More stories

    Sinclair confirms ransomware attack after TV station disruptions

    Sinclair Broadcast Group — which controls hundreds of TV stations across the US — has confirmed a ransomware attack on certain servers and workstations. In a statement and notice sent to the SEC, Sinclair said it was notified of a cybersecurity incident on Saturday, October 16. By Sunday, the company confirmed that it was a ransomware attack and backed up what many online had been reporting — outages at numerous local TV stations.

    “Data also was taken from the Company’s network. The Company is working to determine what information the data contained and will take other actions as appropriate based on its review. Promptly upon detection of the security event, senior management was notified, and the company implemented its incident response plan, took measures to contain the incident, and launched an investigation,” Sinclair said. “Legal counsel, a cybersecurity forensic firm, and other incident response professionals were engaged. The company also notified law enforcement and other governmental agencies. The forensic investigation remains ongoing. While the Company is focused on actively managing this security event, the event has caused – and may continue to cause – disruption to parts of the company’s business, including certain aspects of its provision of local advertisements by its local broadcast stations on behalf of its customers.”

    The company went on to say that it is unclear what kind of impact the attack will have on its “business, operations or financial results.” It did not say which ransomware group was behind the attack and did not respond to requests for comment. Sinclair controls 21 regional sports network brands while owning and operating 185 television stations in 86 markets. The company also controls the Tennis Channel as well as Stadium and had an annual revenue of $5.9 billion in 2020.

    The attack was first reported by The Record after viewers took to Twitter and Reddit to report confusion over outages in their local markets.

    Internal sources told The Record that the attack involved the company’s internal corporate network, email servers, phone services, and the broadcasting systems of local TV stations. Dozens of channels were unable to show local morning shows and NFL games on Sunday. Some channels were able to resume broadcasts because the attack did not reach Sinclair’s “master control” broadcast system. But the attack is still crippling dozens of stations even as others return to normal. The company suffered another cyberattack in July that forced them to reset all shared administration systems at all of their stations. This is the second ransomware incident targeting news stations this year, with Cox Media Group recently admitting that it was hit with a ransomware attack in June.

    Ransomware experts like Darktrace’s Justin Fier said that for broadcasters and media, these attacks don’t only disrupt operations but potentially give bad actors a platform to distribute disinformation on a global stage. “In the case of the Sinclair breach, simply having access to the broadcast network may itself be more valuable for attackers than a ransomware payment,” Fier said. “The reality is that the organization’s back is against the wall — it is clear that the security team at Sinclair have been caught off guard and outpaced and now must decide between system downtime or paying a hefty ransom.”

    Others noted that it was not surprising to see the attack occur on a weekend when ransomware actors know IT departments are working with skeleton crews. Bill Lawrence, CISO at SecurityGate, noted that the attack didn’t spread to Sinclair’s ‘master control’ broadcast system, indicating they may be using network segmentation or a higher level of protection and care for the ‘crown jewels.’ “Also, they lost their internal network, email, phones, along with local broadcasting systems. For your next incident response plan drill, put the participants in separate rooms and forbid the use of company email or phone calls,” Lawrence said. “It would be hard for them to order a pizza together, much less work on business continuity.”

    Acer hit with second cyberattack in less than a week, Taiwanese authorities notified

    Acer has confirmed yet another cyberattack on its servers in Taiwan after its offices in India were hit less than a week ago by the same group. The Desorden Group — which claimed responsibility for both attacks — contacted ZDNet and said part of why they conducted the second attack was to prove their point “that Acer is way behind in its cybersecurity effects on protecting its data and is a global network of vulnerable servers.”

    Acer spokesman Steven Chung told ZDNet that the company recently detected “an isolated attack on our local after-sales service system in India and a further attack in Taiwan.” “Upon detection, we immediately initiated our security protocols and conducted a full scan of our systems. We are notifying all potentially affected customers in India, while the attacked Taiwan system does not involve customer data,” Chung said. “The incident has been reported to local law enforcement and relevant authorities, and has no material impact to our operations and business continuity,” he added.

    The group said it hacked Acer’s Taiwan servers that stored data on its employees and product information. “We did not steal all data, and only took data pertaining to their employee details. Right after the breach, we informed Acer management on the Taiwan server breach and Acer has since taken the affected server offline,” the group said in an email to ZDNet. “Also, a few other of its global networks including Malaysia and Indonesia servers are vulnerable too.”

    The group did not say how much data they stole in this attack and did not respond to questions about what its end-goal is with these breaches. Acer has had a rough year from a cybersecurity perspective, suffering a ransomware attack in March that led to a previously unheard-of ransom demand of $50 million. It is unclear if Acer ever paid the ransom. The attack last week on the company’s servers in India led to 60GB of files being stolen by the Desorden Group, which also claimed an attack on the Malaysian servers of ABX Express Enterprise in September. Acer India was hit with a similar cyberattack in 2012 by a Turkish cybercriminal group, according to The attackers defaced the company website and leaked 20,000 user credentials at the time.

    Gartner survey of CIOs highlights investments in AI, cloud and cybersecurity

    A new survey from Gartner found that a majority of CIOs are focusing their investments this year and next year on AI and distributed cloud technology. The 2022 CIO and Technology Executive Survey features data gleaned from 2,387 CIO and technology executive respondents in 85 countries, representing about $9 trillion in revenue/public-sector budgets and $198 billion in IT spending. The survey focused on “business composability” — which involves the mindset, technologies and set of operating capabilities that enable organizations to innovate and adapt quickly to changing business needs.

    Monika Sinha, research vice president at Gartner, said business composability is an “antidote to volatility.” “Sixty-three percent of CIOs at organizations with high composability* reported superior business performance compared with peers or competitors in the past year. They are better able to pursue new value streams through technology, too,” Sinha said, adding that the findings from the survey were presented during the Gartner IT Symposium/Xpo Americas.

    Topping the list of planned investments for 2022, cyber and information security was cited by 66% of all respondents as an area that they expected to increase investment for next year. More than half said business intelligence and data analytics would also be areas where they plan to invest heavily next year. “There is a continued need to invest in cybersecurity as the environment becomes more challenging. A high level of composability would help an enterprise recover faster and potentially even minimize the effects of a cybersecurity incident,” Sinha said.

    CIOs and technology executives at high-composability enterprises told Gartner that for 2022, they expect an increase in revenues by about 7.7% and a growth in IT budgets by about 4.2%. Low-composability enterprises only expect both to increase by 3.4% and 3.1%, respectively, according to Gartner. Sinha explained that most high-composability enterprises set up strategic planning and budgeting as a continuous and iterative activity to adjust to change more easily. “Without big deficits to remedy elsewhere, CIOs can afford to invest in composability, especially for IT developers and business architects who can design in a composable manner,” Sinha said, adding that globally, IT budgets are expected to grow at the fastest rate in over ten years, with an average growth of 3.6% in overall IT budget for 2022 reported among all survey respondents.

    The survey also focused on how CIOs can push for composable thinking, composable business architecture and composable technology. “Business composability isn’t uniformly high across the economy because it requires business thinking to be reinvented. Traditional business thinking views change as a risk, while composable thinking is the means to master the risk of accelerating change and to create new business value,” Sinha added. “Digital business initiatives fail when business leaders commission projects from the IT organization and then shirk accountability for the implementation results, treating it as just another IT project. Instead, high-composability enterprises embrace distributed accountability for digital outcomes, reflecting a shift that most CIOs have been trying to make for several years, as well as creating multidisciplinary teams that blend business and IT units to drive business results.”

    Sinha noted that business runs on technology, but technology itself must be composable to run composable businesses. Composability, Sinha explained, needs to extend throughout the technology stack, from infrastructure that supports rapid integration of new systems and new partners to workplace technology that supports the exchange of ideas. “CIOs at moderate- or low-composability enterprises must internalize these three domains of business composability to make their organization nimbler and well equipped to handle the rapidly changing business environment in which they operate,” Sinha said. “It’s a gradual, but imperative, process going into 2022 and beyond.”

    Best gaming VPN 2021

    Look, let’s be honest with each other. The laws of physics aren’t going to be repealed by any VPN service provider. Bits take a certain amount of time to move across a network, and if that movement is slowed down due to encryption and extra hops inherent in VPN usage, those bits slow down. That means that if you’re playing a first-person shooter and you perfectly target some enemy’s head and pull the trigger, your shot might not score even if it was ideally staged. The propagation delay inherent in the VPN might be such that while you saw your target’s head in one location, it might have actually been somewhere slightly different on the server. And that might result in a miss. In other words, VPNs get in the way of successfully playing Twitch games. But if you want to use a VPN to watch a game on Twitch, you’re golden.

    Any game that requires fast ping speeds won’t play well with a VPN. But casual games and games where millisecond responses aren’t needed will do well. Fortnite: no. Apple Arcade: yes. World of Warcraft: maybe. Also, keep in mind that performance may differ over time. One night, you might be able to play over VPN and totally dominate. Another night, through no fault of your own, you may miss every shot.

    So where do VPNs work well for gamers? Game-related video, definitely. Downloading, absolutely. Streaming game services? Well, that depends on the game and the service. But don’t expect FPS games to respond well to a VPN. That said, since game consoles are also media streaming devices, many of the media streaming advantages of VPNs will be available to consoles. We always advocate looking at the money-back guarantee from VPN services and then seriously putting them to the test during that period. In the case of VPNs for gaming, that’s not a recommendation. It’s a requirement. And with that, let’s look at the four most popular VPN services we’re tracking right now.

    NordVPN
    Console Guides: PlayStation, Xbox, Switch
    Simultaneous Connections: 6
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, Android TV, Chrome, Firefox
    Logging: None, except billing data
    Countries: 59
    Servers: 5517
    Trial/MBG: 30 days

    NordVPN is one of the most popular consumer VPNs out there. Last year, Nord announced that it had been breached. Unfortunately, the breach had been active for more than 18 months. While there were failures at every level, NordVPN has taken substantial efforts to remedy the breach.

    In our review, we liked that it offered capabilities beyond basic VPN, including support of P2P sharing, a service it calls Double VPN that does a second layer of encryption, Onion over VPN which allows for TOR capabilities over its VPN, and even a dedicated IP if you’re trying to run a VPN that also doubles as a server. It supports all the usual platforms and a bunch of home network platforms as well. The company also offers NordVPN Teams, which provides centralized management and billing for a mobile workforce.

    Performance testing was adequate, although ping speeds were slow enough that I wouldn’t want to play a twitch video game over the VPN. To be fair, most VPNs have pretty terrible ping speeds, so this isn’t a weakness unique to Nord. Overall, a solid choice, and with a 30-day money-back guarantee, worth a try.

    ExpressVPN
    Console Guides: PlayStation, Xbox, Switch
    Simultaneous Connections: 5 or unlimited with the router app
    Kill Switch: Yes
    Platforms: A whole lot (see the full list here)
    Logging: No browsing logs, some connection logs
    Countries: 94
    Locations: 160
    Trial/MBG: 30 days

    ExpressVPN has been burning up the headlines with some pretty rough news. We’ve chosen to leave ExpressVPN in this recommendation, and I wouldn’t necessarily dismiss ExpressVPN out of hand because of these reports, but it’s up to you to gauge your risk level. The best way to do that is to read our in-depth analysis.

    ExpressVPN is one of the most popular VPN providers out there, offering a wide range of platforms and protocols. Platforms include Windows, Mac, Linux, routers, iOS, Android, Chromebook, Kindle Fire, and even the Nook device. There are also browser extensions for Chrome and Firefox. Plus, ExpressVPN works with PlayStation, Apple TV, Xbox, Amazon Fire TV, and the Nintendo Switch. There’s even a manual setup option for Chromecast, Roku, and Nvidia Switch.

    With 160 server locations in 94 countries, ExpressVPN has a considerable VPN network across the internet. In CNET’s review of the service, staff writer Rae Hodge reported that ExpressVPN lost less than 2% of performance with the VPN enabled and using the OpenVPN protocol vs. a direct connection.

    While the company does not log browsing history or traffic destinations, it does log dates connected to the VPN service, the amount transferred, and the VPN server location. We do want to give ExpressVPN kudos for making this information very clear and easily accessible.

    Surfshark
    Console Guides: PlayStation, Xbox
    Simultaneous Connections: Unlimited
    Kill Switch: Yes
    Platforms: Windows, Mac, Linux, iOS, Android, Fire TV, Firefox, Chrome
    Logging: None, except billing data
    Trial/MBG: 30 days

    At two bucks a month for a two-year plan (billed in one chunk), Surfshark offers a good price for a solid offering. In CNET’s testing, no leaks were found (and given that much bigger names leaked connection information, that’s a big win). The company seems to have a very strong security focus, offering AES-256-GCM, RSA-2048, and Perfect Forward Secrecy encryption. To prevent WebRTC leaks, Surfshark offers a special purpose browser plugin designed specifically to combat those leaks.

    Surfshark’s performance was higher than NordVPN and Norton Secure VPN, but lower than ExpressVPN and IPVanish. That said, Surfshark also offers a multihop option that allows you to route connections through two VPN servers across the Surfshark private network. We also like that the company offers some inexpensive add-on features, including ad-blocking, anti-tracking, access to a non-logging search engine, and a tool that tracks your email address against data breach lists.

    IPVanish
    Console Guides: None
    Simultaneous Connections: Unlimited
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, Chrome, plus routers, Fire Stick, and Kodi
    Logging: None, except billing data
    Servers: 1,500
    Locations: 75
    Trial/MBG: 30 days

    IPVanish is a deep and highly configurable product that presents itself as a click-and-go solution. I think the company is selling itself short doing this. A quick visit to its website shows a relatively generic VPN service, but that’s not the whole truth.

    Its UI provides a wide range of server selection options, including some great performance graphics. It also has a wide variety of protocols, so no matter what you’re connecting to, you can know what to expect. The company also provides an excellent server list with good current status information. There’s also a raft of configuration options for the app itself.

    In terms of performance, connection speed was crazy fast. Overall transfer performance was good. However, from a security perspective, it wasn’t able to hide that I was connecting via a VPN — although the data transferred was secure. Overall, a solid product with a good user experience that’s fine for home connections as long as you’re not trying to hide the fact that you’re on a VPN. The company also has a partnership with SugarSync and provides 250GB of encrypted cloud storage with each plan.

    What’s the difference between Internet speed and ping time?

    Internet speed, often called “bandwidth,” is the speed that data overall can be transferred over the internet. If you’re downloading or uploading a big file, you want lots of bandwidth, a fast pipe. Ping time is how fast you can send out a request and get back an answer. It’s the round trip response time — and it’s very sensitive to distance and hops. When watching a video, you want to get all that video information down to your machine, but once it starts to transmit, it’s usually running a good, steady flow. But ping time is how long it takes after you pull the trigger for the game to know you pulled the trigger. If the game thinks you squeezed off a shot half a second after you did, the results could be radically different.

    If I see a good ping time in a review, can I count on it?

    No, not at all. Ping is the travel time between two points. Your two points and the reviewer’s two points will always be different.

    How does a VPN protect me when I’m using a game console?

    Game consoles don’t support native VPN apps, but you can still get the protections, location spoofing, and anonymity of a VPN. The key is running your VPN client on a router or sharing the internet connection of a PC. Most VPN vendors have guides that show you how to set this up.

    If a VPN isn’t great for when I’m playing a game, why should I even care about using one?

    Because, young Padawan, life is about more than gameplay. If you’re out and about, and you want to use a coffee shop, airport, hotel, or school Wi-Fi, you need to be sure you’re protecting all your data communication. This includes financial information, personal information, location data, and more.

    You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at, on Instagram at, and on YouTube at

    Robots for kids: Best STEM kits and other tech gifts for hackers of all ages

    All the signs were there. If my parents knew then what parents know now, they would have been prepared. But back in the 1960s and 1970s, the maker movement was still far in the future. Robots were something you only saw in movies and awesome TV shows (or as my Mom would often put it, “What in the world are you watching?”). Telling her that Lost in Space wasn’t “in the world” tended to get me the All Powerful Glare of Motherly Annoyance. But now, if a kid is a natural tinkerer, there are positive outlets for their inclination. There are great STEM (science, technology, engineering, and mathematics) kits and toys that can ignite a kid’s interest and focus it on learning, while at the same time making learning fun. In this guide, we’re focusing mostly on the technology and engineering areas, providing you with some great kits and toys that teach and inspire programming and making with robots and digital technology.

    LEGO Robotics for kids

    Recommended age: 8-21

    If you’re talking about robotics and kids, the very best place to start is LEGO. LEGO has long been an innovator not only in the maker space but in robotics as well. In this guide, we kick off our exploration of goodies for geeky girls and boys with a Star Wars-themed robotics kit. Kids can use more than a thousand components to build R2-D2, a Gonk droid, and a Mouse droid. Then, with an app, they can program these fan favorites with a variety of different easy-to-access programming and learning tools.

    Raspberry Pi robotics kit to keep parents and kids learning

    Image: David Gewirtz

    Recommended age: 12+

    This great kit takes the celebrated Raspberry Pi single-board computer and turns it into an accessible, powerful, and very flexible learning environment. Not only will parents and kids derive endless fascination with all the projects that can be built, but it’s great for an ongoing series of parent/child bonding experiences. The kit starts with a Raspberry Pi base that’s been retooled to be more like a LEGO or an Erector set. The parts and cables all snap together. With the right set of add-ons, you can build a notebook computer, a robot, a robot that’s part notebook computer, or even a notebook computer that’s also a robot.

    Play with code without a computer


    Recommended age: 6-12

    I love this thing, too! First, it allows you to be geeky even if you’re on a camping trip or have a power outage. So, if you’re living through an apocalypse (what? too soon?) and still want to teach your kid to code, this is a great place to start. Computer science and coding revolve around some basic guidelines and theories that are common across all computing. This kit shows how that works, from the basics of encryption (where your kids can make an actual cypher mechanism) to sorting algorithms. If you want your kids to get some away-from-screen time and still learn what they’re fascinated by, this is a good buy.

    Learn the basics of mechanisms


    Recommended age: 8+

    Not only do I love this thing, I want it. Yes, even now. And not just because my wife says I sometimes have the emotional maturity of a five year old. I want it (and so will your kid) because it shows how to make things that have mechanical properties. Here’s the thing: If you want to make something that has a linkage, a connection, a joint, or moves as part of its operation, you need to understand these concepts. This LEGO-clone kit shows you how to do just that, and as a bonus, it’s under $30.

    Fully-articulated programmable robot with voice commands

    Recommended age: 12+

    Okay, let’s just get this out of the way. My 12-year-old inner geek is squealing with delight. And, if you couldn’t tell by now, I’m still a geek. That said, if you’re into robots and you want to learn to program (or you already can program and you just want a tiny robot friend with 17 servos), this little machine is for you. It’s the real deal in terms of robotic capability. All the joints move and can be programmed. It responds to voice commands. It speaks and can play sound clips. There are a variety of programming options, including some that are gamified (you have to complete earlier programming projects to unlock some cool additional effects). It stands at about 18 inches tall, and, quite honestly, if I were filming a movie, this could definitely play the robot. It can certainly do all the moves. The vendor’s site doesn’t really show this off. Instead, watch this video from our sister site, CNET, to see what it can really do.

    An inexpensive project that’s fun to assemble


    Recommended age: 8+

    If you had fun with LEGO or Erector (Meccano for those of you outside the US), this toy will be familiar. It’s not technically a robot because it has no autonomous or even remote control, and no programming. But your kid can put it together, learn about how gears work, hook up the solar panel and learn a bit about sustainable energy, all the while having a blast. Just a quick note: the eyes aren’t sensors. They’re decoration on a backup battery compartment. But that’s okay, ’cause they’re still cute.

    App-enabled robot ball


    Recommended age: 8-14

    I have a couple of Sphero robots, including the BB8 version. And yes, I did buy it because I thought my little dog would have a blast chasing it, but Pixel doesn’t like it at all. Kids will, though, because — especially with this model — it’s app-enabled, allowing all sorts of interesting programming and experimenting. Don’t discount the value of a ball as a programmable device. It can easily go up and down carpets, it’s small enough to make it through relatively narrow gaps, and it’s maneuverable as heck. It’s even waterproof.

    Arduino kit with lots of parts


    Recommended age: 10+

    I’ve bought three or four of these for myself over the past few years, mostly as a way to have a wide selection of parts and sensors for my Arduino projects. This kit is not for little kids. Your kid should probably be a teenager and have some experience building things and possibly programming. The kit comes with some basic tutorials, but, to be honest, they’re not fabulous. But the selection of components is, and that’s where the magic comes in. So, if you or your kid are comfortable Googling or YouTube searching for Arduino projects and tutorials, this kit will give you the parts to make it happen. Plus, it’s under $50.

    Let’s get away from plastic for just a little while


    Recommended age: 10-12

    Tired of everything being made from plastic? Want to teach your kid about sustainable materials? Consider this laser-cut solar-powered car kit. Not only is the power from the sun, but the wooden chassis is both robust and biodegradable. You can probably just snap it together, but a little wood glue (or plain old Elmer’s) should make the car strong enough to put it through its paces.

    Build a robot with a POV camera


    Recommended age: 12+

    The only thing I’m not that thrilled about with this is you have to add your own Raspberry Pi because the kit doesn’t come with one. I really think they should have listed two models on Amazon, one with a Pi and one without. That way, you’re not tasked with finding your own (don’t worry, we’ll list a standalone Pi in our next listing). In any case, this is great because it allows you to build a roving device that your kid can drive from the point of view of the robot’s camera. That seems like it would be a ton of fun.

    Put together your own little computer


    Recommended age: 12+

    I can’t say I love this thing because it’s not a toy, but I like it. I’ve bought a bunch of these, because I use them to drive my 3D printers. While you can get a standalone Pi for about $60, I recommend spending the extra $20 to have a power source, heat sinks, fan, and case that you know will work with the Pi. It even has an HDMI cable in the kit. If you want that $20 back and don’t mind using a board with only 2GB of RAM instead of 4GB, then this version is for you. You’re spending just about $60 and getting all the goodies.

    All of DJI’s drone smarts in a robot kit


    Recommended age: 12+

    If you want to learn robotics and have fun doing it with primo hardware, this is your toy. At more than $500, it’s not cheap, but it comes with omni-directional wheels, a laser cannon, and a cannon that shoots small beads (yeah, I’m thinking of Ralphie and “You’ll shoot your eye out,” too). You can create an instant battle bot scenario with two or more of these (just in case you want to spend thousands of dollars on robot toys), but the real meat of the product is the programmability and teaching tools. There are a bunch of exercises, and you can program with either Sketch or Python. Finally, DJI includes a full series of videos, so your kid can take a video class with hands-on use of the device. It’s just so darned cool.

    Our process

    I used a very simple selection mechanism while looking for these toys. If I didn’t have an overwhelming desire to buy it, and it didn’t take a supreme act of willpower to not click the Buy Now button, I didn’t list it. Since my internal kid is about as wonder-filled and geeky as they come, I figured if I was excited by it, other kids would probably be as well. Obviously, I stuck to the coding and robotics world, but I wanted to go beyond some of the classic robot toys like LEGO and provide toys that were not only of a wide range of capabilities but price points and even learning experiences. Let me know in the comments below if I nailed it or not.

    How to choose

    Normally, in these lists, I try to provide you with guidance on how to pick the product or service you need. But you know your kids far better than I. As I mentioned, I’m a doggie daddy, so I don’t have a lot of experience with what kids these days groove on. But I’ll tell you this: Choose less complex toys for kids who have less experience and more complex toys for kids who have already built or programmed more ambitious projects. Good luck and have a happy holiday season.

    University still recovering from major cyberattack that disrupted IT systems

    The UK-based University of Sunderland is finally gearing up to relaunch its core IT systems after a cyberattack knocked out most systems last week. The university used Twitter last Wednesday to report that its telephone lines, website and IT systems were down a day after what it believed was a cyberattack had commenced. 

    Sunderland cancelled all online classes but encouraged students to visit its campuses, where in-person teaching continued. Per the BBC, the university’s vice-chancellor Sir David Bell posted a video on the institution’s temporary website to explain its efforts to restore IT systems. Its website had displayed a message that the site was down for “essential maintenance”. Bell said a “major” cyberattack had hit the university. “The obvious question is how long this situation will last? The honest answer at the moment is we just don’t know,” said Bell on Friday.

    However, the university appeared to make progress over the weekend and expected to bring some systems back on Monday. It restored its switchboard and student helpline on Friday. However, its official website remained offline today [18 October]. “Important contact info for current IT ‘freeze’. Much progress is being made, and more updates are expected to trickle through tomorrow. Thank you for your patience during this hugely aggressive cyberattack,” the university said in a Twitter update on Sunday.

    The university also assured staff last week that it would pay them on the usual pay date despite the IT disruption. It also promised to reimburse staff any extra data charges from tethering their laptops to mobile phones during the outage. The University of Hertfordshire suffered a huge cyberattack in April that knocked out all of its IT systems, including Office 365, Teams and Zoom, local networks, Wi-Fi, email, data storage, and VPN. The UK’s National Cyber Security Centre (NCSC) last September warned of a wave of cyberattacks hitting the education sector. The warning followed major cyberattacks on Newcastle University and Northumbria University that caused lengthy IT and network outages.


    This new phishing attack features a weaponized Excel file

    A new phishing campaign is targeting employees in financial services using links that download what is described as a ‘weaponized’ Excel document. The phishing campaign, dubbed MirrorBlast, was detected by security firm ET Labs in early September. Fellow security firm Morphisec has now analyzed the malware and notes that the malicious Excel files can bypass malware-detection systems because they contain “extremely lightweight” embedded macros, making them “particularly dangerous” for organizations that depend on detection-based security and sandboxing.


    Macros, scripts for automating tasks, have become a popular tool for cyberattackers. While macros are disabled in Excel by default, attackers use social engineering to trick potential victims into enabling them. Though seemingly a basic technique, macros have been used by state-sponsored hackers because they often work. Microsoft earlier this year expanded its Antimalware Scan Interface (AMSI) for antivirus to address the surge in macro malware and a new trend by attackers to use legacy Excel 4.0 XLM macros (instead of newer VBA macros) to bypass anti-malware systems.

    According to Morphisec, the attack chain in MirrorBlast resembles techniques used by a well-established, financially motivated Russia-based cybercriminal group that’s tracked by researchers as TA505. The group has been active since at least 2014 and is known for the wide variety of tools it uses. “TA505 is most known for frequently changing the malware they use as well as driving global trends in malware distribution,” Morphisec researcher Arnold Osipov notes in a blogpost.

    While the MirrorBlast attack starts with a document attached to an email, it later uses a Google feedproxy URL with a SharePoint and OneDrive lure that poses as a file share request. Clicking the URL leads to a compromised SharePoint site or fake OneDrive site. Both versions lead to the weaponized Excel document. The sample MirrorBlast email shows the attackers are exploiting the theme of company-issued information about COVID-related changes to working arrangements.

    Morphisec notes that the macro code can be executed only on a 32-bit version of Office, for compatibility reasons with ActiveX objects. The macro itself executes a JavaScript script designed to bypass sandboxing by checking whether the computer is running in administrator mode. It then launches the msiexec.exe process, which downloads and installs an MSI package.

    Morphisec found two variants of the MSI installer that used legitimate scripting tools called KiXtart and REBOL. The KiXtart script sends the victim’s machine information, such as the domain, computer name, user name, and process list, to the attacker’s command and control server. The server then responds with a number instructing whether to proceed with the REBOL variant. According to Morphisec, the REBOL script leads to a remote access tool called FlawedGrace, which has been used by the group in the past. “TA505 is one of many financially motivated threat groups currently active in the marketplace. They are also one of the most creative, as they have a tendency to constantly shift the attacks they leverage to achieve their goals,” Osipov notes.
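    The MirrorBlast story turns on legacy Excel 4.0 (XLM) macros slipping past detection that only looks for VBA. In the OOXML container format, XLM macro sheets live under xl/macrosheets/ while VBA is stored in xl/vbaProject.bin, so a defender can triage a suspicious workbook without opening it in Office. The following is an added example written for this page, not Morphisec's or ET Labs' tooling; the sample workbook is constructed in memory, the macro formula in it is a placeholder, and the list of "interesting" XLM functions is the author's own choice.

```python
import io
import zipfile

# XLM functions that commonly appear in macro-sheet payloads (assumed list, not from the article).
INTERESTING_XLM_FUNCTIONS = ("EXEC(", "CALL(", "REGISTER(", "FORMULA(", "RUN(", "FOPEN(")


def build_sample_workbook(with_macrosheet: bool, with_vba: bool) -> bytes:
    """Constructed minimal .xlsm-style container for testing; not a real MirrorBlast sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if with_macrosheet:
            # Placeholder Excel 4.0 macro formula; the real campaign's content is not on the page.
            z.writestr(
                "xl/macrosheets/sheet1.xml",
                '<macrosheet><sheetData><row><c><f>EXEC("placeholder.exe")</f></c></row>'
                "</sheetData></macrosheet>",
            )
        if with_vba:
            z.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def inspect_workbook(data: bytes) -> dict:
    """Static triage of an OOXML workbook: report XLM macro sheets, VBA, and notable XLM calls."""
    findings = {"xlm_macrosheets": [], "vba_project": False, "xlm_functions": [], "error": None}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        # Legacy binary .xls (BIFF) is not a zip; it needs a BIFF parser such as oletools' olevba.
        findings["error"] = f"not an OOXML container: {exc}"
        return findings
    with archive:
        for name in archive.namelist():
            lower = name.lower()
            if lower.startswith("xl/macrosheets/") and lower.endswith(".xml"):
                findings["xlm_macrosheets"].append(name)
                text = archive.read(name).decode("utf-8", "replace").upper()
                for fn in INTERESTING_XLM_FUNCTIONS:
                    if fn in text and fn.rstrip("(") not in findings["xlm_functions"]:
                        findings["xlm_functions"].append(fn.rstrip("("))
            elif lower == "xl/vbaproject.bin":
                findings["vba_project"] = True
    return findings


def classify(findings: dict) -> str:
    """Map findings to a triage verdict for a mail gateway or sandbox pre-filter."""
    if findings["error"]:
        return "unparsed"
    if findings["xlm_macrosheets"]:
        return "xlm-macro"
    if findings["vba_project"]:
        return "vba-macro"
    return "no-macro"


if __name__ == "__main__":
    for flags in ((True, False), (False, True), (False, False)):
        result = inspect_workbook(build_sample_workbook(*flags))
        print(flags, classify(result), result)
```

    The point of the check is the verdict "xlm-macro" on a file that contains no vbaProject.bin at all, which is exactly the case a VBA-only filter misses. It inspects only the OOXML (.xlsm/.xlsx) container; a legacy binary .xls carries XLM in BIFF records and needs a dedicated parser.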


    BlackByte ransomware decryptor released

    A new form of malware found in a recent IT incident appears to have been inspired by other strains known to reap huge financial rewards for their operators, but is likely the work of amateurs.


    Dubbed BlackByte and discovered by Trustwave, the Windows-based ransomware is considered “odd” due to some of the design and function decisions made by its creators. In a set of technical advisories published last week (1,2), the cybersecurity firm says the malware only targets systems that are not based on Russian or ex-USSR languages, a common trend in ransomware believed to be of Russian origin.

    BlackByte has also taken advantage of what has become known as double-extortion in this space: not only does the malware encrypt and lock up systems, but victims are also then faced with the threat of confidential information being leaked or sold online. Modern ransomware operators, including Maze, REvil, Conti, and Babuk, run leak websites on the Dark Web for this purpose. BlackByte, too, has launched a website, but according to the researchers, the threat of data exfiltration and leaks is groundless, as the ransomware does not appear to have this functionality in the first place. As a result, more victims may pay up after infection, even if there is no actual risk of information becoming public.

    BlackByte’s encryption process also reveals that unskilled threat actors may be at work. The malware downloads and uses the same key to encrypt files with AES, rather than unique keys for each session, such as those usually employed by sophisticated ransomware operators.

    If the key cannot be downloaded from its HTTP server, where it is hidden in a file called forest.PNG, the ransomware program simply crashes. An RSA key is used once to encrypt the ‘raw’ key to show a ransom note. “To decrypt a file, one only needs the raw key to be downloaded from the host,” Trustwave says. “As long as the .PNG file it downloaded remains the same, we can use the same key to decrypt the encrypted files.”

    Aside from this odd encryption process, the malware utilizes a JavaScript launcher designed to decrypt the main .NET DLL payload. The ransomware is executed in memory, and a victim ID is assigned using the vulnerable PC’s processor ID and volume serial number, which are then hashed and sent to the malware’s command-and-control (C2) server. Any process which could prevent file encryption is terminated, and the SetThreadExecutionState API is used to stop the machine from entering a sleep state.

    In addition, volume shadow copies are wiped, Windows restore points are deleted, and network discovery is enabled. BlackByte also has worm-like capabilities similar to those employed by Ryuk, and it will try to propagate itself across available networks.

    Trustwave has made a BlackByte decryptor available for download at GitHub.
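    The pre-encryption behaviour described for BlackByte (shadow copies wiped, restore points deleted, network discovery enabled) is where detection has a chance before files are locked. The article does not name the commands the malware uses, so the patterns below are the author's assumptions about the usual ways those actions show up in process-creation telemetry; the events are constructed for the example, and this is added example code rather than anything from Trustwave or the BlackByte decryptor.

```python
import re
from collections import defaultdict

# Assumed command-line patterns for recovery-inhibition and discovery changes (not from the article).
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin_resize_shadowstorage", re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("ps_shadowcopy_delete", re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I)),
    ("netsh_enable_network_discovery",
     re.compile(r'netsh(\.exe)?\s+advfirewall\s+firewall\s+set\s+rule\s+group="?network discovery"?.*enable=yes', re.I)),
]

# Constructed process-creation events (Sysmon-like fields); hosts and paths are invented.
SAMPLE_EVENTS = [
    {"ts": "2021-10-18T09:01:02Z", "host": "ws01", "parent": r"C:\Users\u\AppData\Local\Temp\loader.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"ts": "2021-10-18T09:01:03Z", "host": "ws01", "parent": r"C:\Users\u\AppData\Local\Temp\loader.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"ts": "2021-10-18T09:01:04Z", "host": "ws01", "parent": r"C:\Users\u\AppData\Local\Temp\loader.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"ts": "2021-10-18T09:01:05Z", "host": "ws01", "parent": r"C:\Users\u\AppData\Local\Temp\loader.exe",
     "cmdline": 'netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes'},
    {"ts": "2021-10-18T09:05:00Z", "host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "vssadmin list shadows"},
    {"ts": "2021-10-18T09:06:00Z", "host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell Get-Process"},
    {"ts": "2021-10-18T09:10:00Z", "host": "srv01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"},
]


def match_event(cmdline: str) -> list:
    """Return the names of all rules whose pattern matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(events: list) -> list:
    """Run every rule over every event; one hit per (event, rule) pair."""
    hits = []
    for ev in events:
        for rule in match_event(ev["cmdline"]):
            hits.append({"ts": ev["ts"], "host": ev["host"], "rule": rule, "parent": ev["parent"]})
    return hits


def correlate(hits: list, min_distinct: int = 2) -> dict:
    """Flag hosts on which several distinct recovery-inhibition techniques fired.
    A lone shadow-copy deletion may be an administrator; a cluster of them is the
    pattern the article describes, and it precedes encryption."""
    by_host = defaultdict(set)
    for h in hits:
        by_host[h["host"]].add(h["rule"])
    return {host: sorted(rules) for host, rules in by_host.items() if len(rules) >= min_distinct}


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for h in found:
        print(h["ts"], h["host"], h["rule"], "parent:", h["parent"])
    print("hosts matching the pre-encryption cluster:", correlate(found))
```

    Two design choices matter in practice: the parent process is carried through to the hit because a loader under a user's Temp directory spawning vssadmin is far more suspicious than the same command under an admin's console, and the correlation step is what separates a single legitimate cleanup from the burst of recovery-inhibition steps that ransomware performs right before it starts encrypting.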