Information Technology

Singapore has released what it says is a blueprint to combat growing ransomware threat and offer guidelines on how to mitigate such attacks. These include a reference ransomware “kill chain” and recommendations on whether to pay ransom demands. Ransomware risks had increased significantly in scale and impact, becoming an “urgent” problem that countries including Singapore must address, said Cyber Security Agency (CSA) in a statement Wednesday.  “It is inherently an international problem, as attackers conduct their operations across borders and jurisdictional lines to evade justice” the government agency said. “Fuelled by illicit monetary gains, ransomware has raised a criminal ecosystem, offering criminal services from unauthorised access to targeted networks to money laundering services.”To effectively address the challenge, it underscored the need to coordinate cybersecurity, law enforcement, and financial regulatory agencies as well as support global collaboration. This had prompted Singapore to establish an inter-agency task force early this year, comprising senior representatives from various ministries and government agencies including CSA, Government Technology Agency, Ministry of Defence, Monetary Authority of Singapore, and Singapore Police Force.  The task force focused on three primary outcomes encompassing a reference model for a ransomware kill chain, which would serve as the foundation for government agencies to coordinate and develop counter-ransomware solutions. It also reviewed the country’s policies towards making ransom payments and established recommendations of operational plans and capabilities needed to combat ransomware effectively. The kill chain outlines five stages of a ransomware attack, starting from the phases before it is activated and when attackers gain access to the targeted system and and execute preparatory steps, such as data exfiltration and removal of backups. Stealth is a priority here and attackers have been known to carry out these stages months before activation, according to the blueprint. It highlighted that “prevention is better than cure”, the report noted, adding that cutting the skill chain at the initial two stages should be the priority. “Having a common reference model of a ransomware kill chain will allow countries to better understand each other, facilitate information sharing, benchmark counter-ransomware best practices, and identify gaps in existing national measures,” the task force said in the report. The blueprint also supported Singapore’s stance that payment of ransoms should be “strongly discouraged”, as doing so would further fuel the ransomware problem since that was the attacker’s main objective.Furthermore, paying the ransom neither guaranteed the decryption of data nor that the data would not be published by the hackers. The task force noted that organisations that opted to pay the ransom could be identified as “soft” targets and be hit again. In addition, payment of ransoms in such attacks under certain circumstance may breach the Terrorism Act 2002, which criminalises the financing of terrorist acts. With this in mind, the task force recommended government agencies and owners of critical information infrastructures (CII) consider the risk and notify CSA and law enforcement, in the event of a ransomware attack, before making any ransom payment.it also suggested the government looked at four key action plans, including strengthening the cyber defence of high-risk targets, such as CIIs and government agencies, as well as supporting recovery so victims of ransomware attacks did not feel pressured to pay the ransom. According to CSA, the number of reported ransomware cases totalled 137 last year, up 54% from 2020, with SMBs from sectors such as manufacturing and IT mostly falling victims to such attacks. It added that ransomware groups targeting SMBs in Singapore tapped the ransomware-as-a-service model, which made it easier for amateur hackers to use existing infrastructure to push out ransomware payloads. RELATED COVERAGE More

Ransomware attacks continue to plague nations such as Japan and Singapore, where they are expected to remain a significant concern especially for critical information infrastructure (CII) sectors. Small and midsize businesses (SMBs), too, are a growing worry as they often lack resources and more likely to fall victim to cyber attacks. Cyber attacks had been increasing in volume over the last few years and this past year was no exception, NTT’s chief cybersecurity strategist Mihoko Matsubara said in an interview with ZDNET. The Ukraine war also had prompted questions from organisations in Japan about how it would impact the cyber threat landscape, said Tokyo-based Matsubara, but noted it was difficult to determine if there was a direct correlation between the ongoing conflict and growing number of cyber attacks. She added that most companies, as they digitalised their operations, would have more IT assets and an expanded attack surface to protect, making it more difficult to safeguard their network amidst the onslaught of attacks. The heightened awareness of the potential risks, however, presented an opportunity for businesses and countries to enhance their cyber resiliency, she said.Righard Zwienenberg, ESET’s senior research fellow, said the security vendor’s research showed a drop in ransomware attacks this year, with phishing still the top threat, especially for companies in Japan.However. the figures did not necessarily indicate hackers were moving their attention away from ransomware, said Zwienenberg, who also is a member of the Europol European Cyber Crime Center’s advisory group. Instead, the drop in the number of ransomware attacks likely reflected a change in “business model” that concentrated less on lower tiered companies and more on higher value enterprises with deeper pockets. This meant hackers could demand higher ransoms from their targeted victims, he said, pointing to ransom demands last year that ranged from $4.4 million in the US Colonial Pipeline ransomware attack, to $70 million with Kaseya and $240 million involving MediaMarkt. And rather than blocking access to sensitive or customer data, he added that cybercriminals increasingly were opting for extortion, in which they would threaten to release their victims’ data and notify the public about the data breach. This would cause more damage to the targeted organisations, including financial penalty for potentially violating local data privacy regulations, and push them to pay the ransom. Zwienenberg advocated the need for regulations that would stop organisations from giving in to ransom demands, noting that there was never any guarantee ceding to such demands would lead to a full recovery of stolen data or that hackers would remove data logs. He also pointed to growing worries about CIIs amidst a shift in target towards these sectors and cyber warfare, as a result of the war in Ukraine. SMBs need help staving off attacksMatsubara, too, expressed concerns about an increase in ransomware attacks targeting hospitals in Japan as well as SMBs. Citing the Japanese National Police Agency, she noted that more than half of companies affected by ransomware attacks were SMBs, compared to one third that were large or major Japanese organisations. With SMBs an integral part of global supply chains, she urged governments and industry players to work together and identify ways, apart from funding, to provide better support to bolster SMBs’ business continuity capabilities. The Tokyo metropolitan government, for instance, rolled out a uniquely Japanese campaign that included a series of manga-styled guidebooks to better help SMBs visualise cybersecurity attacks and how they should mitigate and respond to threats, such as ransomware and business email compromise. Matsubara noted, though, that the ongoing Ukraine conflict had prompted more dialogues between governments and their local industries, as part of efforts to exchange threat intel. This was encouraging since the public sector was not always forthcoming about sharing information in the interest of national security, said Matsubara, who once worked at the Japan’s Ministry of Defence and served on the government’s cybersecurity R&D policy committee. Noting that cybersecurity was a global challenge, she said it was increasingly necessary for defence ministries to engage with the general public and business leaders so they could help local industries enhance their cyber defences and better protect infrastructures.Ensuring there was a bridge between the public and private sectors also would help shape regulations and polices that were practical, while ensuring technologies could be developed in a timely and effective way, she added. It would further encourage incident reporting and mutual sharing of threat intel, since businesses would not feel it was an unfair one-sided trade and would be better assured their insights were being taken seriously, she said. Asked how nations with dedicated cyber defence units such as Singapore should ensure these were effective, Matsubara again underscored the need for cyber intelligence sharing amongst various ministries and industry, particularly CII operators. There also should be regular joint cybersecurity exercises between government agencies, CII companies, and the cyber defence unit to test their incident response capabilities. Pointing to the ransomware attack that brought down the US Colonial Pipeline last year, she said the case demonstrated that financially-motivated cybercrimes that targeted a specific company could cause significant damage in other sectors as well as the rest of the country. Other nations also could be impacted since there were no borders in the cyber realm.The potentially wide spread and interdependencies of CII sectors, such as transport and energy, further stressed the importance for governments and the industry to participate in intelligence sharing and joint cybersecurity exercises, she said. Sociopolitical tensions such as the ongoing Sino-US trade war, though, could introduce further complexities to the global ecosystem, particularly if it resulted in the decoupling of technology infrastructures.It could mean organisations would have to support more protocols to ensure interoperability, potentially resulting in more exploits and more patches to deploy, Zwienenberg said. Businesses–in particular, SMBs–already were taking too long to roll out fixes, with known exploits left unpatched sometimes for months, he said, noting that old exploits such as Wannacry still infecting systems today. RELATED COVERAGE More

June Wan/ZDNET Three things are certain when the holiday season comes around: overeating, overspending, and my inbox being overcrowded with marketing emails from virtually every brand I’ve ever laid eyes on.  With the Black Friday and Cyber Monday hubbub dying down, now is the best time to scan your inbox, discover what brands you didn’t […] More

Image: Getty/damircudic A cruel business email compromise (BEC) gang is hacking people’s email accounts and sending messages to their contacts claiming the account owner needs to send a gift to an unwell friend in an attempt to manipulate people into sending online gift cards.  ZDNET Recommends Detailed by cybersecurity researchers at Abnormal Security, an organized […] More

Australia is beefing up its scrutiny of Medibank and will assess if further regulatory action is necessary, following a data breach that impacted 9.7 million customers. The insurance group also has pledged to share the outcome of an external review into the breach, which is believed to be the work of Russian hackers. Noting that the breach raised concerns about the robustness of Medibank’s operational risk controls, the Australian Prudential Regulation Authority (APRA) said Monday it had “intensified” its supervision of Medibank. Consulting firm Deloitte had been brought in to examine the security incident as well as Medibank’s response and effectiveness of its controls. The financial services regulator said it would determine if further regulatory action was necessary when findings of the external review were established. APRA Member Suzanne Smith said: “APRA expects Medibank to undertake any recommended remediation actions and ensure there is appropriate consequence management, including impacts to executive remuneration where appropriate.”The government agency added that it would further intensify supervision of all entities that failed to comply with the country’s Information Security Prudential Standard CPS 234, which outlined measures they must take to remain resilient against cybersecurity incidents. “Recent cyber attacks reinforce the need for ongoing vigilance and focus by boards on operational resilience,” Smith said. “They are a stark reminder for boards to ensure they can answer these fundamental questions: Do you know what data you are holding? Do you know where it is? How do you know it is safe? And do you need to retain it? “Cybersecurity is a highly significant risk area for all regulated entities and we remind banks, insurers and superannuation funds to remain vigilant in order to protect their beneficiaries and the Australian community,” she added. In response, Medibank CEO David Koczkar said Monday it had been in consultation with APRA on the scope of the external review, which it had commissioned Deloitte to undertake. “We will share the key outcomes and consequences of the review, where appropriate, having regard to the interests of our customers and stakeholders and the ongoing nature of the Australian Federal Police (AFP) investigation,” Koczkar said. The police earlier this month said hackers based in Russian were responsible for the breach, adding that it was working on “covert measures” with its international networks, including the Interpol.”AFP Commissioner Reece Kershaw said: “Our intelligence points to a group of loosely affiliated cybercriminals, who are likely responsible for past significant breaches in countries across the world. These cybercriminals are operating like a business with affiliates and associates who are supporting the business. We also believe some affiliates may be in other countries.”Adding that his team knew but were not revealing the identifies of the people behind the attack, Kershaw said ongoing investigations were focused on all parties involved. “What I will say is that we will be holding talks with Russian law enforcement about these individuals,” he said. AFP has oversight of the Australian Interpol National Central Bureau, which has direct contact with National Central Bureau Moscow. Kershaw noted that Interpol National Central Bureaus could ask for cooperation from any other National Central Bureau in investigations that went beyond local borders. “It is important to note that Russia benefits from the intelligence-sharing and data shared through Interpol, and with that comes responsibilities and accountability,” he said.Medibank has posted updates on data compromised in the breach that have popped up on a dark web forum. In a November 20 statement, it confirmed another four files containing 1,496 records were released online, including 123 records from files previously released by the hackers. Koczkar said the company would not pay any ransom, based on the advice of cybercrime experts and belief there was only a limited chance doing so would prevent its customers’ data from being published. “Paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target,” he said. The Australian government this month passed a legislation to increase financial penalties for data privacy violators, pushing up maximum fines for serious or repeated breaches to AU$50 million ($32.34 million), from its current AU$2.22 million, or three times the value of any benefit obtained through the data misuse, or 30% of the company’s adjusted turnover in the relevant period, whichever is greater. RELATED COVERAGE More

For these Black Friday VPN deals, we only considered reputable and trustworthy VPN providers. There are no shortages of VPNs out there, but there is a limited number of companies that provide secure and user-friendly VPNs.Finding true VPN deals can be a bit tricky because the prices change frequently and with various subscription lengths and add-ons, it gets convoluted. Most VPNs charge less for longer subscriptions and the standard price for service is often advertised as a huge discount. But if the VPN is always available for 63% off, then I don’t consider that a sale. For the offers listed in this roundup, I based the discounted price on what I’d consider the standard offer rather than an imaginary inflated price that you’ll never have to pay. Many of these deals include additional months tacked onto a standard plan. These free months drop the average monthly cost but often the upfront price is the same, in those cases we’ve noted that the lump-sum payment hasn’t changed.We didn’t include free VPNs in our roundup because free VPN services are a mixed bag. It takes money to run a VPN and if you’re not paying then you could be bombarded with ads or stuck with a subpar service. That’s in the best-case scenario. The worst free VPNs could make money by selling your data, so it’s best to stick with a paid service if you’re taking your privacy and security seriously. More

For these Black Friday VPN deals, we only considered reputable and trustworthy VPN providers. There are no shortages of VPNs out there, but there is a limited number of companies that provide secure and user-friendly VPNs.Finding true VPN deals can be a bit tricky because the prices change frequently and with various subscription lengths and add-ons, it gets convoluted. Most VPNs charge less for longer subscriptions and the standard price for service is often advertised as a huge discount. But if the VPN is always available for 63% off, then I don’t consider that a sale. For the offers listed in this roundup, I based the discounted price on what I’d consider the standard offer rather than an imaginary inflated price that you’ll never have to pay. Many of these deals include additional months tacked onto a standard plan. These free months drop the average monthly cost but often the upfront price is the same, in those cases we’ve noted that the lump-sum payment hasn’t changed.We didn’t include free VPNs in our roundup because free VPN services are a mixed bag. It takes money to run a VPN and if you’re not paying then you could be bombarded with ads or stuck with a subpar service. That’s in the best-case scenario. The worst free VPNs could make money by selling your data, so it’s best to stick with a paid service if you’re taking your privacy and security seriously. More

Image: MS_studio/Shutterstock Many Android smartphones are vulnerable to multiple high-severity security issues that Google Project Zero reported over summer but remain unpatched, despite Arm releasing fixes for them.  Android phones equipped with Arm Mali GPUs are affected by the unpatched flaws. As GPZ researcher Ian Beer points out, even Google’s Pixel phones are vulnerable, as […] More