More stories

  • Clueless hackers spent months inside a network and nobody noticed. But then a ransomware gang turned up

    Novice hackers who didn’t know what they were doing spent months inside a government agency network without being detected, before higher-skilled attackers came in after them and launched a ransomware attack.

    Analysis of the incident at an unspecified US regional government agency by cybersecurity researchers at Sophos found that the amateur intruders left plenty of indicators that they were in the network. Yet despite a lack of subtlety and the trail they left behind, they weren’t detected, because of what Sophos researchers describe as “strategic choices” made by the IT team that made life easy for them.

    The attackers initially broke into the network using one of the most popular techniques deployed by cyber criminals: breaching the password of internet-facing Windows Remote Desktop Protocol (RDP) on a firewall. It’s uncertain how the password itself was breached, but common methods include brute-force attacks and phishing emails. They also got lucky, because the compromised RDP account wasn’t only a local admin on the server, but also had domain administrator permissions, allowing the account to be used to create admin accounts on other servers and desktops.

    But despite all this power, the intruders didn’t seem to know what to do once they had access to the network. Analysis of activity logs suggested they used the servers they controlled inside the network to run Google searches for hacking tools, then followed pop-up ads to pirated software downloads. Researchers say this left the servers riddled with adware, with the hackers unintentionally infecting the servers they controlled with malware. The victim organisation didn’t notice any of this was happening.

    Log data suggests that the attackers regularly disappeared for days at a time before returning to look around the network, occasionally creating new accounts to gain access to other machines. This continued for months, with the attackers seemingly learning how to hack networks as they went along, as well as installing cryptomining malware on the compromised servers.

    “This was a very messy attack,” says Andrew Brandt, principal security researcher at Sophos. “They then seemed unsure of what to do next.”

    But after four months, the attacks suddenly became more focused and more sophisticated. Following a three-week hiatus with no activity, attackers remotely connected and installed the password-sniffing tool Mimikatz in order to gain access to additional usernames and passwords, storing them all in a text file on the desktop of admin-level accounts they had created. These attackers also looked to remove the coinminer which had previously been installed and attempted to uninstall antivirus software on endpoints. It’s likely that the higher sophistication of the attacks means new intruders had gained access to the network.

    “When you see an abrupt change in both goals and skill level in an attack like this, in which the original ingress point is at that point still open as it was in this case, the safe bet is that another attacker has entered the space,” says Brandt.

    It was at this point that the IT department noticed something strange was happening, taking servers offline to investigate. But in order to do this, they also disabled some cybersecurity protections, and the attackers took advantage. The intruders repeatedly dumped new account credentials and created new accounts in order to continue their attacks. The logs were also wiped repeatedly, in what could have been an attempt to cover their tracks.

    The new, much more sophisticated attackers also stole a set of sensitive files as they worked towards the apparent end goal of a ransomware attack, which fully encrypted some of the machines on the network with LockBit ransomware.

    But the attack didn’t affect all the machines, and the IT department, with the aid of Sophos analysts, was able to clean up and restore services. However, the whole attack could have been prevented if better cybersecurity strategies had been in place, as attackers were able to freely enter and move around the network without being detected, particularly as measures were implemented to improve efficiency rather than to improve cybersecurity, even when it was clear the organisation was under attack.

    “Disabling features like tamper protection on endpoint security software seemed to be the critical lever the attackers needed to completely remove protection and complete their jobs without hindrance,” researchers said in the blog post.

    Applying multi-factor authentication to user accounts would have helped prevent them from being exploited, and login notifications would have provided a warning that something suspicious was under way. Meanwhile, properly monitoring the network would have indicated something was wrong when the attackers were snooping around, and certainly before another set of hackers broke in and laid the foundation for a ransomware attack.

    “Defenders have to keep watch on their network, whether in-house or through a managed-services partner. Keeping an eye out for smaller oddities or incidents – even something as simple as someone logging into a system at odd hours or from an unusual location – can make the difference,” said Brandt.
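    The “smaller oddities” Brandt describes (logons at odd hours or from unusual locations, freshly created accounts being made administrators, audit logs being cleared) are all cheap to flag from the Windows Security log. The script below is an added illustration for this story, not Sophos’ code or anything from the victim agency: it runs a handful of such rules over constructed sample events written as one JSON object per line (a simplified rendering of Windows event IDs 4624, 4720, 4732 and 1102, which is an assumption about the export format), and the corporate address range and business hours are assumed values.

```python
"""Flag low-noise oddities in a Windows Security event stream:
interactive/RDP logons outside business hours or from unfamiliar addresses,
new accounts, accounts added to Administrators, and audit log clearing.

Added example for the Sophos incident story; not Sophos' code.
Event lines are a simplified JSON rendering of Windows Security events
(assumed format); all sample lines below are constructed."""
import ipaddress
import json
from collections import Counter
from datetime import datetime

# Constructed sample events. IDs: 4624 logon, 4720 user created,
# 4732 member added to a local group, 1102 audit log cleared.
SAMPLE_EVENTS = """\
{"ts": "2021-10-04T09:12:00", "id": 4624, "user": "jsmith", "logon_type": 10, "src": "10.0.5.21"}
{"ts": "2021-10-04T23:41:00", "id": 4624, "user": "jsmith", "logon_type": 10, "src": "203.0.113.77"}
{"ts": "2021-10-04T23:50:00", "id": 4720, "user": "jsmith", "target": "svc_backup2"}
{"ts": "2021-10-04T23:52:00", "id": 4732, "user": "jsmith", "target": "svc_backup2", "group": "Administrators"}
{"ts": "2021-10-05T02:10:00", "id": 4624, "user": "svc_backup2", "logon_type": 10, "src": "203.0.113.77"}
{"ts": "2021-10-05T02:30:00", "id": 1102, "user": "svc_backup2"}
{"ts": "2021-10-05T03:00:00", "id": 4624, "user": "svc_sql", "logon_type": 3, "src": "10.0.7.3"}
""".splitlines()

KNOWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate range
BUSINESS_HOURS = range(7, 19)                           # 07:00-18:59, assumed
INTERACTIVE_LOGON_TYPES = {2, 10}                       # console (2) and RDP (10)


def parse_events(lines):
    """Parse one JSON event per line; timestamps become datetime objects."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def find_oddities(events, known_networks=KNOWN_NETWORKS, business_hours=BUSINESS_HOURS):
    """Return one alert dict per rule match, in event order."""
    alerts = []

    def flag(rule, ev):
        alerts.append({"rule": rule, "ts": ev["ts"].isoformat(), "user": ev["user"]})

    for ev in events:
        eid = ev["id"]
        if eid == 4624 and ev.get("logon_type") in INTERACTIVE_LOGON_TYPES:
            # Network/service logons (type 3 etc.) are routine at night; only
            # human-style sessions are checked against hours and origin.
            if ev["ts"].hour not in business_hours:
                flag("LOGON_ODD_HOURS", ev)
            src = ipaddress.ip_address(ev["src"])
            if not any(src in net for net in known_networks):
                flag("LOGON_UNFAMILIAR_SOURCE", ev)
        elif eid == 4720:
            flag("ACCOUNT_CREATED", ev)
        elif eid == 4732 and ev.get("group") == "Administrators":
            flag("ADMIN_GROUP_MEMBER_ADDED", ev)
        elif eid == 1102:
            flag("AUDIT_LOG_CLEARED", ev)
    return alerts


def summarize(alerts):
    """Count alerts per rule, handy for a daily review digest."""
    return Counter(a["rule"] for a in alerts)


if __name__ == "__main__":
    found = find_oddities(parse_events(SAMPLE_EVENTS))
    for a in found:
        print(f"{a['ts']}  {a['rule']:26}  {a['user']}")
    print(dict(summarize(found)))
```

On the constructed sample the run surfaces exactly the sequence the article describes: an RDP logon late at night from an outside address, a new account created minutes later and made an administrator, that account logging in from the same outside address, then the security log being cleared. Each rule alone is noisy; the value is in seeing them cluster around one account within a few hours.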

  • Developer trends, zero-day risks, 5G speeds, and more: Tech research roundup

    According to Google Project Zero’s zero-day tracker, there were 25 browser zero-days patched last year, of which 14 were for Chrome, six were for Safari’s WebKit engine, and four were for Internet Explorer. In 2020, there were just 14 browser zero-day flaws.

  • Enemybot: a new Mirai, Gafgyt hybrid botnet joins the scene

    A new botnet is targeting routers, Internet of Things (IoT) devices, and an array of server architectures.

    On April 12, cybersecurity researchers from FortiGuard Labs said the new distributed denial-of-service (DDoS) botnet, dubbed Enemybot, borrows modules from the infamous Mirai botnet’s source code, alongside Gafgyt’s.

    The Mirai botnet was responsible for a massive DDoS attack against Dyn in 2016. Mirai’s source code was leaked online in the same year, and even now, botnets utilizing parts of the malicious network continue to be weapons of choice for threat actors. Gafgyt/Bashlite code is also public, and according to FortiGuard, the new Enemybot employs elements of both botnets in its attacks, joining the likes of Okiru, Satori, and Masuta.

    Keksec is thought to be the botnet’s operator. Keksec, also known as Necro or Freakout, is a prolific threat group connected to DDoS assaults, cyberattacks against cloud service providers, and cryptojacking campaigns. According to Lacework, the threat group is also the developer of a Tsunami DDoS malware variant called “Ryuk,” although this is not to be confused with the Ryuk ransomware family.

    Enemybot was first discovered in March 2022. The botnet uses Mirai’s scanner module and bot killer, which checks for running processes in memory and terminates any competitors based on a selection of keywords. The team has described the botnet as an “updated and ‘rebranded’ variant of Gafgyt_tor” due to its heavy reliance on botnet functions sourced from Gafgyt’s codebase.

    Enemybot will attempt to compromise a wide range of devices and architectures through techniques including brute-force attacks and vulnerability exploitation. Seowon Intech, D-Link, Netgear, Zhone, and D-Link routers are targeted, as well as iRZ mobile routers and misconfigured Android devices. The threat actors will try to exploit both old, patched vulnerabilities and newer security issues such as Log4j. When it comes to architecture, Enemybot isn’t too picky: desktop and server systems on arm, arm64, Darwin, and BSD are attacked, alongside many others.

    “This mix of exploits targeting web servers and applications beyond the usual IoT devices, coupled with the wide range of supported architectures, might be a sign of Keksec testing the viability of expanding the botnet beyond low-resource IoT devices for more than just DDoS attacks,” the researchers say.

    Once the malware has compromised a device or server, a text file is loaded with cleartext messages, such as: “ENEMEYBOT V3.1-ALCAPONE – hail KEKSEC, ALSO U GOT haCkED MY [REDACTED] (Your device literally has the security of a [shitty device] / [smart doorbell]).” Enemybot then grabs binaries, depending on the target architecture, and executes a range of DDoS-related commands. The malware can also use a range of obfuscation methods to hinder analysis and hide its presence. The botnet’s command-and-control (C2) server is hosted on a .onion domain, only accessible via the Tor network.

    Enemybot is still under active development. “We expect that more updated versions will be distributed in the wild soon,” the researchers say. “FortiGuard Labs will keep monitoring this botnet.”

  • Barracuda Networks changes hands with purchase by global investment firm KKR

    Barracuda Networks has been acquired by KKR, an investment outfit taking the company over from past owner Thoma Bravo.

    Founded in 2003, Barracuda is the developer of cybersecurity solutions, including email protection, app and cloud defenses, data management, and network security. Products include Secure Access Service Edge (SASE) offerings, threat detection and response, and data inspection. The company caters to approximately 200,000 customers worldwide and focuses on small to medium-sized businesses.

    It appears that the cybersecurity firm recently captured the interest of KKR, an investment company that markets itself as offering “alternative asset management.” The funds managed by KKR include hedge funds, private equity, credit, and real-world assets. The acquisition was announced on April 12.

    Private equity firm Thoma Bravo purchased Barracuda in 2017 for $1.6 billion. At the time, the sale was intended to increase Barracuda’s growth and maximize shareholder value. Four years after being listed on the NYSE, Barracuda (CUDA) then went private.

    The financial terms of the deal have not been disclosed. However, the companies say that since Thoma Bravo’s acquisition, Barracuda has enjoyed growth at “over $500 million” in revenue. Reuters reports that the acquisition is worth approximately $4 billion, including debt. KKR says that Barracuda’s growth is still a priority and the investment outfit will support its expansion in areas including detection and response and SASE.

    “We continue to see cybersecurity as a highly attractive sector and are excited to back a clear leader in the space,” commented John Park, Head of Americas Technology Private Equity at KKR. “Given its proven track record of growth and innovation, we believe that Barracuda has the right team and model to capture business in this growing market.”

    The transaction is expected to close by the end of 2022, subject to customary conditions.

  • Hacking forum RaidForums shut down and founder arrested in global police operation

    The RaidForums hacker forum, used by cybercriminals primarily to buy and sell stolen databases, has been shut down and its domains seized by US law enforcement as part of an operation coordinated by Europol that involved law enforcement agencies across numerous countries.

    “The takedown of this online market for the resale of hacked or stolen data disrupts one of the major ways cybercriminals profit from the large-scale theft of sensitive personal and financial information,” US Justice Department (DOJ) assistant attorney-general Kenneth Polite Jr said in a statement. Prior to the forum’s seizure, hundreds of databases of stolen data containing more than 10 billion unique records for individuals had been offered for sale, the DOJ said.

    The global enforcement action, labelled Operation Tourniquet, saw Europol, the UK National Crime Agency (NCA) and the US Justice Department, along with Portuguese, Swedish, and Romanian law enforcement officials, work together to close the RaidForums hacker forum. The various countries worked together on this operation for at least a year through Europol’s Joint Cybercrime Action Taskforce, where officials exchanged information with each other to enable investigators to define the different roles played by the individuals who ran the marketplace, Europol said.

    US charges have also been laid against RaidForums’ Portuguese founder and chief administrator, Diogo Santos Coelho, who was arrested in the UK in January. Coelho has been accused of running the forum, which entailed establishing a membership scheme where users of the site could pay for access to chatrooms that allowed the exchange of links, photographs, and data linked to cyber-crime. Among the charges are conspiracy, access device fraud, and aggravated identity theft in connection with his role as the chief administrator of RaidForums. Coelho is currently in UK custody and could be extradited to the US pending legal proceedings to face these charges.

    Two of Coelho’s accomplices have also been arrested. One of them, a 21-year-old UK citizen, was arrested by the NCA in March but has since been released under investigation. At the time of this unnamed individual’s arrest, police officers seized £5,000 in cash, thousands in US dollars, and put a freeze on crypto assets worth more than half a million dollars.

  • The high price of free Wi-Fi: Here's why you never connect to an insecure network

    Later that day odd things begin to happen. Your phone isn’t working exactly as expected and you start receiving a deluge of what appears like harmless spam.

    Let me set the scene for you: You’re on the go and you need to stop and get a coffee. You enter the coffee shop and the aroma is the first thing to entice you. Next, you see all the lovely people sitting around making deals, writing the great American novel, chatting, and just generally enjoying themselves. You then notice a sign that states, “Free Wi-Fi.” Score!


    You pull out your phone, open the network connection app and notice the wireless connection doesn’t have a password. Even better. You connect to the wireless network and order your quad long shot grande in a venti cup half caff double cupped no sleeve salted caramel mocha latte with 2 pumps of vanilla substitute 2 pumps of white chocolate mocha for mocha and substitute 2 pumps of hazelnut for toffee nut half whole milk and half breve with no whipped cream extra hot extra foam extra caramel drizzle extra salt add a scoop of vanilla bean powder with light ice well stirred.

    While the barista brews your ridiculously complicated order, you sit down and start using all that free Wi-Fi. You send email, you communicate with team members on Slack, send SMS messages to friends and family, check in on Facebook, and tweet the single most profound statement Twitter has ever beheld. Life is good. You get your drink and continue on as though nothing can touch you. Eventually, you leave and think nothing of your experience (other than how delicious the coffee was and how on point your Twitter game is).

    Later that day (or maybe the next day) odd things begin to happen. Your phone isn’t working exactly as expected and you start receiving a deluge of what appears like harmless spam. Okay, fine… all in a day’s existence, right? But then you get a warning from your bank. And you start seeing reactions to things you didn’t post or send. You check in on your bank account to find your balance is at zero. Panic sets in. What happened? You’ve always been so careful with your bank account credentials and you never share that kind of information with anyone. This can’t be real, can it?

    It can, and it most likely all started with you connecting to a simple password-less wireless network. The truth is, you are not safe. Your information isn’t safe, your identity isn’t safe, your mobile devices aren’t safe. Because of this, you have to take every precaution you can, which means never (ever, ever) connecting to an insecure network.

    Why are insecure networks so bad? The simple truth is that when you connect to insecure Wi-Fi, you open your device to anyone who is also connected to that same wireless network. But why is that so bad? So what if other people can see my device on the network? Let me put this in the simplest terms.

    Not every application you use on your mobile device encrypts your data. That means you could be submitting usernames, passwords, and even text messages in plain text. What does that mean? Simple: When you use an app that works with encryption, any data you send or receive is encrypted in such a way that it’s very difficult to read. So instead of sending the plain text “password” (which you should never use), it’ll send something like this instead:

        hQGMA0mnhEQQ+utUAQwAixnPWw4LcXk1Njq0zHc8RRYnlN1424RASIT+s0d9DAHe
        wIwzrLemIKo0Z97aZ97g0FdmlbWbPELt4Er7O0L/4ERvaWRhW3hf7WsipX0/PAVD
        Kz99IN/TT6srb6T08f6wpVCn4kuKl60Dl2630QvFxe4HtmbgzqnzqdUZ53sFknX4
        TlRJw8K8lZ+/o5nW88JG+3MfKq/gd5eHIxDWLUZg5MDORhPy6FckeuF4ejWjKfzM
        WCkNP+IEq7trZ6/SH724HES8nHxIiaH9CaI1D7cHckR0cvF40Xo+rCIP9Qu6Ahax
        yOHqKmDhjfjV11H4MVZrhjn2zFI5jBahmUvZc0+JvtHuI/Bd26buo50Xg3co01em
        kog0P9GK/4TNMtIuxupiSMryNM0l18FjWzso6ojf662nF4nDpiUQmJVCcpRhSNHO
        twXM1tvmNSjN0OTf6hiU3tD4iE1N5FhTSkeq7Rz9DunraO7aILNArpt8ndbOssV5
        gt5eWnsGMUR/7EK6htvA0kQBgHjl0o98rjTcvTF+pZtQSr3omSQTiafRXDxHBbT7
        xbMWyNxWQ91PEDWuTtaMbqlDkxbUmqlFFJ6XgvyzqjsRqaTuCQ==
        =psm9

    That, my friends, is encryption. And unless your applications are all using it, you’re sending plain text over a network that anyone can access. Once connected, a bad actor could use a sniffer to intercept your plain-text data packets and read them. And the tools used to capture those packets are readily available to anyone.

    You might think this is just a warning that can be ignored at will. To that point, you would be right. This is a warning, but it’s one you should heed. When you connect to insecure wireless networks, it’s only a matter of time before someone intercepts your data and you fall prey to any number of nefarious doings.


    Here are the reasons why you should never connect to an insecure wireless network: Anyone with the knowledge can steal your data. That’s really the only bullet point you need. And although I’d like to sugar-coat this for you, the truth of the matter is the longer you ignore this advice, the more at risk you are.

    What can you do? You might find yourself in a situation where you absolutely must connect to an insecure wireless network (maybe you’re out of data and have work to do). When you find yourself in such a situation, consider the possible options:

      • Never send any passwords or sensitive information when connected to that insecure wireless network.
      • Use a VPN (such as Tunnelbear) when connected to those insecure networks (as it will encrypt and anonymize your data).
      • Use a more secure web browser (such as Brave or Firefox), so you can enable features like always use HTTPS and secure DNS.
      • Enable secure DNS in your web browser of choice (so all of your searches are encrypted).
      • Enable end-2-end encryption in the Android Messenger app (Settings > Chat features > Enable chat features) so all of your SMS messages are encrypted.
      • Disable sharing features as needed (so you’re not opening your device up for even more unwanted connections from bad actors).
      • Invest in an unlimited data plan for your phone, so you never have to bother with connecting to an insecure network.

    Let’s break the above down. The absolute best path you can take is to invest in an unlimited data plan. Why? With an unlimited plan, you will never have a need to connect to an insecure wireless network (especially given how fast 5G speeds are). If, however, that’s not an option, I would highly suggest, at a minimum, you use a VPN every time you connect to an insecure network, work with a more secure browser and enable end-2-end encryption on your SMS apps. As you can see, other than only using your data plan, there’s no 1-step solution for this problem. And even when using your carrier data, you could up your security game by following the above advice.

    The same thing holds true when using a laptop, and is especially true when using a Windows-based laptop. If the location you’re working in only offers an insecure network, your best bet is to tether your laptop to your mobile device and use the phone’s data plan for connectivity.

    I know the inclination is to roll your eyes at such warnings, but this is one you should take seriously. Do not connect to insecure wireless networks. Period. End. Of. Story. If you value your privacy and the security of your data, you will follow this advice to the letter.
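    To make the plain-text-versus-encrypted point above concrete, and to show what the “always use HTTPS” browser setting in the list actually does, here is an added example that is not part of the article and not the author’s code. It models each app connection as a small record (the records and the `.test` hostnames are constructed placeholders), reports what someone else on the same open network could read from each one, and implements the HTTPS upgrade rule as a function. It is a model of the exposure, not a packet capture.

```python
"""What a passive observer on shared, open Wi-Fi learns from each connection,
plus the 'always use HTTPS' rule written as a function.

Added example for the free Wi-Fi article; not the author's code.
CONNECTIONS is a constructed sample and the .test hostnames are placeholders."""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: a few things a phone might send from the coffee shop.
CONNECTIONS = [
    {"url": "http://example-bank.test/login", "body": "user=alice&password=s3cret"},
    {"url": "https://example-bank.test/login", "body": "user=alice&password=s3cret"},
    {"url": "http://news.example.test/feed.xml", "body": ""},
    {"url": "https://chat.example.test/send", "body": "to=bob&msg=see+you+at+6"},
]


def observer_view(conn):
    """Return what someone sniffing the shared network learns from one connection.

    Plain HTTP: the whole request is readable, path and body included.
    HTTPS: the hostname still shows (it leaks through DNS and the TLS handshake),
    along with sizes and timing, but the content does not."""
    parts = urlsplit(conn["url"])
    view = {"host": parts.hostname, "content_readable": parts.scheme != "https"}
    if view["content_readable"]:
        view["path"] = parts.path
        view["body"] = conn["body"]
    else:
        view["encrypted_bytes"] = len(conn["body"])
    return view


def cleartext_urls(conns):
    """The URLs whose content an observer could read: the ones to fix first."""
    return [c["url"] for c in conns if observer_view(c)["content_readable"]]


def enforce_https(url):
    """The 'always use HTTPS' setting as a function: upgrade http:// to https://,
    pass https:// through, and refuse any other scheme rather than guess."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url
    if parts.scheme == "http":
        return urlunsplit(("https",) + tuple(parts[1:]))
    raise ValueError(f"refusing to upgrade unsupported scheme: {parts.scheme!r}")


if __name__ == "__main__":
    for c in CONNECTIONS:
        print(observer_view(c))
    print("readable by anyone on the network:", cleartext_urls(CONNECTIONS))
    print("after HTTPS upgrade:", [enforce_https(c["url"]) for c in CONNECTIONS])
```

The two bank logins carry identical form data; only the scheme differs, and that alone decides whether the observer sees the credentials or just “someone talked to example-bank.test and sent about 26 bytes.” Note that the hostname is exposed either way, which is why the article pairs the HTTPS advice with secure DNS and a VPN.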

  • DuckDuckGo brings its privacy-focused browser to Macs

    Image: An example of DuckDuckGo for Mac’s tracker blocker in action (credit: Duck Duck Go)

    DuckDuckGo, best known for its privacy-focused search engine, is bringing its equally privacy-focused web browser to desktops for the first time, starting with Macs.

    The company teased its desktop browser plans late last year, but this is the first time the company’s been able to get its hands on any version of the promised software. Like the company’s iOS and Android browsers, DuckDuckGo for Mac was built, from the ground up, to prioritize the user’s privacy at all times. This added security is powered by features like built-in access to the private DuckDuckGo search engine, pop-up cookie protection, a one-click option for clearing all browsing data, email protection, automatically defaulting to the encrypted (HTTPS) version of all sites, and more.

    The new browser apparently uses macOS’ built-in website rendering engine (the same one used by Safari, DuckDuckGo noted) to provide fast load times. The company claims that these expedited loads are made even quicker by its default blocking of all ad trackers.

    DuckDuckGo for Mac is launching as a private beta, with its maker noting that some features are not yet fully implemented. Among those missing features is support for extensions. While it does plan to enable extensions at a later date, DuckDuckGo claims that the browser’s built-in password manager and ad-blocker already do the job of the two most commonly downloaded extension types without the need to install third-party solutions. It also noted that the built-in password manager is able to import your saved credentials from third-party extensions like 1Password or LastPass to make your transition easier.

    Users interested in joining the waitlist to test out the private beta can do so by downloading one of the company’s mobile browser apps, going to its Settings menu, and tapping on DuckDuckGo for Desktop (in the “More from DuckDuckGo” section). There you’ll see an option to “Join the Private Waitlist.” Once you’re granted access, a notification from the mobile app will provide an invite code that can be used to download DuckDuckGo for Mac on your system of choice.

    The company noted that it is already working on a version of its browser for Windows-based PCs. However, it did not provide a timeframe for when that edition might be available.

  • Microsoft's April 2022 Patch Tuesday tackles two zero-day vulnerabilities

    Microsoft has released over 100 security fixes for software that resolve critical issues including two zero-days. In the Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, Microsoft has fixed problems including numerous remote code execution (RCE) bugs, elevation of privilege (EoP) issues, denial-of-service, information leaks, and spoofing. In total, 10 vulnerabilities are classed as critical.

    Products impacted by April’s security update include the Windows OS, Microsoft Office, Dynamics, Edge, Hyper-V, File Server, Skype for Business, and Windows SMB.

    The zero-day vulnerabilities resolved in this update are:

      • CVE-2022-26904: This known zero-day flaw impacts the Windows User Profile Service and is described as an EoP vulnerability. The bug has been issued a CVSS severity score of 7.0 and its attack complexity is considered ‘high’, as “successful exploitation of this vulnerability requires an attacker to win a race condition,” according to Microsoft.
      • CVE-2022-24521: This bug is another EoP issue found in the Windows Common Log File System Driver. Issued a CVSS score of 7.8, Microsoft says that attack complexity is low and the company has detected active exploitation, despite the flaw not being made public until now.

    Two other security issues, CVE-2022-26809 and CVE-2022-24491, are also of note. These vulnerabilities, impacting Remote Procedure Call Runtime and the Windows Network File System, have earned CVSS scores of 9.8 and can be exploited to trigger RCE.

    According to the Zero Day Initiative (ZDI), the patch volume level is similar to Q1 2021. Last month, Microsoft resolved 71 vulnerabilities in the March batch of security fixes. Among the bugs dealt with are CVE-2022-22006 and CVE-2022-24501, which are the only two critical bugs that were patched. In February, Microsoft patched 48 vulnerabilities, including one zero-day security flaw.

    In other Microsoft news, the tech giant is planning a change that could mean an end to Patch Tuesday as we know it. Dubbed Windows Autopatch, the automatic Windows and Office software update service will be rolled out to enterprise clients to make sure they have access to security fixes more quickly, rather than waiting for one monthly update, with the exception of emergency out-of-schedule releases. Windows Autopatch is set for release in July 2022.

    Alongside Microsoft’s Patch Tuesday round, other vendors, too, have published security updates.