Information Technology

YouTube has remained in Russia to serve as a source of independent news, according to CEO Susan Wojcicki who spoke at the Davos World Economic Forum on Tuesday where she also addressed the company’s decision to remove Russian state media from the platform.”As soon as the war broke out, we realised this was an incredibly important time for us to get it right with regard to our responsibility,” said Wojcicki.The CEO explained the company had updated its policies to remove Russian state media from its platform, as well as other content, in an effort to stem misinformation that sought to deny or trivialise the war in Ukraine. Read: YouTube moves to block Russian state-funded media globallyWojcicki added the YouTube platform had been used for “all kinds of humanitarian reasons” throughout the conflict, such as aiding medical professionals on the battlefield and educating children isolated from school as a result of the war.Further to this, the CEO detailed how Russia has been pushing citizens toward Rutube, a Russian video platform with similarities to YouTube, but added that she was not concerned by the emergence of the service.With regard to other social media and content services, Russian communications agency Roskomnadzor announced in March it was blocking access to Facebook, alleging the US social media giant had discriminated against Russian media and information resources, whilst Netflix chose to shut down its service in the country. TikTok also announced in March that it would suspend any livestreaming and new content on its video service.Meanwhile, in Davos on Tuesday, the dichotomy between innovation and health data protection was discussed by a panel of experts.Director and co-founder of Access Now Brett Solomon took a human-rights centric approach proclaiming that it’s proved to be “historically problematic” to leave human rights at the mercy of market forces, placing specific emphasis on the realm of health data.”It’s become very clear as a result of the pandemic, how important health data is to us as individuals, and we don’t know where all of that information is in terms of the contact tracing apps, in terms of where it’s being held by big pharma,” said Solomon.Wipro CTO Subha Tatavarti disagreed, pointing to the positives of retaining health data so that businesses can share information to allow for faster innovation of important medicine.On Wednesday, the Western Australian government committed AU$8 million towards data linkage reforms and public sector capabilities to address social, economic, and health issues.The funding would ensure better cybersecurity protection of sensitive health data, support health experts in conducting research, and streamline existing government services, Minister of Innovation and ICT Stephen Dawson said.”Improved linkage capabilities will enable decisions to be better informed by data and will aid researchers in their efforts to improve the health and wellbeing of all Western Australians,” said Dawson. Previously the Auditor-General of Western Australia had given state authorities a whack for security weaknesses in IT systems used in the state after a report on its contact tracing system was released earlier this month.
Ukraine Crisis More

The government lacks comprehensive data on ransomware attacks and suffers from fragmented reporting, according to a new US Senate committee report. The 51-page report from the Senate Homeland Security and Governmental Affairs Committee calls on the government to swiftly implement new mandates for federal agencies and critical infrastructure organizations to report ransomware attacks and payments to attackers. The 10-month investigation, which focussed on the role of cryptocurrency in ransomware payments, found that reporting on attacks is “fragmented and incomplete”, in part because the FBI and Cybersecurity and Infrastructure Security Agency (CISA) both claim have the “one stop” website for reporting attacks — respectively, IC3.gov and StopRansomware.gov. Since the investigation began, the US has introduced several new laws to improve ransomware incident reporting and data collection, including the Cyber Incident Reporting Act of 2021, which passed the Senate in March, 2022 under the Strengthening American Cybersecurity Act. The new laws require critical infrastructure organizations to report cyberattacks to CISA within 72 hours and ransomware payments within 24 hours. CISA said in March it would immediately share incident reports with the FBI, but the investigation found shortcomings with this arrangement. “While the agencies state that they share data with each other, in discussions with committee staff, ransomware incident response firms questioned the effectiveness of such communication channels’ impact on assisting victims of an attack,” the report states. Beyond the dual reporting functions of the FBI and CISA, there are sector-specific reporting regimes under Treasury’s FinCEN, the Transport Security Administration, and the Security and Exchange Commission, as well as reporting through FBI field offices, and some state governments.”These agencies do not capture, categorize, or publicly share information uniformly,” the report notes. It notes that the FBI’s IC3 figures on ransomware are believe by experts to be a “subset of a subset” of data. The FBI admits its ransomware data in its annual IC3 report is “artificially low” as victims only voluntarily report incidents to the FBI. Meanwhile, FBI field offices that do collect ransomware victim reports lose contact with about 25% of victims during follow-up investigations.   FinCEN would like improved reporting of financial information related to ransomware attacks to give it better actionable data about the laundering of cryptocurrency ransoms, it notes. The lack of comprehensive data impedes US responses through sanctions, law enforcement and international partnerships, as well as private sector contributions to ransomware recovery, the report said. The report calls on federal agencies to immediately implement the requirements under the incident reporting acts to share all incident reports with CISA “to enable a consolidated view of incidents from across different sectors and reported under different regulatory regimes.”The report also stresses that ransomware data collection is also critical for US national security, especially in the context of Russia’s invasion of Ukraine. “As Russia’s invasion of Ukraine continues and Russia seeks to find ways around the international finance system, the need to address these shortfalls grows. Approximately 74 percent of global ransomware revenue in 2021 went to entities either likely located in Russia or controlled by the Russian government,” the report notes. “Further, CISA and other federal agencies have warned that Russia’s invasion of Ukraine could lead to additional malicious cyber activity, including ransomware attacks, in the United States. Therefore, as the report finds, prioritizing the collection of data on ransomware attacks and cryptocurrency payments is critical to addressing increased national security threats.”  More

Written by

Chris Duckett, APAC Editor

Chris Duckett
APAC Editor

Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.

Full Bio

Image: Shutterstock / fizkes
Zoom users are advised to update their clients to version 5.10.0 to patch a number of holes found by Google Project Zero security researcher Ivan Fratric. “User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol,” Fratric said in a bug tracker description of the chain. Looking at the way XMPP messages are parsed differently by Zoom’s server and clients, since they use different XML parsing libraries, Fratric was able to uncover an attack chain that ultimately could lead to remote code execution. If a specially crafted message was sent, Fratric was able to trigger clients into connecting to a man-in-the-middle server that served up an old version of the Zoom client from mid-2019.”The installer for this version is still properly signed, however it does not do any security checks on the .cab file,” Fratric said. “To demonstrate the impact of the attack, I replaced Zoom.exe in the .cab with a binary that just opens Windows Calculator app and observed Calculator being opened after the ‘update’ was installed.” In its security bulletin published last week, Zoom said the security researcher also found a way to send user session cookies to a non-Zoom domain, which could allow for spoofing. The CVE-2022-22786 vulnerability that allowed for downgrading the client only impacted Windows users, while the other three issues — CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787 — impacted Android, iOS, Linux, macOS, and Windows. Fratric discovered the vulnerabilities in February, with Zoom patching its server-side issues the same month, and releasing updated clients on April 24. Related Coverage More

Image: Blue Planet Studio / Shutterstock
The number of decentralized finance (DeFi) and blockchain projects grew massively during the past year, but their increased popularity has also piqued the interest of cyberattackers – who managed to steal at least an estimated $1.8 billion in 2021.

The blockchain is a digital ledger that records transactions in a way that is difficult to tamper with or change. As a result, these technologies have tremendous potential for managing cryptocurrency assets and transactions, as well as for facilitating smart contracts, finance, and legal agreements.SEE: Microsoft warns: This botnet has new tricks to target Linux and Windows systemsIn recent years, the blockchain has led to the emergence of decentralized finance. DeFi financial products and systems are an alternative to traditional banks and financial services, relying on decentralized technologies and smart contracts to operate. DeFi, NFTs, and cryptocurrencies are now popular targets for threat actors, who take advantage of vulnerabilities, logic errors, and programming flaws – as well as performing phishing campaigns to steal digital funds from their victims. In May, Microsoft introduced the term ‘cryware’ to the standard dictionary of digital threats, including malware, infostealers, cryptojackers, and ransomware. The new term describes malware designed to harvest and steal information from non-custodial cryptocurrency wallets, otherwise known as ‘hot wallets’.While the blockchain facilitates the infrastructure digital wallets need for transfers, deposits, and withdrawals, hot wallets are stored locally and so might be susceptible to theft. On Tuesday, cybersecurity researchers from Bishop Fox published an analysis of the significant blockchain and DeFi heists that occurred in 2021. The cybersecurity firm analyzed $1.8 billion in losses. There were 65 major ‘events’ examined by the team, of which 90% were considered to be “unsophisticated attacks”.
Source: Bishop Fox | CryptoSec
According to the researchers, DeFi projects experienced an average of five significant cyberattacks per month, with peaks in May and December.The main attack vectors in 2021 were:51%, smart contract vulnerabilities18%, protocol and design flaws10%, wallet compromise6%, rug pull, exit scams4% key leaks4%, frontend hacks3%, arbitrage2%, cryptocurrency-related bugs2%, front runs (transactions queued with knowledge of future exchanges)”We can see that in most cases, the attack came from a vulnerability in smart contracts or in the very logic of the protocol,” the researchers noted. “This is not surprising for a recent technology that may lack a certain technical hindsight on the implementation of security measures.” When it comes to the types of vulnerabilities exploited in smart contracts, the most common issues exploited by threat actors are well-known bugs, vulnerabilities contained in forks, and sophisticated attacks. Rug pulls and exit scams have also been recorded to a lesser degree. However, many of these attacks could be avoided with robust auditing and testing before production. Developers using forks, too, should check their codebases regularly for any security issues impacting a DeFi project’s source code. “We can say without hesitation that DeFi is currently a tasty target that attracts thieves looking for big and fast gains,” Bishop Fox says. “This observation is obvious given the youth of this technology and the fact that it’s all about the money. “Rare are the technological advances and developments that have never run into problems. In the same way that the first computers were networked without really considering the possibility of spreading a virus, DeFi developers tend to seek innovation in their algorithms more than protection.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Image: Getty Images
Card-skimming malware is increasingly using malicious PHP script on web servers to manipulate payment pages in order to bypass browser defenses triggered by JavaScript code, according to Microsoft. Microsoft threat researchers have observed a change in tactics used by card-skimming malware. Over the past decade, card skimming has been dominated by so-called Magecart malware that relies on JavaScript code to inject scripts into checkout pages and deliver malware that captures and steals payment card details.  

Injecting JavaScript into front-end processes was “very conspicuous”, Microsoft notes, because it might have triggered browser protections like Content Security Policy (CSP) that stop external scripts from loading. Attackers found less noisy techniques by targeting web servers with malicious PHP scripts.SEE: Microsoft warns: This botnet has new tricks to target Linux and Windows systemsMicrosoft in November 2021 found two malicious image files, including one fake browser favicon, being uploaded to a Magento-hosted server. Magento is a popular e-commerce platform. The images contained embedded PHP script, which by default didn’t run on the affected web server. Instead, the PHP script only runs after confirming, via cookies, that the web admin is not currently signed-in, in order to only target shoppers. Once the PHP script was run, it retrieved the current page’s URL and looked for “checkout” and “one page”, two keywords that are mapped to Magneto’s checkout page. “The insertion of the PHP script in an image file is interesting because, by default, the web server wouldn’t run the said code. Based on previous similar attacks, we believe that the attacker used a PHP ‘include’ expression to include the image (that contains the PHP code) in the website’s index page, so that it automatically loads at every webpage visit,” Microsoft explained.There has been a rise in the use of malicious PHP in card-skimming malware. The FBI last week warned of new cases of card-skimming attackers using malicious PHP to infect US business’ checkout pages with webshells for backdoor remote access to the web server. Security firm Sucuri found that 41% of new credit card-skimming malware observed in 2021 was related to PHP skimmers targeting backend web servers. Malwarebytes earlier this month said Magecart Group 12 was distributing new webshell malware that dynamically loads JavaScript skimming code via server-side requests to online stores. “This technique is interesting as most client-side security tools will not be able to detect or block the skimmer,” Malwarebytes’ Jérôme Segura noted.  “Unlike previous incidents where a fake favicon image was used to hide malicious JavaScript code, this turned out to be a PHP web shell.”       But malicious JavaScript remains part of the card-skimming game. For example, Microsoft found examples of card-skimming malware based on JavaScript spoofing Google Analytics and Meta Pixel (formerly Facebook Pixel) scripts. This can trick admins into thinking the scripts are benign.  More

It was one of the largest cyber-espionage attacks of recent times: hackers compromised several United States government federal agencies as well as big tech companies, and were inside networks for months before anyone spotted them. These attackers were later revealed to be working for the Russian foreign intelligence service (SVR), and they started their attack in an unexpected way, by targeting a software company called SolarWinds. The hackers accessed builds of the company’s Orion software, and then placed malware into software updates sent out to SolarWinds customers between March and June 2020. The software is used by thousands of organisations around the world. Applying security updates and patches is generally regarded as good cybersecurity practice to protect against software vulnerabilities being exploited to facilitate cyberattacks, so organisations around the world installed the Orion updates from a source they trusted. But it was that action itself that allowed the attackers in. 

ZDNet Recommends

“It became clear early on the threat actor employed novel and sophisticated techniques indicative of a nation-state actor and consistent with the goal of cyber espionage via a supply chain attack. In addition, the operational security of the threat actor was so advanced, they not only attacked SolarWinds but were able to leverage the Sunburst malicious code and avoid detection in some of the most complex environments in the world,” SolarWinds said in its investigation after the attack.SEE: A winning strategy for cybersecurity (ZDNet special report)Among those compromised by the supply chain attack were the US Treasury Department, the Department of Homeland Security, the US Department of State, as well as cybersecurity companies including Microsoft, FireEye and Mimecast. In total, somewhere around 100 companies were targeted by the attackers.Attackers had been active in the network for months before the attack was discovered in December 2020, when FireEye and Microsoft found intrusions into their networks.  The attack on SolarWinds was disclosed just weeks before Sudhakar Ramakrishna was set to take up his new position as CEO of the company in January 2021. Due to the magnitude of the situation, he chose to get involved with the company’s attempt to investigate and resolve the incident right away. “It was a stressful time for all involved,” he told ZDNet. “When the business is in a state of turmoil and crisis, there isn’t time to sit on the sidelines. The decision to jump in and start working with the team was simple.” The first thing that had to be done was to examine what exactly had happened, how it had remained undetected for so long, and how to ensure it can never happen again. Part of that involved bringing in the services of Krebs Stamos Group – a cybersecurity consultancy set up by former US government cybersecurity chief Chris Krebs, and Stanford University professor and ex-Facebook chief security officer Alex Stamos. The UK’s National Cyber Security Centre (NCSC) was also involved in helping SolarWinds in the aftermath of the incident.  But one policy Ramakrishna wanted to introduce from day one was the concept of ‘Secure by Design’ – building products with security more than anything else in mind. Many organisations and software developers say they take security seriously, but when there’s deadlines to meet or products to repeatedly roll out updates for, software security can often get left on the sidelines. “The notion of secure by design, I had it in my mind and in practice at some level well before I joined SolarWinds,” Ramakrishna explains. “Between the time I came to know about the breach and the time I joined, I started formulating my thoughts in terms of how do we organise around secure by design, what does that mean and what are the various elements of that? Then essentially went about business on day one in terms of implementing that as a process.”  Much of this secure by design philosophy applies directly to the software build system, with the process now designed around cybersecurity as the priority. One of the reasons that cyber attackers were able to conduct the supply chain attack was because of the static nature of the software-building process, where everything is done within one pipeline of development. While that’s useful for developers, it also provides a handy target for the attackers.Now, SolarWinds uses a system of parallel builds, where the location keeps changing, even after the project has been completed and shipped. Much of this access is only provided on a need-to-know basis. That means if an attacker was ever able to breach the network, there’s a smaller window to poison the code with a malicious build. “What we’re really trying to achieve from a security standpoint is to reduce the threat window, providing the least amount of time possible for a threat actor to inject malware into our code,” said Ramakrishna. But changing the process of how code is developed, updated and shipped isn’t going to help prevent cyberattacks alone, which is why SolarWinds is now investing heavily in many other areas of cybersecurity. These areas include the likes of user training and actively looking for potential vulnerabilities in networks. Part of this involved building up a red team, cybersecurity personnel who have the job of testing network defences and finding potential flaws or holes that could be abused by attackers – crucially before the attackers find them. Importantly, the rest of the company doesn’t know what tactics and techniques are going to be used in tests against the network and staff – because cyber criminals and hackers don’t declare exactly how they’re going to conduct campaigns, either. “They are paid to attack our internal systems, our behaviors and our internal practices. That improves the overall security consciousness of the company and that improves the overall security posture of the company,” Ramakrishna explained. Analysis is performed to examine which techniques and vulnerabilities are successfully used to launch attacks – but crucially, nobody is made an example of. All of the information gathered from red teaming is put back into teaching everyone how to identify cyberattacks, phishing emails and other malicious activity to help drive good cybersecurity hygiene.  SEE: How do we stop cyber weapons from getting out of control?But Ramakrishna and SolarWinds know that implementing new cybersecurity procedures isn’t just a one-time initiative, it’s something that needs to be repeatedly revisited as threats change, new vulnerabilities emerge, and offensive hacking techniques evolve. “Increasingly, this will simply become part of the fabric of the company and we won’t have to talk about it in explicit terms as much as just believing in it and working on it on a daily basis,” he says, as SolarWinds works to ensure that something like the supply chain attack can’t happen again by making the network more robust and taking a more proactive approach to detecting potential malicious activity. The company also hopes to take the lessons it has learned and help its worldwide customer base improve their cybersecurity.  “We are evolving and helping them digitally transform much faster into the future,” said Ramakrishna. “My hope also is that things like the build system that we have created will become more and more standards in the industry that others can leverage as well”. By sharing what happened, SolarWinds hopes that other organisations can also learn lessons and improve their own cybersecurity strategies, because anyone can potentially be the victim of a cyberattack, particularly if those behind it have vast resources, such as the state-backed operation that breached SolarWinds. “No one is immune, so you cannot think that it will not happen to you. It could happen to you, so just be vigilant about things and constantly learn,” said Ramakrishna. “Don’t try to fight it alone or don’t wish the problem goes away because the problem is not going to go away,” he added. SEE: Clueless hackers spent months inside a network and nobody noticed. But then a ransomware gang turned upSolarWinds is implementing secure by design in its software build process and recommends that all organisations ensure they have cybersecurity frameworks in place to help manage security at every step of the way when conducting business, no matter what that may be. Most victims of cyberattacks don’t speak out about them, and some will never publicly acknowledge they fell victim. But for Ramakrishna, the best way of showing other businesses what threats are out there and how to protect against them is to openly talk about what happened at SolarWinds – and he hopes that others can learn about what happened to help protect their own networks. “I believe the best and maybe the only way to be most safe and secure is by information-sharing more transparently more quickly,” he said. “If you are creating a situation where there is a lot of victim-shaming that goes on, then people do not step forward to highlight what they are learning”. For SolarWinds, there’s also an element of maintaining trust. The company fell victim to one of the most infamous cyber incidents of recent times and Ramakrishna argued it was only right to be transparent with customers about what happened  “I truly believe you owe it to them: how can you earn that without being transparent?” he says. MORE ON CYBERSECURITY More

IBM has expanded a program to improve the cybersecurity defenses of public schools with $5 million in grants. On Tuesday, IBM said $5 million of in-kind grants would be awarded to public schools, including K-12 institutions in the United States. While IBM’s existing grants program has previously focused on US schools, the scheme has now expanded to other countries. 

IBM said these programs are necessary to “help address cybersecurity resiliency in schools, including against ransomware.” SEE: Just in time? Bosses are finally waking up to the cybersecurity threatIn total, six grants are being awarded to US school districts. In addition, four grants are destined for Brazil, Costa Rica, Ireland, and the United Arab Emirates. Each award is worth $500,000, bringing the total to $5 million in resources and hours.  The program is part of IBM’s Corporate Social Responsibility initiatives under IBM Impact, including social, environmental, and governance projects.  IBM teams will work with schools to audit existing defenses and create playbooks for incident response. In addition, they will address cybersecurity awareness and training for staff, students, and parents, and develop a management-level strategic plan for handling communication in the aftermath of a cyberattack.  According to Emsisoft research, more than 1,000 educational establishments in the US alone suffered a ransomware attack in 2021, including school districts, colleges, and universities.  The researchers say that 2,323 local governments, schools, and healthcare providers in the US public sector became the victims of ransomware operators during the course of the past year.  “For schools, a large barrier to strengthening their cybersecurity posture often comes down to constrained budgets, which financially motivated threat actors bet on,” commented Charles Henderson, head of IBM Security X-Force. “In the event of ransomware attacks, the extreme added pressure schools experience to pay a ransom to recover their operations is a profitable wager for the bad guys.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Written by

Chris Duckett, APAC Editor

Chris Duckett
APAC Editor

Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.

Full Bio

Image: Getty Images
Much like how car manufacturers had to be forced to implement safety features such as seat belts, Australian eSafety Commissioner Julie Inman Grant believes social platforms and tech giants need to be guided by international standards. “What we’re saying is this era of technological exceptionalism has got to end,” Inman Grant said on a panel at the World Economic Forum on Monday. “We’ve got food safety standards, we’ve got consumer protection laws, we need the companies assessing their risks and then building the potential protections in as a forethought, rather than an afterthought … embedding those digital seatbelts and erecting those digital guardrails.” As the world hurtles towards a future that could include augmented reality, metaverses, and other different realities, Inman Grant said such experiences could be supercharged, and that also includes when users are harmed in such environments. “If we don’t learn the lessons of the web 2.0 world, and start designing for the governance and safety by design, and security and privacy for the metaverse world — I mean, what could possibly go wrong with full sensory haptic suits, hyper-realistic experiences, and teledildonics all coming together in the metaverse?” the commissioner said. “If there’s no accountability and no transparency, we’re kind of ignoring that human malfeasance will always exist, and so, how are we going to remediate harm?” Taking a wider view, Inman Grant said as the world gets more polarised and binary, a new balancing of rights may occur. “I think we’re going to have to think about a recalibration of a whole range of human rights that are playing out online — from freedom of speech, to the freedom to be free from online violence, or the right of data protection, to the right to child dignity.” Inman Grant earlier told the forum that freedom of speech does not equate into a total free-for-all, and her agency had seen success in getting harmful content taken down. “Just this week, I issued about AU$4.5 million to a number of sites mostly based in the United States that are hosting the Buffalo manifesto and the gore material.” The eSafety office gained the ability last year to issue takedown notices backed by civil penalties of up to AU$550,000 for companies and AU$111,000 for individuals. See also: Misinformation needs tackling and it would help if politicians stopped muddying the waterExecutive director and co-founder of Access Now Brett Solomon said there was a chance a “state-centric online policing framework” such the eSafety office was not creating a safer internet or world, and could be a dangerous precedent for less liberal nations. “What [esafety] is engaged in — this is a very live experiment on society in real time. And how do we actually know the results?” he said. “How do we know that our communities are safer as a result of this massive, legislative and regulatory model that’s sending a message to the rest of the world, there’s a big risk here that maybe it’s not actually working.” Inman Grant retorted that the agency has helped thousands of people that would not have been able to get  content removed due to not being able to bridge the power gap between themselves and the tech giants and social platforms. Finnish Minister of Transport and Communications Timo Harakka said it was better that any adjustment on rights was done openly and democratically, rather than allowing tech giants to impose decisions themselves. Harakka cited the example of the social platforms eventually getting around to removing former US President Donald Trump. “Twitter and Facebook never saw problem, suddenly they shut down Trump’s Twitter account. So there was a problem but we never got to the real point: What exactly was the policy there?” he said. Harakka said it was “very, very dangerous” that the algorithms used on social platforms have no transparency.”For instance, as soon as the war in Ukraine and the Russian invasion or attacks started, the second most recommended YouTube video was ‘Why West is culpable of this attack to Ukraine’,” he said. “So what was this algorithm about? So it’s promoting this binary world view, promoting aggression, and these algorithms are in many ways something that need [investigation] while taking care of free speech.” Related Coverage More