More stories


    Google: We're spotting more Chrome browser zero-day flaws in the wild. Here's why

    2021 was a record year for the number of zero-day flaws in Chrome that attackers were exploiting before Google knew about them. Is Google losing the race against attackers? According to Google Project Zero’s zero-day tracker, there were 25 browser zero-days patched last year, of which 14 were for Chrome, six were for Safari’s WebKit engine, and four were for Internet Explorer. In 2020, there were just 14 browser zero-day flaws, of which more than half were in Chrome. But between 2015 and 2018 there were no Chrome zero-day exploits in the wild, according to the tracker data. 


    Adrian Taylor, a technical program manager on the Chrome Security Team, says in a blogpost that the increase in browser zero-days “may initially seem concerning” and “could point to a worrying trend”. But he argues it could be a good thing because it means more zero-days are being caught and fixed.

    In other words, interpreting trends in zero-day data, such as the suggestion that there were no zero-days between 2015 and 2018, is difficult because the data only includes exploits that are now known about and hopefully fixed. There are likely more undiscovered ones being used out there.

    “We don’t believe there was no exploitation of Chromium based browsers between 2015 and 2018,” notes Taylor. “We recognize that we don’t have full view into active exploitation, and just because we didn’t detect any zero-days during those years, doesn’t mean exploitation didn’t happen. Available exploitation data suffers from sampling bias.”

    That’s similar to a conclusion about zero-days that Google’s Threat Analysis Group (TAG) made last year: “There is not a one-to-one relationship between the number of 0-days being used in-the-wild and the number of 0-days being detected and disclosed as in-the-wild.”

    Still, there were a lot of zero-day exploits discovered in 2021. Taylor offers four reasons for this.

    First, browser makers today are more transparent about bugs being exploited in the wild than in the past. Google Project Zero, which gives vendors 90 days to fix a bug before publicly disclosing it, has helped normalize this behavior from major software vendors.

    Another factor is the demise of the Adobe Flash Player desktop browser plugin, which was the top target for attackers in 2015 and 2016; browser makers and Adobe dropped support for it on December 31, 2020. “As Flash is no longer available, attackers have had to switch to a harder target: the browser itself,” writes Taylor.

    On top of that is the popularity of open source Chromium, used by Brave, Opera, Vivaldi and so on. While Edge isn’t anywhere near as popular as Chrome, it does ship with Windows 10 and Windows 11. “Attackers go for the most popular target. In early 2020, Edge switched to using the Chromium rendering engine. If attackers can find a bug in Chromium, they can now attack a greater percentage of users,” argues Taylor.

    Yet another cause for the apparent rise in browser zero-days is that, due to efforts to harden the browser, such as Chrome’s site isolation, attackers need to chain together multiple bugs to actually exploit a browser. So attackers need more ammunition for the same effect. “For exactly the same level of attacker success, we’d see more in-the-wild bugs reported over time, as we add more layers of defense that the attacker needs to bypass,” he notes.

    Finally, browser software is vast and now almost as complex as an operating system. “More complexity means more bugs,” Taylor comments.

    He also points to Project Zero’s recently published research on how quickly software vendors patch flaws. Chrome was patched and released faster than WebKit and Firefox. Google is urging all vendors to implement a more frequent patch cadence for security issues. Chrome, for example, cut its stable release cycle from six weeks to four weeks. Microsoft implemented the same cycle for Edge from version 94’s release in September.

    [Image: Project Zero has tracked all zero-days for browsers. Source: Google]


    NetWalker ransomware affiliate extradited to the US for further charges

    The NetWalker ransomware gang affiliate who was sentenced to seven years in prison by Canadian courts at the end of January was extradited to the United States on Wednesday, where he will face further charges related to his participation in the gang.

    Sebastien Vachon-Desjardins, a Canadian citizen, received the Canadian prison sentence after he pleaded guilty to five charges related to “theft of computer data, extortion, the payment of cryptocurrency ransoms, and participating in the activities of a criminal organisation”. The charges in Canada were for Vachon-Desjardins’s involvement in 17 ransomware attacks that caused at least $2.8 million in damages. In the following weeks, he also received an additional 54-month sentence in Canada for trafficking drugs in Quebec.

    Vachon-Desjardins’s extradition to the United States was originally set for an earlier date, but was delayed because the NetWalker affiliate’s drug trafficking charges in Canada were still outstanding.

    Now that Vachon-Desjardins is in the United States, he faces further charges that accuse him of conspiracy to commit computer fraud and wire fraud, intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer. If convicted in the United States, the 34-year-old Canadian man could be required to forfeit over $27 million for his involvement with the NetWalker ransomware gang.

    Vachon-Desjardins was arrested by Canadian police in January 2021 as part of an international law enforcement campaign targeting NetWalker. After his arrest, law enforcement authorities discovered and seized 719 Bitcoin, valued at approximately $28.1 million, and around CA$1 million from Vachon-Desjardins’s home in Gatineau, Canada.

    “As exemplified by the seizure of cryptocurrency by our Canadian partners, we will use all legally available avenues to pursue seizure and forfeiture of the alleged proceeds of ransomware, whether located domestically or abroad,” US Justice Department assistant attorney-general Kenneth Polite Jr said. “The department will not cease to pursue and seize cryptocurrency ransoms, thereby thwarting the attempts of ransomware actors to evade law enforcement through the use of virtual currency.”


    Watch out for this phishing attack that hijacks your email chats to spread malware

    A prolific botnet used to deliver malware, ransomware and other malicious payloads is spreading itself by hijacking email conversations in order to trick PC users into downloading it, in what’s described as an “extremely active” phishing campaign.

    Qakbot has plagued victims since 2008, when it started life as a banking trojan designed to steal usernames and passwords. The malware has continually added new capabilities, making it more dangerous and more effective. A recent campaign has been detailed by cybersecurity researchers at Sophos, who’ve warned that Qakbot is hijacking email threads to spread itself to more victims.

    By hijacking ongoing email threads between real people, there’s a better chance that the phishing attacks will be effective, because those receiving the message are likely to trust a sender they know and have already received emails from in that same thread.

    Qakbot attacks are automated, spreading via the infected Windows computers of people who’ve already unwittingly fallen victim. Once installed on a compromised machine, Qakbot downloads a payload which hunts for email accounts, stealing the usernames and passwords required to get into them. Automated tools then go through the inbox and use the compromised account to send out phishing emails by replying to all on existing email threads, quoting the original message being replied to so that the response looks more authentic.

    These messages generally contain a brief snippet of text with a request to look at an attachment, often a zip file. The messages can be sent out in a variety of languages, tailored to the language the original emails were sent in.

    While generic messages relating to paperwork or documents might seem too bland to lure people into opening malicious attachments, the fact that the messages look like they’re coming from someone the user knows, and has been talking to, could encourage them to let their guard down and open the file.

    Anyone who does this risks their device being infected by Qakbot, leaving any sensitive information or accounts on the machine ripe for being stolen. Machines infected with Qakbot can also be compromised with other malware, including ransomware. Cyber criminals can lease out the botnet to access machines infected with Qakbot in order to deliver their own malware payloads.

    “Qakbot is a full-service botnet that performs data theft and malware delivery services on behalf of either themselves or third parties. They clearly take advantage of credential theft to access the websites belonging to innocent third parties to use for hosting payloads,” Andrew Brandt, principal researcher at Sophos Labs, told ZDNet.

    The malware remains what’s described as “extremely active” in attempting to spread itself to new victims, while Qakbot’s authors continue to add new features to it, including further obfuscating the malicious code to help it avoid detection and analysis.

    Users should therefore be wary of unusual emails they receive, even if they’re from known contacts, because there’s the potential that messages could be coming from a contact infected with Qakbot.

    “The best way to protect yourself is to train yourself to recognize when a message is out of character with the person allegedly sending it, and not to click the link to download the zip file,” said Brandt, who added that, given the message is sent from the account of someone you know, you could contact them through a channel other than email to check whether it’s really them. “Verify that they intended to send you the file before you open it,” he concluded.


    Microsoft: There's a critical shortage of women in cybersecurity, and we need to do something about it

    Encouraging more women to pursue cybersecurity careers is “mission-critical” to filling some of the 2.5 million open jobs worldwide and tackling a global shortage of tech skills, Microsoft has said.

    Vasu Jakkal, Microsoft’s corporate vice president of security, compliance, identity and management, said women and people “with more diverse perspectives” were desperately needed in the cybersecurity industry to help address the evolving threat landscape and take pressure off overburdened IT teams.

    By bridging the gender gap in cybersecurity, where a lack of female representation is fuelling unequal pay and a lack of support for women, organizations can swiftly bridge organizational skill gaps as well as diversify operational thinking, which brings its own benefits in innovation and profitability, Jakkal said.

    In 2021, women represented just 25% of the global cybersecurity workforce. A survey commissioned by Microsoft Security found that, while 83% of respondents believed there was an opportunity for women in cybersecurity, only 44% of female respondents felt sufficiently represented in the industry. Likewise, 54% of women said there was gender bias in the industry that results in unequal pay and support, compared to 45% of men.

    Self-limiting beliefs also need to be addressed in encouraging more women to pursue cybersecurity careers and “break through biases that limit women’s career options,” said Jakkal. Microsoft’s survey indicated that men are more likely than women (21% vs 10%) to feel qualified to apply for a cybersecurity job, whereas more women than men (27% vs 21%) believe men are seen as a better fit for technology fields. “That breaks my heart,” said Jakkal.

    “I’ve always felt that cybersecurity is a calling but as our survey shows, the journey isn’t always easy. I’ve often been the only woman or person of color at the table. And, while I’ve tackled every challenge thrown at me, I sometimes doubted myself and struggled with imposter syndrome. Most of us do — women especially. The important thing is that over time, we find our voice and learn to speak up.”

    Nurturing the careers of women in cybersecurity is important for a number of reasons, said Jakkal. Security teams are already under immense strain due to a shortage of digital skills, so getting more women into the industry would “vastly decrease the deficit by deliberately expanding our hiring and mentorship of underrepresented groups who can bring so much to the table.”

    Studies have also shown that diversity is good for business, both in terms of boosting profitability as well as innovation, by bringing new ideas, perspectives and experiences to the organization. “Cybersecurity depends on it because cybercrime tactics keep evolving,” Jakkal added. “With all these compelling reasons to promote diversity, why is there such a shortage of women in cybersecurity?”

    Microsoft has partnered on a number of programmes aimed at improving female representation in cybersecurity, including Girl Security, a learning program that offers e-mentorship, professional development, and skill-building to women, girls and gender minorities interested in cybersecurity.

    “As you embark on a career in cybersecurity, know you are not alone,” said Jakkal.


    It's time to stop hoping that cybersecurity problems will just go away

    Businesses are reluctant to admit cybersecurity weaknesses because they fear reputational damage – but by choosing to bury their heads in the sand and ignore security vulnerabilities, they risk more significant damage to their brand if they do get hacked.

    Analysis by cybersecurity and bug bounty company HackerOne suggests that almost two-thirds of organisations maintain a culture of cybersecurity through obscurity, hoping that weaknesses and vulnerabilities will remain undetected or simply won’t cause issues.


    But by choosing to ignore vulnerabilities, organisations are leaving themselves open to cyberattacks and other security issues.

    Unpatched security vulnerabilities are one of the most common weaknesses exploited by cyber criminals to successfully hack networks and software. Even patches for critical vulnerabilities are not applied by many, sometimes for years, giving hackers an easy way in for as long as the updates haven’t been rolled out.

    Many organisations aren’t taking security seriously because boardrooms view it as a hindrance – according to the research, two-thirds of security professionals have been told that taking care of cybersecurity is viewed as stifling to innovation.

    However, if employees aren’t aware of cybersecurity risks and don’t have appropriate measures in place to maintain security, there’s a risk they could circumvent cybersecurity best practices. For example, if employees think that having to log in to enterprise software suites and use the approved collaboration tools is less effective and more time consuming than using a personal email address for sharing sensitive information, they could inadvertently expose sensitive data.

    Almost two-thirds of cybersecurity professionals surveyed say that their organisation has suffered a security breach as a result of staff side-stepping cybersecurity measures, while just a quarter said they’re very confident that staff are following cybersecurity best practices. The report also warns that developers are often pressured to release insecure products, putting organisations that use potentially vulnerable software at risk of being compromised.

    According to HackerOne, it’s vital for organisations to commit to more transparency around cybersecurity. “Security could be the difference between winning business and losing it,” Marten Mickos, CEO of HackerOne, told ZDNet.

    Even if organisations do fall victim to a cyberattack, being transparent about what happened can help improve the reputation of the company. Mickos cites Norsk Hydro, which fell victim to a ransomware attack and was transparent about the entire recovery process, as an example of this.

    “The organisation took the responsibility to ensure frequent and candid communications with customers and the wider public, to keep everyone updated on how events were unfolding,” he said. “Not only did Norsk Hydro maintain customer trust by being transparent about what was happening, the organisation also had the power of exposing key information on the tactics being used by cyber criminals, which is beneficial to the wider industry and other organisations facing growing cyber risks,” Mickos added.


    In a world of deepfakes, this billion-dollar startup wants you to trust AI-powered ID checks

    Digital identity is a crowded marketplace, but Veriff believes its AI tech sets it apart.
    In late January 2022, Estonia gained its sixth tech unicorn after identity verification startup Veriff raised $100 million in Series C funding. Veriff is an AI-assisted identity verification and know your customer (KYC) platform used by companies around the world to ensure their customers are who they claim to be.


    Most of the company’s biggest customers are in global fintech, where it faces competition from the likes of authentication and verification services Jumio and Fido.

    Today, Veriff is valued at $1.5 billion, joining the ranks of Skype, Playtech, Wise, Pipedrive and Bolt in Estonia’s ever-growing lineup of tech startup darlings. “It’s great that it’s done, but we cannot rest on our laurels,” Veriff founder and CEO Kaarel Kotkas tells ZDNet. “We have a lot of work ahead.”

    Kotkas is only 27, but his interest in tech and entrepreneurial tendencies stretch back more than a decade. He began experimenting with web and verification technologies while still in high school, eventually capturing the attention of billion-dollar fintech company Wise (then called TransferWise), who wanted his help testing their security systems with false IDs.

    In 2015, after his short stint at TransferWise came to an end, Kotkas got to work founding his own company. Three years later, Veriff has set its sights on becoming a household name in the global identity verification market.

    In an already crowded ID ecosystem, Veriff prides itself on the sophistication and accuracy of its authentication engine: a key concern in an age of ever-more convincing, AI-generated fakes.

    “In the financial sector, the identity verification process has traditionally been based on three photos the user has to send: a photo of the user’s face, and photos of both sides of their document, be it a passport or some other ID,” says Kotkas. “But in the age of deepfakes, it’s quite cheap and easy to manipulate those photos.”

    To make fraud more difficult (and more expensive) for fraudsters, Veriff’s platform relies on video capture rather than still images to verify users’ identities. It cross-references these images with the user’s identification document (Veriff supports up to 10,000 ID types) and then combines this with additional data points to ensure that a real person is standing in front of the camera, and that they are who they claim to be.

    Kotkas says that, in the right conditions, just five seconds of video footage can provide 300 frames for Veriff’s platform to analyze. In total, Veriff’s authentication technology uses more than 1,000 data points when making verification decisions, with Kotkas noting that the more data points the platform can analyze, the more accurate its system is, enabling the company to eliminate subjective human involvement from the verification process.

    “We have all sorts of other data, like device data, video data [and] behavioral data, which help us to understand whether it’s a real person live in front of the camera,” he explains.

    Veriff aims to use the sizable funds it raised in January for hiring and R&D. Three years ago, the company had 200 employees and one lone salesperson. Today, the company has more than 400 employees in Estonia, the UK, Spain, and the US, and has plans to grow this further.

    Within R&D, Veriff will invest in improving the technical accuracy of the verification process further. Kotkas estimates that there are some 10,000 different devices and over 10,000 types of identification documents worldwide that can be used for identity verification, and Veriff wants to be able to use all of them with sufficient accuracy.

    Veriff isn’t just targeting fintech, either: the company sees several sectors where identity verification will prove critical, which it plans to go after. “We see a lot of new use cases, account recovery for example,” says Kotkas. “For 20 years, the traditional way to do it has been by providing a phone number or an email address. But it’s clear that today, it’s not the safest option to protect your account. There are so many new companies who have to look for account recovery options, meaning that we have now a wider segment of customers.”

    Even so, Kotkas recognizes that growing Veriff’s reputation relies heavily on the trust and recognition it is able to gain in global markets, as well as within households. “It’s like in e-commerce: no one wants to enter their credit card number on a random website, but if they know that the payment process is provided by PayPal, Adyen or Stripe, they trust it. This is what we want to achieve with Veriff as well,” he says. “If they see that it’s Veriff that provides the identity verification solution and protects their data, they will trust it, the process is smoother and then everybody is happy.”

    There is a lot of talk about decentralization in technology, but Kotkas is adamant that this won’t affect identity verification – there needs to be a trusted authority to provide verification of identities, after all. Today, this central role is held by the governments of the world, though Kotkas believes that, in the long run, private companies such as Veriff will offer a more efficient replacement.

    “Maybe it’s not the state who has to solve the question of digital identity, as it’s not easy for them to keep up with the rapid developments of the internet and fraud. I think it’s easier for the state to audit three companies with whom they can cooperate when verifying data, rather than to build a layer for millions of companies themselves.”

    In the meantime, Veriff is focused on building its network of customers and moving towards a future where the company’s platform can operate as a single sign-on solution for their services in the metaverse, which Kotkas hopes will make the still-untamed world of virtual reality a little safer for consumers. But in the long term, Veriff’s main focus will remain on the identity verification space.

    “There is a strong need for it in both taking the traditional offline services such as notarized contracts or exams online, and when launching completely new services,” says Kotkas. “If we don’t solve the problem of identity verification, the growth of these services will quickly hit a glass ceiling.”



    Latin e-commerce giant Mercado Libre hacked

    Latin American e-commerce company Mercado Libre had its systems hacked in an incident that exposed information related to 300,000 users of the platform.


    The NASDAQ-listed company disclosed the incident in an 8-K filing to the US Securities and Exchange Commission, noting that part of its source code had been subject to unauthorized access, exposing user data. The report did not specify when the incident took place, but the firm said it has activated its security protocols and is “conducting an exhaustive analysis”. The company did not provide details about where exactly in Latin America the issue originated.

    Present in most Latin countries, Mercado Libre is the region’s largest e-commerce and payments firm. The firm stressed that although hundreds of thousands of users had been exposed, they represent 0.2% of its base of nearly 140 million unique active users, and that critical data, including payment details, had not been accessed.

    “According to our initial analysis, we have not found any evidence that our infrastructure systems have been compromised or that any users’ passwords, account balances, investments, financial information or credit card information were obtained”, the company said in the SEC filing, adding that it is taking “strict measures to prevent further incidents.”

    The Mercado Libre hack follows another major incident at Americanas.com. Malicious actors targeted this major Brazilian e-commerce retailer on February 19 in two attacks that rendered systems unavailable for days. Without providing details, the company later released a statement to its shareholders that it hadn’t found any evidence that its databases were compromised.

    Cyberattacks have been on the rise in Latin America. According to an IBM report on security threats, the region saw a 4% increase in cyberattacks in 2021 compared to the previous year. The research suggests that Brazil, Mexico and Peru were the most attacked countries in the region last year.

    As threats increase, investment in security is also on the rise: analyst firm IDC estimates that overall security spending is expected to reach nearly $1 billion in Brazil this year, an increase of 10% in relation to 2020. Of that total, spending on security solutions will reach $860 million, the analyst said, with cloud security becoming a key area of focus for Brazilian IT decision-makers.


    Alleged hacker behind Kaseya ransomware attack extradited, arraigned in Texas

    Yaroslav Vasinskyi, accused of being connected to the Sodinokibi/REvil ransomware group, was extradited and arraigned in a Dallas, Texas court on Wednesday. In November, the Justice Department said the 22-year-old was behind the July 2021 ransomware attack against Kaseya, which crippled hundreds of companies around the world for days. 

    CyberScoop reported in November that Vasinskyi was arrested at a border crossing in Dorohusk — a Polish-Ukrainian border town — on October 8. Vasinskyi made his first appearance and was arraigned today in the Northern District of Texas.

    “When last year I announced charges against members of the Sodinokibi/REvil ransomware group, I made clear that the Justice Department will spare no resource in identifying and bringing to justice transnational cybercriminals who target the American people,” said Attorney General Merrick Garland.

    “Just eight months after committing his alleged ransomware attack on Kaseya from overseas, this defendant has arrived in a Dallas courtroom to face justice,” said Deputy Attorney General Lisa Monaco. The DOJ said Vasinskyi was brought to Dallas on March 3.

    According to an indictment from August, Vasinskyi was responsible for the attack on Kaseya as well as several other companies. REvil was also accused of being responsible for the ransomware attack against food supplier JBS, which paid $11 million in Bitcoin to the attackers in exchange for the key required to decrypt the network.

    Garland said in November that Vasinskyi — who went by the name “Rabotnik” online — was one of the masterminds behind the REvil ransomware. The indictment shared by the DOJ said Vasinskyi has been part of the REvil ransomware gang since at least 2019 and has launched at least 2,500 attacks.

    The DOJ said he made $2.3 million from ransoms after demanding a total of more than $760 million. He has been charged with conspiracy to commit fraud and related activity in connection with computers, damage to protected computers, and conspiracy to commit money laundering. He is facing a total of 115 years in prison if convicted of all counts.

    News of Vasinskyi’s arrest in November was paired with the seizure of $6.1 million in funds traceable to alleged ransom payments received by 28-year-old Russian national Yevgeniy Polyanin. Polyanin was also charged for his involvement with Sodinokibi/REvil.

    “The arrest of Yaroslav Vasinskyi, the charges against Yevgeniy Polyanin, and seizure of $6.1 million of his assets, and the arrests of two other Sodinokibi/REvil actors in Romania are the culmination of close collaboration with our international, US government, and especially our private sector partners,” FBI Director Christopher Wray said at the time. “The FBI has worked creatively and relentlessly to counter the criminal hackers behind Sodinokibi/REvil.”

    Law enforcement officials from multiple countries were involved in disrupting the REvil ransomware gang, which went dark for the second time in October. Suspected members of the group were also detained following raids by Russia’s Federal Security Service (FSB) in January.

    According to the US Department of Justice, in addition to the headlining attacks on Kaseya and JBS, REvil is responsible for deploying its ransomware on more than 175,000 computers. The group allegedly brought in at least $200 million from ransoms.