annual recurring revenue (ARR) increased 70% year-over-year and grew to $1.34 billion as of July 31. Of that, $150.6 million was net new ARR added in the quarter. In addition to adding a record number of net new subscribers in the quarter, Crowdstrike reported solid growth in the portion of subscribers adopting multiple modules. CrowdStrike’s subscription customers that have adopted four or more modules, five or more modules and six or more modules increased to 66%, 53%, and 29%, respectively, as of July 31. 

    For the third quarter, the company expects total revenue in the range of $358 million to $365.3 million.



    Don't want to get hacked? Then avoid these three 'exceptionally dangerous' cybersecurity mistakes

    Using unsupported software, allowing the use of default usernames and passwords and using single-factor authentication for remote or administrative access to systems are all dangerous behaviours when it comes to cybersecurity and should be avoided by all organisations – but particularly those supporting critical infrastructure. 


    The warning comes from the US Cybersecurity and Infrastructure Security Agency (CISA), which is developing a catalogue of “exceptionally risky” behaviours which can put critical infrastructure at extra risk of falling victim to cyber attacks. Use of single-factor authentication — where users only need to enter a username and password — is the latest risky behaviour to be added to the list, with CISA warning that single-factor authentication for remote or administrative access to systems supporting the operation of critical infrastructure “is dangerous and significantly elevates risk to national security”.

    Using multi-factor authentication can help disrupt over 99 percent of cyber attacks. For critical infrastructure, it’s therefore particularly important to have it applied in order to help prevent cyber criminals from tampering with cyber-physical systems.

    Alongside single-factor authentication as a bad practice is the use of known, fixed or default passwords, which CISA describes as “dangerous”. Default or simple passwords are good for cyber criminals because there’s a much higher chance of them being able to simply guess passwords to compromise accounts. CISA also warns against the use of passwords which are known to have been breached previously, as that means they also provide cyber criminals with a simple means of gaining access to networks.

    The third bad practice listed by CISA is the use of unsupported or end-of-life software in critical infrastructure. Software or operating systems which no longer receive security updates leave a risk that cyber criminals could exploit newly discovered vulnerabilities, because old software often never receives a patch for them.

    “The presence of these bad practices in organizations that support critical infrastructure…is exceptionally dangerous and increases risk to our critical infrastructure, on which we rely for national security, economic stability, and life, health, and safety of the public,” CISA said.

    CISA’s list of dangerous bad practices is designed as advice for organisations involved in running or supporting critical infrastructure – but it’s also useful advice for businesses in general: avoiding the use of single-factor authentication, default passwords and unsupported software will also help protect them from falling victim to cyber attacks.


    Verizon and Microsoft team up to offer 5G edge cloud computing for businesses

    Verizon announced on Tuesday that it will be partnering with Microsoft to offer an on-premises private edge compute solution for businesses. Leveraging Verizon 5G Edge with Microsoft Azure Stack Edge, the solution “enables the ultra-low latency needed to deploy real-time enterprise applications,” the companies said in a statement. Sampath Sowmyanarayan, chief revenue officer of Verizon Business, said it would allow businesses to “bring compute and storage services to the edge of the network at the customer premises, providing increased efficiencies, higher levels of security, and the low lag and high bandwidth needed for applications involving computer vision, augmented and virtual reality, and machine learning.”

    “We’re thrilled to partner with Microsoft to bring 5G Edge to enterprises, dropping latency at the edge, helping critical, performance-impacting applications respond more quickly and efficiently,” Sowmyanarayan said. “5G will usher in next-generation business applications, from core connectivity to real-time edge compute and new applications and solutions that take advantage of AI transforming nearly every industry.”

    Corporate vice president of Azure for Operators at Microsoft Yousef Khalidi added that through the partnership with Verizon, the companies would be able to provide customers with compute and storage service capabilities at the edge of customers’ networks, “enabling robust application experiences with increased security.” “Business innovation demands powerful technology solutions and central to this is the intersection between the network and edge,” Khalidi said.

    Verizon said the announcement builds on a collaboration with Microsoft that began in 2020 and has sought to provide retailers with a way to process information in near real time to gain actionable data-driven insights to increase inventory accuracy and power fast and flexible supply chains. The companies noted that businesses like Ice Mobility have already used the solution to assist with computer vision-backed product packing as a way to improve on-site quality assurance. Ice Mobility is now looking into other 5G Edge applications that can offer material automation enhancements to its business like near real-time activity-based costing. “This solution would allow them to assign overhead and indirect costs to specific customer accounts, pick and pack lines, and warehouse activities to enhance efficiencies and improve competitiveness,” the companies explained in a statement.

    The companies believe that the solution can help manufacturers minimize their downtime, gain greater visibility into their business processes and maximize the performance of their assets. Ghassan Abdo, Research VP at IDC, said the announcement “aligns with IDC’s view that an on-premise, private 5G edge compute deployment model will spur the growth of compelling 4th generation industrial use cases.” “This partnership is a positive development as it leverages the technology and communications leadership of both companies,” Abdo said.


    Initial Access Broker use, stolen account sales spike in cloud service cyberattacks

    There is rising demand for the services of Initial Access Brokers (IABs) and access credentials in cloud-based cyberattacks. 

    On Tuesday, Lacework published its 2021 Cloud Threat Report vol.2, outlining how today’s cybercriminals are attempting to cut out some of the legwork involved in campaigns against cloud service providers. Over this year, the cloud security firm’s team has observed a number of trends of note in the cloud space, including increased demand for IABs.

    Initial Access Brokers, as documented by KELA, are individuals or groups which have managed to secure access to a target system. Access may have been obtained through weak, broken, or stolen credentials, an insider, or by way of a vulnerability. The average price of network access, as analyzed by the team, is currently $5,400, while the median price is $1,000, depending on the level of access obtained and the target organization.

    Ransomware groups have taken an interest in IABs, and alongside these groups, other threat actors focused on exploiting cloud services are also attempting to recruit IABs for their own ends. Lacework says that over the past few months, administrator credentials obtained by IABs appear to have become a popular resource for attackers. In addition, the scanning and probing of storage buckets, online databases, login platforms, and orchestration systems continue to increase.

    “What started as one-off marketplace postings continues to escalate as criminals begin to understand and operationalize the utility of access to cloud services above and beyond cryptocurrency mining,” the team says.

    The report also explores the latest TeamTNT criminal operation activities against cloud services. The TeamTNT botnet, first spotted back in 2020, is known to install cryptocurrency-mining malware on vulnerable containers. TeamTNT is hunting for exposed Docker APIs to deploy malicious Docker images, and in numerous cases, public Docker repositories are being taken over through compromised accounts to host malware. Another tactic of note is the exploitation of canary tokens. The team suspects that the legitimate canarytokens.org service, used to alert users when a resource has been accessed, has also been abused to notify ransomware operators of malware execution on a victim’s system.

    Additional points of interest include honeypot data collected by the firm, which suggests SSH, SQL, Docker, and Redis services are most commonly targeted. Tor is often employed when AWS environments are targeted; the zgrab scanner is employed to probe Docker APIs for weaknesses; and when it comes to Redis, the command line interface INFO command is most commonly used to harvest data concerning target systems.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    Cyberattackers are now quietly selling off their victim's internet bandwidth

    Cyberattackers are now targeting their victim’s internet connection to quietly generate illicit revenue following a malware infection. 

    On Tuesday, researchers from Cisco Talos said “proxyware” is gaining notice in the cybercrime ecosystem and, as a result, is being twisted for illegal purposes. Proxyware, also known as internet-sharing applications, refers to legitimate services that allow users to portion out part of their internet connection for other devices, and may also include firewalls and antivirus programs. Other apps will allow users to ‘host’ a hotspot internet connection, providing them with cash every time a user connects to it.

    It is this format, provided by legitimate services including Honeygain, PacketStream, and Nanowire, which is being used to generate passive income on behalf of cyberattackers and malware developers. According to the researchers, proxyware is being abused in the same way as legitimate cryptocurrency mining software: quietly installed — either as a side component or as a main payload — and with efforts taken to try and stop a victim from noticing its presence, such as through resource use control and obfuscation.

    In cases documented by Cisco Talos, proxyware is included in multi-stage attacks. An attack chain begins with a legitimate software program bundled together with a Trojanized installer containing malicious code.

    When the software is installed, the malware is also executed. One campaign has utilized a legitimate, signed Honeygain package which was patched to also drop separate, malicious files containing an XMRig cryptocurrency miner and to redirect the victim to a landing page connected to Honeygain referral codes. Once the victim signs up for an account, this referral earns revenue for an attacker — all the while a cryptocurrency miner is also stealing computer resources.

    However, this isn’t the only method used to generate cash. In a separate campaign, a malware family was identified that tries to install Honeygain on a victim’s PC and registers the software under an attacker’s account, and so any earnings are sent to the fraudster. “While Honeygain limits the number of devices operating under a single account, there is nothing to stop an attacker from registering multiple Honeygain accounts to scale their operation based on the number of infected systems under their control,” the researchers say. Another variant exploited multiple avenues, bundling not only proxyware software, but also a cryptocurrency miner and information stealer for the theft of credentials and other valuable data.

    “This is a recent trend, but the potential to grow is enormous,” Cisco Talos says. “We are already seeing serious abuse by threat actors that stand to make a significant amount of money off these attacks. These platforms also pose new challenges for researchers, since there is no way to identify a connection through these kinds of networks — the origin IP becomes even less meaningful in an investigation.”


    Texas, California, New York, Louisiana, Missouri lead list of states with most ransomware attacks on schools: report

    Comparitech has released a new study on the number of ransomware attacks affecting schools, colleges and universities since 2018, finding the most attacks in the country’s most populous states like Texas, New York, California and Louisiana. Researchers Rebecca Moody and George Moody found that there have been a total of at least 222 ransomware attacks affecting 3,880 schools and colleges since 2018. They estimated that these attacks cost educational institutions billions in downtime and in ransom payments as ransomware groups targeted bigger school systems throughout the COVID-19 pandemic. In 2020 alone, Comparitech researchers tracked 77 individual ransomware attacks that affected more than 1,740 schools and colleges, “potentially impacting 1.36 million students,” according to their data.


    “Schools and colleges have suffered an estimated 1,387 days of downtime due to ransomware attacks with around 9,525 days spent on recovery efforts. 22 schools/colleges revealed the amount involved in their recovery efforts with nearly $19.2 million spent by these entities in total,” the researchers explained. “This is an average of nearly $960,000. Ransom requests varied from $5,000 to $40 million. Hackers have received at least $2.95 million in ransom payments with the average payment being $268,000. Hackers have requested at least $59.1 million in ransom payments with the average request being $2.47 million.”

    According to the data collected by Comparitech, Texas suffered the most attacks with 19 since 2018 affecting 439 schools serving more than 300,000 students. California was second with 18 attacks affecting 288 schools, followed by New York, which saw 16 attacks impacting 138 schools, and North Carolina, which dealt with 10 attacks targeting 87 schools. Louisiana, Connecticut, Illinois, Missouri and Mississippi also saw a high number of ransomware attacks affecting their educational institutions.

    For 2021, Texas has led the way with 4 ransomware attacks, followed by Mississippi, California, Missouri and New York, which all had three from January to June this year. In 2020, the 77 ransomware attacks tracked by Comparitech led to an average of seven days of downtime and more than 55 days recovering from the attack.

    “Nevada had the highest number of impacted students in 2020 with 328,991 students affected by one single breach. Hackers targeted Clark County School District, which is the fifth-largest school district in the US with 374 individual schools. As the county didn’t pay the requested ransom, the hackers (Maze) dumped student records,” the report found. “The data breach report filed says 44,139 students were thought to have been affected by this aspect of the attack. The county and its staff and students also faced ongoing system disruptions in the month that followed. Due to its larger number of attacks, Texas also had a high number of students affected – 245,460 in total. This was closely followed by Virginia (195,408) and Maryland (115,038).”

    The report lists dozens of attacks on school districts — Somerset Independent School District, Union Community School District, Athens Independent School District and Affton School District to name a few — as well as attacks on university systems or colleges like The University of California San Francisco, which paid $1.14 million to NetWalker hackers, Imperial Valley College which paid Sodinokibi hackers $55,068 and The University of Utah, which paid a ransom of $457,000. There have already been at least 39 reported ransomware attacks on educational institutions this year, and these figures do not include the Kaseya attack, which affected a number of universities tangentially.


    Grid robots chalk lines for future of construction

    A new pilot just put a robot out front of a major construction challenge in Massachusetts: the building of a new headquarters for a major life sciences company. The robot’s assignment was to draw the all-important layout grid at the job site, a kind of paint-by-numbers life-sized blueprint that’s an integral part of the building process.

    The robot, by Rugged Robotics, can autonomously mark fully coordinated designs directly on concrete floors. The process, called field layout, is ordinarily done by people in much the same way it has been for the last hundred years, using tape measures, chalk-lines, and surveying equipment to manually mark the location of walls and mechanical systems. In an industry marked by project overruns and blown budgets, this critical step is often a source of future downstream errors that cost time and money.

    The Rugged Robotics pilot was conducted via construction company Consigli, which is building the new headquarters for Sanofi, one of MA’s largest life science employers.


    “At Consigli, our leadership and technology teams are always looking for ways to make construction projects more accurate and efficient, and maximize the allocation of resources on each site,” said Jack Moran, Assoc. AIA, LEED AP and Consigli’s director of VDC and Integrated Services. “We see technology as a way to support our workforce and to meet the construction demands of the future. Rugged Robotics proved its value with an automated tool that exceeded our expectations and worked in synergy with our team.”

    The construction industry is undergoing an automation makeover that, in the coming years, may transform a sector that’s been stuck in the slow lane. Technologists have keyed in on the fact that productivity in construction has actually fallen by half since the 1960s. The sector has not kept pace with innovation, and as I’ve written, the diesel-powered hydraulic machines you’ll find on most construction sites today remain essentially unchanged from those rolling around over the last several decades.

    As a result, there are massive inefficiencies in the industry. According to KPMG’s Global Construction Survey, just 25% of projects came within 10% of their original deadlines. When it comes to megaprojects, like large infrastructure projects, McKinsey found that 98% are delayed or over budget, and 77% are more than 40% behind schedule. Robots, drones, and big data are considered key technology categories to address these inefficiencies. With its new robot, Rugged Robotics has been very smart to key in on a specific but nonetheless ubiquitous niche within construction.

    Following the pilot, Rugged and Consigli continue to collaborate as Rugged refines, deploys and scales its solution. Future Consigli projects utilizing the robots are already in the works.