Eliana Willis

Ireland’s health service faces months of disruption as it continues to recover from a ransomware attack, the head of the Health Service Executive (HSE) has warned. HSE, which is responsible for healthcare and social services across Ireland, fell victim to what was described as a “significant” ransomware attack on 14 May.The attack has been attributed to the Conti ransomware gang. The cyber criminals provided HSE with a decryption tool for free but have threatened to publish information stolen in the attack – potentially a violation of patient privacy – if they don’t receive a ransom of a reported $20 million in bitcoin, something that HSE vowed not to pay.

But even with the correct decryption key, restoring the network has been a slow and arduous task for HSE. Health services across Ireland remain disrupted as hospitals attempt to treat patients, despite limited IT services and no internet access – meaning appointments are still being delayed or cancelled.SEE: Have we reached peak ransomware? How the internet’s biggest security problem has grown and what happens next”The restoration process, and the accompanying due diligence exercise, is necessarily taking some time. Although we can effectively decrypt data, that is only one element. The malware must also be eradicated,” HSE CEO Paul Reid told the National Parliament (Oireachtas) Joint Committee on Health.”Decryption takes much longer than the original encryption, and eradication involves additional tasks to ensure that the perpetrators have no access route back into our systems,” he added. 

Reid described how HSE has decrypted 75% of its servers, and 70% of end-user devices are now available to staff. However, disruptions to patient services are expected to continue for some time – despite IT staff, cybersecurity experts and Ireland’s defence forces working seven days a week to restore the network to fully operational status. “There is no underestimating the damage this cyberattack has caused. There are financial costs certainly, but there will unfortunately be human costs as well,” said Reid. “I assure members, and the public, that we are doing everything possible to restore the systems. I must also caution that it will likely take months before systems are fully restored.”Due to the ongoing disruptions, HSE warns that emergency departments are very busy due to IT outages and significant delays are to be expected, while many X-ray appointments are being cancelled.Essential and urgent services, including COVID-19 vaccinations, are operating, but patients are warned they could face delays because “systems are not functioning as usual” due to “critical IT systems” still being out of action in the aftermath of the ransomware attack. SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)Reid told the Committee that, following the ransomware, “significant learnings about further protections that can be put in place” will be made and the fact that the ransomware attack happened meant their were “obvious vulnerabilities” in the network.He also warned that ransomware and the “highly skilled criminal organisations” behind ransomware attacks represent a significant risk to organisations across the globe. “The whole world needs to raise its game,” said Reid.MORE ON CYBERSECURITY More

Researchers have discovered a set of vulnerabilities that can be chained together to perform code execution attacks on Dell machines. 

On Thursday, Eclypsium said the vulnerabilities, which together equate to a critical chain with a cumulative CVSS score of 8.3, were discovered in the BIOSConnect feature within Dell SupportAssist.  Altogether, the security flaws could be exploited to impersonate Dell.com and attack the BIOS/UEFI level in a total of 128 Dell laptops, tablets, and desktop models, including those with Secure Boot enabled and Secured-core PCs, owned by millions of consumers and business users.  According to Eclypsium, “such an attack would enable adversaries to control the device’s boot process and subvert the operating system and higher-layer security controls.”  Dell SupportAssist, often pre-installed on Windows-based Dell machines, is used to manage support functions including troubleshooting and recovery. The BIOSConnect facility can be used to recover an OS in cases of corruption as well as to update firmware.  In order to do so, the feature connects to Dell’s cloud infrastructure to pull requested code to a user’s device.  The researchers discovered four vulnerabilities in this process that would allow “a privileged network attacker to gain arbitrary code execution within the BIOS of vulnerable machines.”

The first issue is that when BIOSConnect attempts to connect to Dell’s backend HTTP server, any valid wildcard certificate is accepted, “allow[ing] an attacker to impersonate Dell and deliver attacker-controlled content back to the victim device.” Additionally, the team found some HTTPS Boot configurations which use the same underlying verification code, potentially rendering them exploitable.  Three independent vulnerabilities, described as overflow bugs, were also uncovered by the researchers. Two impacted the OS recovery process, whereas the other was present in the firmware update mechanism. In each case, an attacker could perform arbitrary code execution in BIOS. However, the technical details of these vulnerabilities will not be disclosed until an upcoming DEFCON presentation in August.  “An attack scenario would require an attacker to be able to redirect the victim’s traffic, such as via a Machine-in-the-Middle (MITM) attack,” the researchers say. “Successfully compromising the BIOS of a device would give an attacker a high degree of control over a device. The attacker could control the process of loading the host operating system and disable protections in order to remain undetected.” Eclypsium completed its investigation into Dell’s software on March 2 and notified Dell PSIRT a day later, which acknowledged the report. The vendor has since issued a security advisory and has scheduled BIOS/UEFI updates for impacted systems.  Dell device owners should accept BIOS/UEFI updates as soon as they are available — and patches are due to be released today. The vendor has also provided mitigation options, as detailed in the firm’s advisory.  “Dell remediated multiple vulnerabilities for Dell BIOSConnect and HTTPS Boot features available with some Dell Client platforms,” Dell told ZDNet. “The features will be automatically updated if customers have Dell auto-updates turned on. We encourage customers to review the Dell Security Advisory (DSA-2021-106) for more information, and if auto-updates are not enabled, follow the remediation steps at their earliest convenience. Thanks to Eclypsium researchers for working directly with us to resolve the issue.”

Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Vulnerabilities that could allow XSS, CSRF, and one-click account takeovers in Atlassian subdomains have been patched. 

On Thursday, Check Point Research (CPR) said that the bugs were found in the software solutions provider’s online domains, used by thousands of enterprise clients worldwide. The Australian vendor is the provider of tools including Jira, a project management system, and Confluence, a document collaboration platform for remote teams.  The vulnerabilities in question were found in a number of Atlassian-maintained websites, rather than on-prem or cloud-based Atlassian products.  Subdomains under atlassian.com, including partners, developer, support, Jira, Confluence, and training.atlassian.com were vulnerable to account takeover.  CPR explained that exploit code utilizing the vulnerabilities in the subdomains could be deployed through a victim clicking on a malicious link. A payload would then be sent on behalf of the victim and a user session would be stolen.  The vulnerable domain issues included a poorly-configured Content Security Policy (CSP), parameters vulnerable to XSS, SameSite and HTTPOnly mechanism bypass, and a weak spot that allowed cookie fixation — the option for attackers to force users to use session cookies known to them for authentication purposes. 

The researchers say that it was possible to take over accounts accessible by these subdomains through cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. In addition, the vulnerable domains also allowed threat actors to compromise sessions between the client and web server once a user logged into their account. “With just one click, an attacker could have used the flaws to take over accounts and control some of Atlassian’s applications, including Jira and Confluence,” the researchers said.  The ramifications of these attacks included account hijacking, data theft, actions being performed on behalf of a user, and obtaining access to Jira tickets. Atlassian was informed of the team’s findings on January 8, prior to public disclosure. A fix for the impacted domains was deployed on May 18.  Atlassian told ZDNet:”Based on our investigation, the vulnerabilities outlined impact a limited set of Atlassian-owned web applications as well as a third-party training platform. Atlassian has shipped patches to address these issues and none of these vulnerabilities affected Atlassian Cloud (like Jira or Confluence Cloud) or on-premise products (like Jira Server or Confluence Server).”The research into Atlassian was performed by CPR due to the ongoing issues surrounding supply chain attacks, in which threat actors will target a centralized resource used by other companies.  If this element can be compromised — such as by tampering with update code due to be pushed out to clients in the case of Codecov — then a wider pool of potential victims can be reached with little effort.  SolarWinds, too, is a prime example of how devastating a supply chain attack can be. Approximately 18,000 SolarWinds clients received a malicious SolarWinds Orion software update that planted a backdoor into their systems; however, the attackers cherry-picked a handful of victims for further compromise, including Microsoft, FireEye, and a number of federal agencies.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Cyber criminals are increasingly using virtual machines to compromise networks with ransomware.By using virtual machines as part of the process, ransomware attackers are able to conduct their activity with additional subtlety, because running the payload within a virtual environment reduces the chances of the activity being discovered – until it’s too late and the ransomware has encrypted files on the host machine.During a recent investigation into an attempted ransomware attack, cybersecurity researchers at Symantec found the ransomware operations had been using VirtualBox – a legitimate form of open-source virtual machine software – to run instances of Windows 7 to aid the installation of ransomware.

“The motivation behind the tactic is stealth. In order to avoid raising suspicions or triggering antivirus software, the ransomware payload will “hide” within a VM while encrypting files on the host computer,” Symantec said.SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)  While a virtual machine is run separately to the machine it’s hosted on, it can have access to the host machine’s files and directories via shared folders, which cyber criminals can exploit to allow the payload hosted in the virtual machine to encrypt files on the computer itself.While researchers haven’t been able to fully identify the ransomware discovered running in a virtual machine, clues as to how the malware operated provided strong indications that it was Conti – a notorious form of ransomware used by cyber criminals in a number of high profile campaigns, including the ransomware attack against the Ireland’s HSE health service.

However, this wasn’t the only activity that was detected – researchers found evidence that an attacker had attempted to run Mount Locker ransomware on the host computer. Researchers suggest that the attacker attempted to run Conti via the virtual machine but, when that didn’t work, they switched to using Mount Locker instead.This isn’t the first time ransomware gangs have been spotted using virtual machines to deploy ransomware, but researchers warn that this could make attacks much more difficult to detect.”Groups will often mimic others’ tactics if they think they’ve been successful. There may be a belief that some security solutions cannot reliably and consistently detect the ransomware sample executing from inside a virtual machine (VM),” said Dick O’Brien, principal in the Symantec Threat Hunter Team.SEE: Three billion phishing emails are sent every day. But one change could make life much harder for scammersWhile cyber criminals could target devices that already have virtual machine environments, in this case it appears as if they’re actively downloaded the tools that enable them to run. One way of countering this is to monitor and control what software is installed on machines, so potentially malicious, yet legitimate, tools can’t be downloaded without approval.”Use software inventory and restriction tools that enable them to control what licensed software may be installed. In addition, organizations already using VM software can use enterprise versions of the software that restrict creation of new unauthorized VMs,” said O’Brien. MORE ON CYBERSECURITY More

The Commonwealth Ombudsman’s Report to the Minister for Home Affairs on agencies’ compliance with the Surveillance Devices Act 2004, for the period 1 July to 31 December 2020 appeared this week, with three of the four law enforcement agencies inspected having issues with destroying data.

The report [PDF] looked at the Australian Federal Police (AFP), the South Australian Police, the Australian Criminal Intelligence Commission (ACIC), and the Australian Commission for Law Enforcement Integrity (ACLEI). Only the ACLEI law enforcement watchdog passed with flying colours.

For ACIC, the Ombudsman found three instances where protected information was not destroyed as soon as practicable. It added for each time this occurred, there was a “significant delay” between the authorisation and destruction of data.

“We identified one instance where protection information was not destroyed within five years,” the report said.

“The ACIC disclosed seven additional instances it did not destroy protected information within five years.”

The report also found issues with records kept to detail actions taken under warrant or tracking device authorisations to show agencies are acting lawfully.

“The computer access warrant action sheets we inspected did not provide sufficient information for us to understand what actions were taken under the warrant, or to confirm that the correct devices were accessed,” the report said.

“As a result, we could not verify that the computers the ACIC targeted were those it was authorised to access under the warrant.”

See also: ACIC believes there’s no legitimate reason to use an encrypted communication platform

For the AFP, the Ombudsman found four instances where it did not destroy information after authorisation for more than a month, and one instance where it took over five months.

“Further, the AFP did not destroy protected information or certify it for retention within five years,” the report states.

“In three instances the AFP did not destroy the records until more than five years after the warrant was issued and could not provide files to demonstrate the protected information was certified for retention within five years.

“In the remaining instance, the AFP certified the protected information for destruction within five years but did not complete the destruction until after the five year period.”

The inspection found instances where AFP reported destroying data, but the Ombudsman found the warrant was not executed, or information was not gained from it. The AFP also had issues with its action sheets.

The report found the AFP was still conducting surveillance in foreign jurisdictions without lawful approval.

“While the AFP disclosed this instance of non-compliance, it did not quarantine the associated data until prompted to do so during our inspection,” the report said.

“We suggested the AFP quarantine any unlawfully obtained data as soon as it identifies it.”

“We identified that, while the surveillance device was first used extraterritorially on 17 December 2019, the AFP did not send written correspondence to the Attorney-General until 19 May 2020.”

The report said only after the Ombudsman inspection, did it quarantine the data it retrieved.

The AFP also disclosed two instances where data was collected outside of a warrant. It also disclosed two instances where it failed to inform its overseeing minister of a warrant or authorisation ceasing, with the Ombudsman later finding another two instances.

With the South Australian Police, the Ombudsman found there was no process to destroy records.

“SA Police informed us it does not have staff delegated to perform the functions of the chief officer under s 46(1)(b) of the Act,” the report said.

“SA Police advised it requested internal legal advice about its delegations more than 12 months prior to our inspection and had been told not to proceed with any destructions until that advice was given.”

The SA force said it was gaining the relevant delegation and would start destruction as soon as the instrument was ratified.

Related Coverage More

John McAfee, the developer and programmer behind one of the first commercial antivirus tools, was found dead in a prison cell in Barcelona, according to Spanish newspaper El Pais.Government officials told the newspaper that the 75-year old was being held in Brians 2 prison in Sant Esteve de Sesrovires when guards found him dead and were unable to resuscitate him. El Dario confirmed the announcement. 

“The judicial procession has traveled to the prison and is investigating the causes of death. Everything indicates that it could be a death by suicide,” the statement said, according to El Dario. While the initial notice from the regional Catalan government did not name McAfee, a source within the Catalan government confirmed it was him to the Associated Press.The controversial technologist was awaiting extradition to the US after the Department of Justice indicted him on a litany of charges related to tax evasion and fraud in March. He was facing nearly 30 years in prison. He was arrested by Spanish National Police at El Prat airport in October as he tried to flee to Turkey. Today, the Spanish National Court approved an extradition request for McAfee, according to AFP. “The court agrees to grant the extradition of John David McAfee as requested by the American judicial authorities for the crimes referred to in the tax offense indictments for years 2016 to 2018,” the ruling said, according to AFP. McAfee founded and ran software company McAfee Associates from 1987 to 1994, creating McAfee’s first commercial antivirus software. He resigned from the company and went on to found dozens of other enterprises. He repeatedly caused controversy through statements made on his Twitter account. 

The Department of Justice said McAfee had not paid taxes on millions of dollars made through a cryptocurrency scheme and had defrauded investors in the enterprise. Manhattan US Attorney Audrey Strauss said McAfee used his Twitter account to publish messages touting various cryptocurrencies “through false and misleading statements to conceal their true, self-interested motives.” “McAfee, Watson, and other members of McAfee’s cryptocurrency team allegedly raked in more than $13 million from investors they victimized with their fraudulent schemes,” Strauss said in March. In his last message on Twitter from June 16, McAfee continued to deny the charges. “The US believes I have hidden crypto. I wish I did but it has dissolved through the many hands of Team McAfee (your belief is not required), and my remaining assets are all seized. My friends evaporated through fear of association. I have nothing. Yet, I regret nothing,” he wrote.  More