More stories

  •

    HP expands security services for printers at home or in the office

    HP on Wednesday announced a series of new security services for printers, helping IT departments secure devices both in an office setting and in home offices. In the era of remote work, printers are a potential attack point that makes corporate networks and data vulnerable, HP notes.

    First, HP is expanding its Flexworker offering, which is part of its cloud-based printer management service. The Flexworker plan enables employees to order supplies for their home printing needs. Now it will offer a fully automated managed print service (MPS) contract, and it will give enterprises visibility into as many as 15 security settings on devices. The expanded program uses HP Security Manager to continuously monitor devices and automatically remediate compliance issues.

    Next, HP is introducing secure Internet Printing through HP Advance, a platform for capture, print and output management. The new service protects print jobs, in the office or at home, with encryption and authentication technologies, including OAuth 2.0 with OpenID Connect for Azure AD. It also provides job accounting, so companies can track activity both inside and outside the organization.

    Lastly, HP is making HP Secure Print compatible with Universal Print from Microsoft, which adds a layer of security by requiring authentication before the document is printed. It will also provide analytics about all print activity.

    The new services are part of HP Wolf Security, the company’s portfolio of secure hardware, security software and endpoint security services.

  •

    Russia must do more to tackle cyber criminals operating from within its borders, says UK

    Russia must do more to tackle cyber criminals operating from within its territory, the UK’s Foreign Secretary Dominic Raab has warned.

    In a speech at the National Cyber Security Centre’s (NCSC) CYBERUK 21 conference, Raab called out nation-state backed hacking campaigns by North Korea, Iran, Russia and China, which he accused of using digital technology “to sabotage and steal, or to control and censor.”

    The UK, alongside the US, called out Russia’s involvement in the SolarWinds supply chain hack, which led to the compromise of several government agencies, technology firms and cybersecurity companies, but Raab argued that these states also need to take responsibility for cyber criminals operating within their borders.

    For example, the Colonial Pipeline ransomware attack, which has disrupted fuel supplies across the US East Coast, was apparently carried out by cyber criminals using DarkSide ransomware-as-a-service, a ransomware group which, like many others, is strongly suspected of operating out of Russia.

    Some argue that Russia tolerates cyber criminals who attack targets in the West, so long as they stay away from Russian targets. Many of the most notorious ransomware gangs tailor the code of their malware to uninstall itself if it detects that the machine is set to the Russian language or has an IP address in a former Soviet nation.

    Ransomware attacks have caused a great deal of disruption around the world, and Raab accused the Kremlin of sitting back as “industrial scale vandals of the 21st century” caused chaos from within its borders.

    “When states like Russia have criminals or gangs operating from their territory, they can’t just wave their hands and say nothing to do with them – even when it’s not directly linked to the state, they have a responsibility to prosecute those gangs and those individuals, not to shelter them,” said Raab.

    Cyber threats from nation-states, cyber criminals, and everything in between will keep coming, but the Foreign Secretary said the UK is improving its capabilities when it comes to defending against cyber attacks.

    “We’re getting better at detecting, disrupting and deterring our enemies. Acting with partners around the world, we name and shame the perpetrators,” said Raab. “We did this last month with the SolarWinds attack, exposing the depth and the breadth of cyber activities by the Russian intelligence service, the SVR. And by revealing the tools and techniques malicious cyber actors are using, we can help our citizens and our businesses to see the signs early on and help them protect themselves from threats,” he added.

    However, there are no illusions that defending the UK from cyber threats will be an easy task.

    “It’s going to be a marathon, a war of attrition, but we will keep relentlessly shining a light on these predatory activities,” said Raab.

  •

    New ransomware: CISA warns over FiveHands file-encrypting malware variant

    The US Cybersecurity & Infrastructure Security Agency (CISA) has warned organizations to be cautious of a relatively new ransomware variant called FiveHands. FiveHands ransomware has been around since January 2021, but CISA said it was “aware of a recent, successful cyberattack against an organization” using this strain of file-encrypting malware.

    The group using FiveHands employs the same tactics as the DarkSide ransomware group that is holding Colonial Pipeline to ransom, in that the group not only encrypts a target’s data but steals some of it and threatens to leak it online unless the attacker’s payment demands are met.

    FireEye’s incident response arm Mandiant, which tracks the FiveHands group as UNC2447, detected the group exploiting a zero-day flaw in the SonicWall VPN (CVE-2021-20016), according to an April report. Attackers were targeting unpatched SonicWall Secure Mobile Access SMA 100 remote access products, for which patches were released in February. The publicly available tools the group uses include the SoftPerfect Network Scanner for discovery and Microsoft’s own remote administration program, PsExec.exe, and its related ServeManager.exe.

    “To thwart the recovery of the data, the ransomware uses Windows Management Instrumentation (WMI) to enumerate Volume Shadow copies using the command select * from Win32_ShadowCopy and then deletes copies by ID (Win32_ShadowCopy.ID),” CISA notes in its Analysis Report (AR21-126A).

    “The malware will also encrypt files in the recovery folder at C:\Recovery. After the files are encrypted the program will write a ransom note to each folder and directory on the system called read_me_unlock.txt.”

    The SombRAT component allows the attackers to remotely download and execute malicious DLLs (software plugins) on the target network. It also serves as the main component of the attacker’s command and control infrastructure.

    “The RAT provides most of its C2 capabilities to the remote operator by allowing the remote operator to securely transfer executable DLL plugins to the target system—via a protected SSL session—and load these plugins at will via the embedded plugin framework,” CISA explains. “The native malware itself does not provide much actual functionality to the operator without the code provided by the plugins.”

    Without the plugins, the RAT can otherwise collect system data, such as the computer’s name, the user’s name, the operating system version, and the current process it is masquerading as.

    Some key recommendations CISA offers are to update antivirus signatures and ensure the OS is updated with the latest patches. It also recommends disabling file and printer sharing services, implementing least privilege, and enabling multi-factor authentication on all VPN connections, external-facing services, and privileged accounts. Organizations should also decommission unused VPN services and monitor network traffic for unapproved protocols, especially those used for outbound connections to the internet, such as SSH, SMB and RDP.

    Separately, CISA today issued the same advice for organizations and critical infrastructure in the wake of the Colonial Pipeline ransomware attack.

  •

    Researchers track down five affiliates of DarkSide ransomware service

    Researchers have provided the details of an investigation into cyberattacker activity linked to DarkSide ransomware.


    On Tuesday, FireEye researchers documented five separate clusters of activity suspected of being connected to DarkSide, the Ransomware-as-a-Service (RaaS) network responsible for the Colonial Pipeline security incident.  Colonial Pipeline, one of the largest fuel pipeline operators and delivery companies in the United States, suffered a ransomware outbreak last week which has resulted in pipeline closures and fuel shortages. The firm is yet to restore all of its systems and the case — as it involves a critical infrastructure (CI) asset — is deemed serious enough to involve the FBI.  DarkSide’s core team has attempted to distance itself from the attack by claiming to be “apolitical” and a group simply in it for the money. However, the incident has prompted the interest of not only law enforcement, but security researchers tracking RaaS services.  So far, FireEye has tracked five threat actors who are either current or past DarkSide RaaS affiliates.  RaaS subscribers are given access to custom malware — in this case, the DarkSide ransomware variant — in return for developers receiving a slice of any ransom payment profits.  Forum posts indicate that affiliation requires 25% of the cut for ransom payments under $500,000 and this is decreased to 10% for anything over $5 million. 

    According to the researchers, anyone who tries to join the DarkSide RaaS group has to pass an interview and, if they succeed, is then provided with a control panel for selecting their ransomware build, managing their victims, and contacting support. In addition, users can specify what information, stolen during a cyberattack, can be published on the main DarkSide leak site. This is known as a double-extortion tactic, in which companies that refuse to pay for a decryption key are then threatened with the public leak of their files.

    FireEye has described the current activities of three out of the five linked groups, tracked as UNC2628, UNC2659, and UNC2465.

    UNC2628: This group has been active since February. They tend to move quickly from initial infection to ransomware deployment and may only lurk on a compromised network for two to three days before starting encryption. Suspicious authentication attempts, brute force attacks, and ‘spray and pray’ tactics are common, and this threat actor may also acquire initial access through legitimate credentials for corporate virtual private networks (VPNs), which can be purchased from other cybercriminals online. UNC2628 is thought to partner with other RaaS services including REvil and Netwalker.

    UNC2659: The second cluster, active since at least January, moves from initial access to ransomware deployment in an average of 10 days. This set obtains initial access by exploiting CVE-2021-20016, a now-patched vulnerability in the SonicWall SMA100 SSL VPN, a service designed for mobile workers. “There is some evidence to suggest the threat actor may have used the vulnerability to disable multi-factor authentication options on the SonicWall VPN, although this has not been confirmed,” FireEye says. TeamViewer is abused to maintain persistence on a compromised machine, and the group exfiltrates files before encryption.

    UNC2465: With cybercriminal activity dating back to at least April 2019, UNC2465 now uses phishing emails to deliver DarkSide via the Smokedham .NET backdoor. In a case documented by FireEye, initial access to a network was obtained months ahead of ransomware execution. Smokedham also supports the execution of arbitrary .NET commands, keylogging, and screenshot generation. The NGROK utility is used by the threat actors to circumvent firewalls and expose remote desktop service ports.

    In related news, Sophos has been called in to assist on five different instances of DarkSide ransomware infection. The company has reported an average time of 45 days between initial access and ransomware deployment. A copy of the typical ransomware note is below.

    “We believe that threat actors have become more proficient at conducting multifaceted extortion operations and that this success has directly contributed to the rapid increase in the number of high-impact ransomware incidents over the past few years,” FireEye commented. “We expect that the extortion tactics that threat actors use to pressure victims will continue to evolve throughout 2021.”
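    Both the CISA FiveHands report above and the affiliate tradecraft described here come down to a handful of observable host behaviours: shadow copies enumerated and deleted through WMI or vssadmin, PsExec (or a renamed copy such as ServeManager.exe) pushed to other hosts, an ngrok tunnel publishing RDP, and the ransom note landing on disk. The following is an added detection example written for this page, not code from CISA, FireEye or either report. It runs a few rules over constructed JSON-lines telemetry whose field names (host, kind, image, cmdline, query, target) are an assumption for the example rather than Sysmon's schema. The separate wmi_query record is deliberate: the ransomware issues its Win32_ShadowCopy calls in-process, so a process-creation log alone never shows the query, and a WMI activity trace is needed to see it.

```python
"""Toy detection pass over constructed Windows telemetry for the ransomware
tradecraft named in CISA's FiveHands report and FireEye's DarkSide affiliate
write-up.  Added example for this page; the event schema is a simplified
stand-in chosen for the example, not Sysmon's."""

import json
import re

# Constructed sample telemetry, one JSON object per line.  Field names
# (host, kind, image, cmdline, query, target) are an assumption for this
# example.  The "wmi_query" record stands in for a WMI activity trace: the
# ransomware issues its Win32_ShadowCopy calls in-process, so they never
# appear as a command line.
SAMPLE_LOG = r"""
{"host": "fs01", "kind": "process", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c dir"}
{"host": "fs01", "kind": "wmi_query", "image": "C:\\Users\\Public\\svchost.exe", "query": "select * from Win32_ShadowCopy"}
{"host": "fs01", "kind": "process", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"}
{"host": "dc01", "kind": "process", "image": "C:\\Windows\\ServeManager.exe", "cmdline": "ServeManager.exe \\\\fs01 -s -d cmd.exe"}
{"host": "ws07", "kind": "process", "image": "C:\\Users\\j.doe\\AppData\\Local\\ngrok.exe", "cmdline": "ngrok.exe tcp 3389"}
{"host": "ws07", "kind": "process", "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "cmdline": "TeamViewer.exe"}
{"host": "fs01", "kind": "file", "image": "C:\\Users\\Public\\svchost.exe", "target": "C:\\Shares\\Finance\\read_me_unlock.txt"}
"""

# Each rule is a list of patterns; any one match fires the rule.  Matching is
# done on the lower-cased concatenation of the fields listed in _blob().
RULES = {
    # WMI enumeration/deletion (AR21-126A) and the equivalent CLI tools
    "shadow_copy_tamper": [
        re.compile(r"win32_shadowcopy"),
        re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"),
        re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete"),
    ],
    # PsExec, its service-side binary, and the renamed copy named in the report
    "psexec_lateral_movement": [
        re.compile(r"\b(psexec|psexesvc|servemanager)(\.exe)?\b"),
    ],
    # ngrok used to publish the local RDP port, as in the UNC2465 description
    "ngrok_exposes_rdp": [
        re.compile(r"ngrok(\.exe)?\s+tcp\s+3389\b"),
    ],
    # FiveHands ransom note filename
    "ransom_note_dropped": [
        re.compile(r"read_me_unlock\.txt\b"),
    ],
}


def _blob(event):
    """Lower-cased text of the fields worth matching; missing fields are skipped."""
    return " ".join(str(event.get(k, "")) for k in ("image", "cmdline", "query", "target")).lower()


def evaluate(event):
    """Return the names of every rule the event triggers (empty list = benign)."""
    blob = _blob(event)
    return [name for name, pats in RULES.items() if any(p.search(blob) for p in pats)]


def scan(log_text):
    """Parse JSON-lines telemetry and return (host, rule, image) hits in log order."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for rule in evaluate(event):
            hits.append((event["host"], rule, event["image"]))
    return hits


def hosts_to_isolate(hits):
    """Hosts with both shadow-copy tampering and a ransom note: encryption has
    already started there, so they go to the top of the containment list."""
    seen = {}
    for host, rule, _ in hits:
        seen.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in seen.items()
                  if {"shadow_copy_tamper", "ransom_note_dropped"} <= rules)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for host, rule, image in found:
        print(f"{host:5} {rule:24} {image}")
    print("isolate first:", hosts_to_isolate(found))
```

    The rules are deliberately loose string matches rather than exact command lines, because affiliates rename binaries (ServeManager.exe is the example on this page) and vary switches; the cost is that a legitimate backup job running vssadmin delete shadows will also fire, which is why the hosts_to_isolate step requires the ransom-note drop as corroboration before a host is treated as actively encrypting.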

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  •

    FBI, CISA publish alert on DarkSide ransomware

    The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory in the aftermath of a devastating ransomware attack on Colonial Pipeline. 


    The alert, published on Tuesday, provides details on DarkSide, malware operators that run a Ransomware-as-a-Service (RaaS) network. DarkSide is responsible for the recent cyberattack on Colonial Pipeline. Last Friday, the fuel giant said a cyberattack had forced the company to halt pipeline operations and temporarily pull IT systems offline to contain the incident, found to be an infection caused by DarkSide affiliates.

    Colonial Pipeline is yet to recover, and because it is a critical infrastructure provider, one which supplies 45% of the East Coast’s fuel and usually delivers up to 100 million gallons of fuel daily, the FBI has become involved.

    “Cybercriminal groups use DarkSide to gain access to a victim’s network to encrypt and exfiltrate data,” the alert says. “These groups then threaten to expose data if the victim does not pay the ransom. Groups leveraging DarkSide have recently been targeting organizations across various CI sectors including manufacturing, legal, insurance, healthcare, and energy.”

    The DarkSide ransomware is provided to RaaS customers. This cybercriminal model has proven popular as it only requires a core team to develop malware, which can then be distributed to others. RaaS, also known as ransomware affiliate schemes, may be provided on a subscription basis and/or the creators receive a cut of the profits when a ransom is paid. In return, the developers continue to improve their malware ‘product’.

    DarkSide tries to portray itself in a ‘Robin Hood’ light, with terms of service for clients that dictate no medical, care home, or palliative care providers should be targeted. The operators have been quick to distance themselves from the attack on Colonial Pipeline, a core fuel provider for the country, and vaguely blamed the attack on a partner. “Our goal is to make money, and not creating problems for society,” DarkSide said.

    The FBI/CISA advisory also includes advice and best practices for preventing or mitigating the threat of ransomware.

    “CISA and FBI urge CI [critical infrastructure] asset owners and operators to adopt a heightened state of awareness and implement recommendations […] including implementing robust network segmentation between IT and OT networks; regularly testing manual controls; and ensuring that backups are implemented, regularly tested, and isolated from network connections,” the agencies say. “These mitigations will help CI owners and operators improve their entity’s functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if impacted by ransomware.”

    Other recommendations include:

    • Multi-factor authentication for remote access to IT networks
    • Spam filters to mitigate phishing, and network traffic filters
    • Employee training programs
    • Frequent patch processes
    • Security audits and risk assessments
    • RDP restrictions
    • Monitoring of connections to anonymization services

    “CISA and the FBI do not encourage paying a ransom to criminal actors,” the agencies added. “Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.”

  •

    328 weaknesses found by WA Auditor-General in 50 local government systems

    The Auditor-General of Western Australia on Wednesday tabled a report into the computer systems used at 50 local government entities, revealing 328 control weaknesses across the group.

    It was Auditor-General Caroline Spencer’s intention to list the entities, but given the nature of her findings, all case studies included in Local Government General Computer Controls [PDF] omit entity and system names.

    “Included in the case studies are real life examples of how extremely poor general computer controls can result in system breaches, loss of sensitive and confidential information and financial loss,” Spencer said. “They serve as important reminders of the need to remain ever vigilant against constant cyber threats.”

    The report states that none of the 11 entities on which the Auditor-General performed capability maturity assessments met minimum targets. For the remaining 39, general computer controls audits were conducted.

    The audit probed information security, business continuity, management of IT risks, IT operations, change control, and physical security.

    Of the 328 control weaknesses, 33 were rated as significant and 236 as moderate. Like last year, nearly half of all issues were about information security.

    2019-20 capability maturity model assessment results (Image: Office of the Auditor General)

    The capability assessment results, meanwhile, showed that none of the 11 audited entities met the auditor’s expectations across the six control categories, with 79% of the audit results below the minimum benchmark.

    “Poor controls in these areas left systems and information vulnerable to misuse and could impact critical services provided to the public,” the report added. “Five of the entities were also included in last year’s in-depth assessment and could have improved their capability by promptly addressing the previous year’s audit findings but, overall, did not discernibly do so.”

    Among the findings were entities having a poor awareness of cyber threats, with one case study revealing a user’s account details were stolen because of a phishing attack that was not detected or prevented by the entity’s security controls.

    “The attack resulted in a fraudulent credit card transaction on the user’s corporate credit card, which was immediately cancelled,” the report said. “Further investigation by the entity revealed the attacker downloaded 10GB of entity information in the form of sensitive emails.”

    Another common weakness was that entities did not have policies, procedures, and processes to effectively manage technical vulnerabilities. At one entity, public-facing and internal systems sat in the same network; the same entity also did not monitor devices on its network. Many entities were also not managing privileged access to their networks and systems. One entity was found not to have changed the password for the default network administrator account since 2002, even though various staff who knew the password had since left.

    “We found instances where this account was used out of office hours and the entity was unable to explain this use,” the report said.

    Probing the management of IT risks, the weaknesses found included no policies and procedures to document, assess, review, and report IT risks; key risks that were not documented, leaving entities unaware of whether appropriate controls were in place to protect their information; and risk registers that had not been reviewed within a reasonable time.

    IT operations also revealed many weaknesses, including a lack of user access reviews, no logging of user access and activity, a lack of incident management procedures, and no requirement for IT staff privy to certain sensitive information to complete a background check.

    “At one entity, staff could redirect payments for council rates, infringements, licence and application fees to another bank account by changing a file hosted on a shared server,” the report details. “Access to the server was not appropriately controlled because staff used a shared generic account to access and manage the server.”

    Physical security was also flagged as weak, with one example showing an entity had no monitoring process for its server room, meaning anyone could access it. Further weaknesses under the physical security banner included no backups and no appropriate environmental controls to protect IT infrastructure.

    The report provided six recommendations, one for each of the control areas audited. These included implementing appropriate frameworks and management structures, identifying IT risks, and patching.

  •

    Time to patch against FragAttacks but good luck with home routers and IoT devices

    Security researcher Mathy Vanhoef, who loves to poke holes in Wi-Fi security, is at it again, this time finding a dozen flaws that stretch back to cover WEP and seemingly impact every device that makes use of Wi-Fi. Thankfully, as Vanhoef explained, many of the attacks are hard to abuse and require user interaction, while others remain trivial. Another positive is that Microsoft shipped its patches on March 9, while a patch to the Linux kernel is working its way through the release system. The details of FragAttacks follow a nine-month embargo to give vendors time to create patches.

    “An adversary that is within radio range of a victim can abuse these vulnerabilities to steal user information or attack devices,” Vanhoef said in a blog post. “Experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities.”

    Several of the identified flaws relate to the ability to inject plaintext frames, with certain devices accepting any unencrypted frame, or accepting plaintext aggregated frames that look like handshake messages. Vanhoef demonstrated how this could be used to punch a hole in a firewall and thereby take over a vulnerable Windows 7 machine.

    “The biggest risk in practice is likely the ability to abuse the discovered flaws to attack devices in someone’s home network,” the security researcher wrote. “For instance, many smart home and internet-of-things devices are rarely updated, and Wi-Fi security is the last line of defense that prevents someone from attacking these devices. Unfortunately … this last line of defense can now be bypassed.”

    Other vulnerabilities relate to how Wi-Fi frames are fragmented and how receivers reassemble them, allowing an attacker to exfiltrate data. Even devices that do not support fragmentation are at risk.

    “Some devices don’t support fragmentation or aggregation, but are still vulnerable to attacks because they process fragmented frames as full frames,” Vanhoef wrote. “Under the right circumstances this can be abused to inject packets.”

    Some networking vendors, such as Cisco and Juniper, are starting to push patches for some of their impacted products, while Sierra plans to update some of its products over the next year, and others will not be fixed. The CVEs registered for FragAttacks have been given a medium severity rating, with CVSS scores between 4.8 and 6.5.

    “There is no evidence of the vulnerabilities being used against Wi-Fi users maliciously, and these issues are mitigated through routine device updates that enable detection of suspect transmissions or improve adherence to recommended security implementation practices,” the Wi-Fi Alliance wrote.

    Vanhoef said anyone with unpatched devices can protect against data exfiltration by using HTTPS connections.

    “To mitigate attacks where your router’s NAT/firewall is bypassed and devices are directly attacked, you must assure that all your devices are updated. Unfortunately, not all products regularly receive updates, in particular smart or internet-of-things devices, in which case it is difficult (if not impossible) to properly secure them,” the researcher wrote. “More technically, the impact of attacks can also be reduced by manually configuring your DNS server so that it cannot be poisoned. Specific to your Wi-Fi configuration, you can mitigate attacks (but not fully prevent them) by disabling fragmentation, disabling pairwise rekeys, and disabling dynamic fragmentation in Wi-Fi 6 (802.11ax) devices.”
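    Vanhoef’s advice to disable fragmentation and pairwise rekeys follows from how the receive-side fragment cache works: a receiver that groups fragments by sequence number alone, keeps the cache across a rekey or reconnection, and never checks that all fragments were decrypted under the same key can be made to glue an attacker-chosen first fragment onto the tail of a victim’s frame. The toy model below is an added example written for this page, not FragAttacks code; the Fragment record and its key_gen field (the generation of the pairwise key that decrypted the fragment) are simplifications, and receive() ignores everything about real 802.11 framing except the sequence number, fragment number and More Fragments flag.

```python
"""Toy model of an 802.11 receiver's fragment cache, showing why the
FragAttacks mitigations (disable fragmentation, disable pairwise rekeys) help.
Added example for this page, not FragAttacks code; the frame fields and the
per-fragment key bookkeeping are simplifications."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Fragment:
    """One decrypted fragment.  key_gen is an assumption of this model: the
    generation of the pairwise key (PTK) that decrypted the fragment.  A real
    receiver knows this when it decrypts, but a vulnerable one never records it."""
    seq: int        # sequence number shared by all fragments of one frame
    frag: int       # fragment number, 0-based
    more: bool      # More Fragments flag
    key_gen: int
    payload: bytes


class NaiveReassembler:
    """Vulnerable model: fragments are grouped by sequence number only, the
    cache survives rekeys and reconnects, and fragment numbering is not checked."""

    def __init__(self):
        self.cache = {}

    def on_rekey(self):
        pass            # nothing is flushed, which is exactly the problem

    on_connect = on_rekey

    def receive(self, f: Fragment) -> Optional[bytes]:
        parts = self.cache.setdefault(f.seq, [])
        parts.append(f)
        if f.more:
            return None
        del self.cache[f.seq]
        return b"".join(p.payload for p in parts)


class StrictReassembler:
    """Hardened model: all fragments of a frame must have been decrypted under
    the same key, fragment numbers must be consecutive, and the cache is
    flushed whenever the pairwise key changes or the station (re)associates."""

    def __init__(self):
        self.cache = {}

    def on_rekey(self):
        self.cache.clear()

    on_connect = on_rekey

    def receive(self, f: Fragment) -> Optional[bytes]:
        parts = self.cache.get(f.seq)
        if f.frag == 0:
            parts = [f]                       # a new frame replaces any stale entry
        elif (parts is None or parts[-1].frag + 1 != f.frag
              or parts[-1].key_gen != f.key_gen):
            self.cache.pop(f.seq, None)       # gap or mixed keys: drop everything
            return None
        else:
            parts.append(f)
        if f.more:
            self.cache[f.seq] = parts
            return None
        self.cache.pop(f.seq, None)
        return b"".join(p.payload for p in parts)


def mixed_key_attack(rx) -> Optional[bytes]:
    """Mixed-key scenario: fragment 0 of an attacker-chosen frame lands in the
    cache under key generation 1, a rekey happens, and fragment 1 of an unrelated
    victim frame with the same sequence number arrives under generation 2.
    Returns whatever the receiver hands up to the network stack."""
    rx.on_connect()
    rx.receive(Fragment(seq=7, frag=0, more=True, key_gen=1,
                        payload=b"IP header to attacker|"))     # constructed
    rx.on_rekey()
    return rx.receive(Fragment(seq=7, frag=1, more=False, key_gen=2,
                               payload=b"victim secret data"))  # constructed


def benign_frame(rx) -> Optional[bytes]:
    """A normal two-fragment frame under one key reassembles in both models."""
    rx.on_connect()
    rx.receive(Fragment(seq=3, frag=0, more=True, key_gen=1, payload=b"hello "))
    return rx.receive(Fragment(seq=3, frag=1, more=False, key_gen=1, payload=b"world"))


if __name__ == "__main__":
    print("naive :", mixed_key_attack(NaiveReassembler()))
    print("strict:", mixed_key_attack(StrictReassembler()))
```

    With pairwise rekeys disabled, key_gen never changes and the mixed-key path cannot arise, which is why Vanhoef lists it as a partial rather than complete mitigation; the cache flush on (re)association covers the related case where stale fragments survive a reconnect, and disabling fragmentation removes the cache altogether, at the cost of the larger frames being more exposed to radio errors.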

  •

    Apple prevented 1 million risky or vulnerable apps from entering App Store in 2020

    Apple stopped nearly 1 million risky or vulnerable apps from being included in the App Store in 2020 as part of efforts to protect users from being manipulated.

    Of those rejections, 48,000 were made because the apps contained hidden or undocumented features, while more than 150,000 apps were rejected because they were found to be spam, copycats, or misleading to users in ways such as manipulating them into making a purchase, Apple said in a blog post. In 2020, Apple’s app review team also rejected over 215,000 apps because developers were either seeking more user data than they needed or mishandling user data.

    Apple added that it terminated 470,000 developer accounts in 2020 and rejected an additional 205,000 developer enrolments over fraud concerns. It claimed that its monitoring practices resulted in these fraudulent developer accounts being terminated, on average, less than a month after they were created.

    “Unfortunately, sometimes developer accounts are created entirely for fraudulent purposes. If a developer violation is egregious or repeated, the offender is expelled from the Apple Developer Program and their account terminated,” Apple said.

    Through these monitoring practices, in addition to preventing more than 3 million stolen credit cards from being used, Apple claimed it prevented more than $1.5 billion in potentially fraudulent App Store transactions.

    Apple’s App Store update comes shortly after documents submitted to court reportedly scrutinised its security capability. In a 2015 email entered into court last week, Apple managers said they had uncovered 2,500 malicious apps that were downloaded 203 million times by 128 million users. Despite other emails indicating that Apple was considering whether to notify affected users of the malicious apps, Apple’s legal representatives did not provide evidence that they let users know they had installed malware, according to an Ars Technica report.

    The emails were submitted as part of an ongoing three-week trial in the legal stoush between Apple and Epic Games. Epic Games filed the lawsuit against Apple in August last year, accusing the iPhone maker of misusing its market power to substantially lessen competition in app distribution and payment processing. The US lawsuit is one among many that Epic Games has raised against Apple, with the Fortnite maker seeking legal action in other jurisdictions, such as Australia, the EU, and the UK.