More stories

  • Chronicles Of Mandiant: Google put a ring on it

    Like a cybersecurity version of “The Bachelor,” Mandiant gives its final rose to Google. The idea of a standalone Mandiant, re-obtaining the prestige it once held in the cybersecurity industry, made for a great story but an unlikely proposition long term.

    M&A was always the destiny for Mandiant, the only question being the winning bidder. The long and unproductive marriage to FireEye sees both companies making some interesting choices after their public, corporate divorce. FireEye combined with McAfee to become Trellix. And today, Mandiant announced an engagement to a suitor with deep pockets in Alphabet via GCP. If we were browsing our ex-significant other’s social media sites, we would definitely say that Mandiant found a more attractive and compelling match. But that raises the question: “What if Google is just the rebound acquirer?” Let’s take a dive into what each company gets from this pairing.

    Rebuilding Mandiant will take time. And lots of money.

    Mandiant spent too long tied to an all-FireEye ecosystem for its MDR offerings and other associated security services and only just diversified in the last year or two to support a more open ecosystem. Because of this, Mandiant forfeited some of the prestige of its once elite Incident Response practice, primarily to CrowdStrike, and watched its competitor rocket ahead of it in terms of market valuation, stock price, attach rate, and customer penetration. Mandiant does have a strong portfolio of services and intellectual property in areas such as MDR, attack surface management (ASM), and Security Validation (its breach and attack simulation offering). However, expanding that stable of intellectual property is a capital-intensive process — requiring substantial commitment to research and development — or deep pockets to make acquisitions. And valuations for public and private cybersecurity companies are sky-high at the moment.

    Google is playing catch up by spending its way to portfolio parity

    Google’s cybersecurity efforts began with internal initiatives like Project Zero and relatively early adoption of Forrester’s Zero Trust approach to cybersecurity via BeyondCorp. The VirusTotal acquisition did signal Google’s interest in commercializing cybersecurity years ago. However, GCP pivoted towards an enterprise-focused commercial capability somewhat late, with X launching Chronicle in 2018 and Google Cloud acquiring it in 2019. That late start demands a premium to catch up, one Alphabet appears willing to pay. Mandiant expertise will accelerate the expansion of the Google Cybersecurity Action Team led by GCP’s CISO Phil Venables. This acquisition comes just after GCP added Siemplify to its arsenal, making its primary offerings a combination of Security Analytics and SOAR capabilities with Chronicle and Siemplify, and now Mandiant’s services-heavy portfolio of solutions. GCP will also need to sort out the impact on the rest of its ecosystem. For now, GCP relies on partnerships for a complete XDR offering, and Mandiant’s MDR service is coupled up with direct Google competitor Microsoft via Defender. This acquisition also augments Google Project Zero with an infusion of sophisticated practitioners in forensics, malware analysis, threat intelligence, and security research. Now two well-regarded research teams get to mix and match information and expertise, which could lead to interesting advancements and discoveries in attacker activity and techniques to defend enterprises. Mandiant’s Incident Response expertise coupled with VirusTotal data and Project Zero caliber talent could launch a new era of cybersecurity discoveries as the two teams come together. Google and Microsoft compete extensively for enterprise business, and the risk is that Google severs the information sharing that occurs between Mandiant and Microsoft. Google needs to commit to extending these relationships for this era of discoveries to materialize. Not doing so would be a mistake and a loss of epic proportions for the entire industry.

    Cloud competition becomes a contest for cybersecurity dominance

    Forrester predicted the Tech Titans would next fight over cybersecurity. This acquisition spree is not over. GCP still has major portfolio gaps in endpoint, which it’s tried to solve via partnerships… for now. Given that GCP needs EDR to gain full ownership of the technologies that comprise its XDR offering, its next shopping list likely includes an EDR tool. GCP wants to become a top-tier cybersecurity player, and its acquisitive actions match its goals. Mandiant brings more to GCP than vice versa in capabilities and prestige, which gives us pause. Mandiant needed an acquirer with a complete cybersecurity product portfolio, deep pockets, and strong relationships with enterprise buyers. GCP brings one of those while it continues to pursue the others. Both companies place a premium on expertise as part of their culture, which does set this up as a better pairing than Mandiant’s prior matchup.

    This post was written by VP, Principal Analyst Jeff Pollard, and it originally appeared here.

  • Within hours of the Log4j flaw being revealed, these hackers were using it

    A prolific and likely state-backed hacking group repeatedly targeted several US state governments by using software vulnerabilities in web applications and then later scanning for Log4j vulnerabilities within hours of the vulnerability coming to light in order to maintain their access. Cybersecurity researchers at Mandiant have detailed how APT41, a state-sponsored cyber espionage and hacking group working out of China, compromised at least six US government networks, as well as other organisations, sometimes repeatedly, between May 2021 and February 2022. The US Department of Justice indicted APT41 hackers in September 2020, but it doesn’t appear to have had an impact on the persistent nature of the attacks. According to analysis of the attacks, many of the initial compromises came in June 2021 via targeting insecure web applications. Then in December 2021, a zero-day vulnerability in the widely used Java logging library Apache Log4j was disclosed, and the researchers at Mandiant say APT41 began exploiting the Log4j vulnerability almost immediately. “Within hours of the advisory, APT41 began exploiting the vulnerability to later compromise at least two U.S. state governments as well as their more traditional targets in the insurance and telecommunications industries,” Mandiant said. While a patch was released when the vulnerability was disclosed, the ubiquitous nature of Log4j means that many organisations did not know it was part of their tech infrastructure. No matter which vulnerability was being used, once inside the networks, APT41 tailored malware to the victim’s environment in order to make the attacks as effective as possible. When a new vulnerability which could be exploited appeared, the attackers didn’t abandon their previous compromise, but rather exploited the new vulnerability to gain additional persistence on the network.

    While the focus of the campaign was around compromising US government networks, APT41 attacks also targeted other industries, including insurance and telecommunications. It’s still uncertain what the overall goals of this particular APT41 campaign are, because these hackers also often dabble in moonlighting for their own personal gain. “APT41’s recent activity against U.S. state governments consists of significant new capabilities, from new attack vectors to post-compromise tools and techniques. APT41 can quickly adapt their initial access techniques by re-compromising an environment through a different vector, or by rapidly operationalizing a fresh vulnerability,” the report said. This recent campaign is another reminder that state-level systems in the US are under pressure from nation-state actors like China, as well as Russia, said Geoff Ackerman, principal threat analyst at Mandiant. “A preference for utilizing web exploits to target public-facing web applications, along with the ability to quickly shift targets based on available capabilities indicates that APT41 continues to pose a significant threat to public and private organizations alike around the world,” he added. State-backed hacking groups, as well as cyber criminals, are quick to exploit unpatched vulnerabilities. One of the key things which organisations can do in an effort to avoid falling victim to attacks exploiting software vulnerabilities is to apply any patches or security updates as quickly as possible.

  • Best crypto wallet 2022: Secure your cryptocurrency

    If you dabble in bitcoin or other cryptocurrencies, then you may be able to get away with storing your private keys in a software wallet. But if you are serious about crypto, are mining your own bitcoins, or have serious cash invested in crypto, then a hardware wallet is something that you need to seriously consider.

    A cutting-edge hardware wallet

    Here we have a compact hardware wallet that not only holds your cryptocurrency private keys but can also be a device that can be used to store passwords and even be used as a U2F hardware token. The Trezor Model T is easy to use thanks to its touchscreen display. Another nice feature of the Model T is that it is quick and easy to set up; you can be up and running after going through three simple setup steps. Yes, the price has gone up in recent months (as have most things, in particular, cryptocurrency-related things), but this still remains the best hardware cryptocurrency wallet you can buy.

    Pros:
    • Store passwords
    • U2F hardware token
    • Setup in three simple steps
    • Touchscreen display

    Cons:
    • Price has gone up

    Simplified version of the Trezor Model T

    Need a hardware crypto wallet that costs under $100? Take a look at the Trezor One. This is a cut-down, simplified version of the Trezor Model T that’s perfect for those who want a cheaper and simpler wallet that doesn’t compromise security. There’s also a three-pack of the Trezor One available if you want to buy a set so you have backups. The price has gone up in recent months, but it remains a good deal, coming in under $100.

    Pros:
    • Simplified version of Trezor Model T
    • Doesn’t compromise security
    • Available in a three-pack

    Cons:
    • Price has gone up

    Everything is protected by a PIN code

    This is a hardware bitcoin wallet that looks like a USB flash drive. The Ledger Nano S supports more than 30 different cryptocurrencies (including Bitcoin, Ethereum, XRP, Bitcoin Cash, EOS, Stellar, Dogecoin, and many more), and all ERC20 tokens, and everything is protected by an 8-digit PIN code.

    Pros:
    • Supports more than 30 different cryptocurrencies
    • Protected by an 8-digit PIN code

    Cons:
    • Display is small and isn’t a touchscreen

    For those who want high security

    This is the hardware wallet for those who are ultra-paranoid or who want high security. The ColdCard Mk3 device is a high-security device that is built around high-security hardware and open-source software. It also features a brilliant OLED display and a full-sized numeric keypad. You can augment the ColdCard with a range of accessories, including an adapter that allows you to power the ColdCard from a 9V PP3 battery, protecting you from attacks that might make use of a compromised USB charger.

    Pros:
    • Built around high-security hardware and open-source software
    • Brilliant OLED display and a full-sized numeric keypad
    • Augment the ColdCard with a range of accessories

    Cons:
    • Bitcoin only

    Fireproof, waterproof, shockproof, and hacker-proof

    Made from indestructible 316 marine-grade stainless steel, this is a cold storage cryptocurrency wallet that’s designed and built to be fireproof, waterproof, shockproof, and hacker-proof. This is the perfect tool for keeping your seed phrases secure, which would allow you to recover your private keys in the event that you lose or break your electronic hardware wallet.

    Pros:
    • Made from indestructible 316 marine-grade stainless steel
    • Fireproof, waterproof, shockproof, and hacker-proof

    Cons:
    • Can be tricky to get open the first time

    What is a crypto wallet?

    A crypto wallet is a device that stores and manages the private keys you hold for your cryptocurrency. They act much like how you keep money in your wallet or purse, or how your bank details are stored on your credit or debit cards.

    Is a crypto wallet the same as a bitcoin wallet?

    Yes. Bitcoin is a type of cryptocurrency, and most hardware wallets work with a broad range of cryptocurrencies.

    How did we choose these cryptocurrency hardware wallets?

    There are a number of factors to consider here.

    • Price: Not everyone wants to spend $200 on a wallet.
    • Durability: A broken hardware wallet can leave you hating life (not to mention down the cost of the hardware), so choosing something that will last is a good investment.
    • Reputable manufacturer: You could be trusting thousands of dollars of cryptocurrency to a hardware wallet, so you want to know that your wallet has been made by a reputable company with a track record in delivering secure and reliable products.
    • Ease of use: Setting up a hardware wallet can be daunting enough, but it can be made all the more difficult if the documentation is poor (or non-existent) or the device itself is quirky and unpredictable.

    What are the different kinds of cryptocurrency wallets?

    There are two kinds of wallets: hardware and software. A software wallet is an app that lives on your computer or smartphone, or even on the web, while a hardware wallet is a separate physical device (much like a wallet or purse). This hardware wallet is connected to a PC or mobile device to carry out transactions. Software wallets range in price from free to, well, not free, so they are great for those starting out. Since hardware wallets cost you money, there’s a financial investment that you have to make right from the beginning.

    Why do you need a hardware wallet?

    It’s important to note that you don’t need a hardware wallet to buy, store, or send bitcoins or any other cryptocurrency. Some people hold many thousands of dollars in bitcoin or other cryptocurrencies and don’t use a hardware wallet. However, where hardware wallets shine is the improved security that they offer compared to an app that lives on a smartphone, computer, or in the cloud. Having a device that puts an air gap between your private keys and other apps, the internet, and the bad guys offers vastly improved security from hackers and viruses. Hardware bitcoin wallets put you in complete and total control over your private keys.

    What are the pros and cons of hardware crypto wallets?

    Pros:
    • Improved security: Total air gap between your private keys and everything else.
    • Better control: You hold your keys and can keep them separate from all your other devices.
    • Easy transportation: Bitcoin hardware wallets are small and easily transported. But they can also be stored securely in a safe or safety deposit box.
    • No reliance on a third-party app or web service: Apps and services come and go.

    Cons:
    • Cost: Hardware bitcoin wallet solutions aren’t free.
    • Extra complexity: There’s always a learning curve with hardware, and some bitcoin wallets have quite advanced features that will have you reaching for the manual.
    • Loss, destruction, theft: Hardware can break, be lost, be stolen, become obsolete, or succumb to all sorts of mishaps.
    • Another thing to take care of: If you need to make a transaction, you’ll need your wallet!

    What should you consider when buying a cryptocurrency hardware wallet?

    Yes, a hardware bitcoin wallet offers greater security, but you still need to make sure that you are buying a decent device from a reputable source. You also need to decide how much security you need. For some, having the air gap of a separate wallet is good enough, while others will feel the need to beef up security, and have a device that offers higher levels of security, biometrics, and even isolating the device from possible sources of attack, such as USB chargers. You also need a backup, just in case. Maybe this is another hardware wallet, or maybe you’re going to go for a “cold storage” solution that might include having your private keys printed on paper, or even engraved, stamped, or etched into metal. Another consideration is price. Unless you’re planning to hold huge cryptocurrency investments, then it might sting a bit to spend over $100 on a wallet.

  • Okta, Airbnb, Zendesk, Asana and Snap join Whistic in forming cybersecurity consortium

    Several tech firms have partnered with Whistic to create a consortium focused on sharing cybersecurity information with customers. Whistic — which created a network for assessing, publishing and sharing vendor security information — will work with tech companies like Okta, Airbnb, Zendesk, Asana, Atlassian, Snap, Notion, TripActions and G2 on The Security First Initiative.

    The initiative seeks to combat third-party data breaches by using Whistic Profiles as a standard for assessing and sharing cybersecurity details. “Just like Asana believes collaboration and transparency between internal teams are mission-critical, we also believe it’s mission-critical to establish transparent and trusted relationships with our customers and third-party vendors,” said Sean Cassidy, head of security at Asana. “That’s why we’re excited to join with so many leading companies and see the industry collectively embrace the Security First Initiative.” Some now use Whistic Profiles in place of the typical questionnaires used for vendor assessment requirements. Gen Buckley, senior manager of customer assurance at Okta, said the Security First Initiative and the recently released MVSP security baseline both “demonstrate the importance of working together to improve security for all our mutual customers.” The initiative will see the companies share their security information proactively with their customers using a Whistic Profile. Whistic CEO Nick Sorensen said the future of vendor security must be built on a foundation of collaboration and added that the “dual-sided, network approach to vendor security is the only way to meet the needs of both buyers and sellers in the ecosystem.” “It’s also the most efficient way to make transparency the expectation in vendor security, and when that happens, everybody wins,” Sorensen said. A Whistic spokesperson told ZDNet that most companies now require a security or privacy assessment yet wait until the end of the purchasing process to evaluate the security of the vendor they are purchasing from. Some vendors may also take weeks or months to satisfy those requests fully. “This results in elongated sales cycles and a growing friction between vendors and their customers. Whistic and the founding members of the initiative spoke about the need for the industry to flip this entire process and lead with security first, as opposed to at the end of the process,” the spokesperson said. “At the heart of this is a more transparent, proactive approach to sharing security information than has existed historically. The traditional approach has been very black-box, with both parties not communicating well and approaching it in an almost adversarial manner as opposed to treating it like the partnership that it is. We are collectively excited for more companies to approach vendor security in a more collaborative and transparent manner moving forward.” G2 CEO Godard Abel added that their 2021 Buyer Behavior Report found that security is now the number one consideration for buyers in the purchasing process.

  • 1Password review: Pretty close to perfect

    Let me make this as simple as possible for you — everyone should be using a password manager. What is a password manager? It’s an app, or, more commonly these days, a combination of online service and app, that safely and securely stores your passwords, and also makes them available on all your devices. For some people, this might be the one built into the browser or operating system, or a separate standalone app (and for some, it’s a physical notebook, which I don’t approve of, but think is far better than nothing). For me, a good password manager is one that you can install on all your devices, so you get access to your passwords no matter what device you are using. This not only makes accessing your passwords easy, but also means that you’re less likely to break the two Prime Directives of passwords — using weak passwords or reusing passwords. There are many password management apps and services out there, but one of the biggest names in the field is 1Password. What is it that sets 1Password apart from the rest?

    Like:
    • Easy to use
    • Packed with great features
    • Emergency Kit helps prevent account lockouts

    Don’t Like:
    • No free plan

    There are a few features that I really like about 1Password.

    • Security breach alerts — These let you know if your passwords have been leaked in the wild.
    • Phishing protection — This protects you against websites that might try to steal your passwords. 1Password will only pass password details to browsers that have been signed by an identified developer — this means that hackers can’t use a modified browser to steal your data.
    • Emergency Kit account recovery feature — This prevents you getting locked out of your account.
    • App and U2F key-based multi-factor authentication — An added layer of protection to prevent unauthorised access.
    • Clipboard clearing feature — This prevents leaking your password from the clipboard data.
    • Keylogger protection — This prevents hackers from using a keylogger to grab your data.
    • User consent required to pass password data to the browser — This leaves you in complete control.
    • Built-in digital wallet — Securely stores your bank card details or ID cards.
    • 1 GB document storage — A safe and secure way to store all your important documents.

    As far as the apps are concerned, 1Password works across a whole range of platforms — Mac, iOS, Windows, Android, Linux, and Chrome OS, and there’s also an extension for the Google Chrome browser. I’ve tested the apps on offer across most platforms (all except Chrome OS and Linux), and it’s a very smooth, easy to use, yet secure experience. The experience differs a bit from platform to platform, but I found it to be a good experience all round, and it syncs between all devices effortlessly. One of my favorite 1Password features is the Emergency Kit. This is a PDF that contains your account email, your Secret Key, and a place for you to write down your master password. You can save this digitally, or choose to print it out and store it somewhere safe, but either way, it offers peace of mind in case you lose some valuable bit of data and can’t gain access to your passwords. All in all, it’s hard to fault 1Password. It works. It’s easy to put passwords in, it’s easy to get them out, and everything is stored securely using AES 256-bit encryption. There’s also the ability to protect access to your account using both app and U2F key-based multi-factor authentication, something that I consider to be an absolute must these days. As for pricing, 1Password has something to suit almost all budgets (except totally free; the best offer is a 14-day trial). An individual plan starts at $2.99 a month, with a 5-license family plan costing $4.99 a month. On the business side, a single license starts at $7.99 a month, with a 10-license Teams Starter Pack costing $19.95. Note that business plans come with additional features such as 5GB of document storage space, usage reports, VIP support, and more. Apart from wishing it offered a free limited plan for those who don’t have the means to pay, this service is pretty close to perfect. I like the broad range of additional services that are offered beyond password management, the core password management experience is solid, and the apps to use on the various platforms are well made, reliable, and easy to use.

  • Cloud computing: Microsoft fixes Azure flaw that could have allowed access to other accounts

    Microsoft has fixed a bug in the Azure Automation service that could have allowed one account owner to access another customer’s accounts using the same service. Azure Automation lets customers automate cloud management tasks or jobs, update Windows and Linux systems, and automate other repetitive tasks. 

    According to security firm Orca, the bug, which it reported to Microsoft on December 6, allowed a potential attacker on the service to “gain full control over resources and data of a targeted account, depending on the permissions of the account.” Orca researcher Yanir Tsarimi says the flaw he found allowed him to interact with an internal Azure server that manages the sandboxes of other customers. “We managed to obtain authentication tokens for other customer accounts through that server. Someone with malicious intentions could’ve continuously grabbed tokens, and with each token, widen the attack to more Azure customers,” explains Tsarimi. Microsoft has clarified that only Azure Automation accounts that used Managed Identities tokens for authorization and an Azure Sandbox for job runtime and execution were exposed. However, Orca also notes that the Managed Identities feature in an Automation account is enabled by default. Microsoft says it had not detected evidence that tokens had been misused and has notified customers with affected Automation accounts. According to Orca, on December 7 it discovered several large companies were potentially at risk, including “a global telecommunications company, two car manufacturers, a banking conglomerate, big four accounting firms, and more.” Microsoft explains that an Azure Automation job can acquire a Managed Identities token for access to Azure resources. The scope of the token’s access is defined in the Automation Account’s Managed Identity. “Due to the vulnerability, a user running an automation job in an Azure Sandbox could have acquired the Managed Identities tokens of other automation jobs, allowing access to resources within the Automation Account’s Managed Identity,” Microsoft Security Response Center (MSRC) notes. Azure Automation accounts that use an Automation Hybrid Worker for execution and/or Automation Run-As accounts for access to resources weren’t impacted. Microsoft mitigated the issue on December 10 by blocking access to Managed Identities tokens for all sandbox environments except the one that had legitimate access, MSRC explains.

  • Palo Alto: More than 100,000 infusion pumps vulnerable to 2 vulnerabilities

    In an examination of more than 200,000 infusion pumps on the networks of several healthcare organizations, Palo Alto Networks security researchers discovered that more than 52% were susceptible to two known vulnerabilities that were disclosed in 2019 – one with a “critical” severity score and the other with a “high” severity score. Palo Alto Networks’ Unit 42 released a report examining 200,000 infusion pumps on the networks of hospitals and clinics that use its security program for IoT devices.

    “An alarming 75% of infusion pumps scanned had known security gaps that put them at heightened risk of being compromised by attackers,” the researchers said. “These shortcomings included exposure to one or more of some 40 known cybersecurity vulnerabilities and/or alerts that they had one or more of some 70 other types of known security shortcomings for IoT devices.” The report lists several vulnerabilities affecting most infusion pumps, including CVE-2019-12255, CVE-2019-12264, CVE-2016-9355, CVE-2016-8375, CVE-2020-25165, CVE-2020-12040, CVE-2020-12047, CVE-2020-12045, CVE-2020-12043 and CVE-2020-12041. CVE-2019-12255, which had a 9.8 rating, was found in 52.11% of all the infusion pumps Palo Alto looked at. CVE-2020-12040, CVE-2020-12047, CVE-2020-12045, CVE-2020-12043 and CVE-2020-12041 all had ratings of 9.8 and were found in at least 15% of the infusion pumps examined. Aveek Das, the Unit 42 researcher who conducted the study, told ZDNet that threat actors could potentially exploit some of these vulnerabilities to take control of pump functions, including medication dosing. Das added that the issues they discovered are “just the tip of the iceberg” and noted that it was likely that they would find similar things with other connected devices in hospitals. “We focused on infusion pumps because they are so prevalent — they account for 44% of all medical devices and are the most widely used type of connected devices in healthcare settings,” Das said. Most large hospital systems have thousands of infusion pumps, making it difficult for security teams to manage and figure out which ones need to be replaced or updated.

    “The most common vulnerabilities we observed that are specific to the infusion systems we studied can be grouped into several categories according to the effects they may have: leakage of sensitive information, unauthorized access and overflow. Other vulnerabilities stem from third-party TCP/IP stacks but can affect the devices and their operating systems,” the researchers explained. “We observe that a large number of vulnerabilities in infusion pump systems – and in internet of medical things (IoMT) devices overall – are related to leakage of sensitive information. Devices vulnerable to this type of issue can leak operational information, patient-specific data, or device or network configuration credentials. Attackers looking to exploit these vulnerabilities need varying degrees of access. For example, CVE-2020-12040, which is specific to clear-text communication channels, can be remotely exploited by an attacker via a man-in-the-middle attack to access all the communication information between an infusion pump and a server. On the other hand, CVE-2016-9355 and CVE-2016-8375 can be exploited by someone with physical access to an infusion pump device to gain access to sensitive information – which makes the attack less likely, but still possible for an attacker with specific motivations.”

    The report adds that some of the other vulnerabilities discovered could give unauthenticated users the ability to gain access to a device or to send network traffic in a certain pattern that can cause a device to become unresponsive or operate in a way that is not expected. The researchers said the vulnerabilities can lead to a variety of bad outcomes, including disruptions to hospital operations and patient care. “Continuous use of default credentials, which are readily available online via a simple search, is another major issue in IoT devices in general – since it can give anyone who is in the same hospital network as the medical devices direct access to them,” the report said. “Many IoMT (and IoT) devices and their operating systems use third-party cross-platform libraries, such as network stacks, which might have vulnerabilities affecting the device in question. For example, for CVE-2019-12255 and CVE-2019-12264, the vulnerable TCP/IP stack IPNet is a component of the ENEA OS of Alaris Infusion Pumps, thereby making the devices vulnerable.”

    Infusion pumps have long been a source of ire for cybersecurity experts and vendors who have spent more than a decade trying to improve their security. Palo Alto noted that the US Food and Drug Administration announced seven recalls for infusion pumps or their components in 2021 and nine more recalls in 2020. There has also been a movement to establish a base level of cybersecurity for the industry, but it has been hampered by the fact that most infusion pumps last about 10 years. This means many hospitals are using years-old pumps, making it more difficult to apply newer security features. Palo Alto could not say whether these vulnerabilities have ever been exploited, and almost no expert contacted could identify situations where these vulnerabilities were used during attacks. But Casey Ellis, CTO at Bugcrowd, said medical device security issues are incredibly personal and disconcerting. “I’ve seen wireless exploitation of similar systems used to create conditions which were able to dump the entire contents of an infusion pump or cause a pacemaker to discharge its battery all at once. These vulnerabilities don’t have that same kind of immediate safety implication, but an attacker could easily exploit the information leakage bugs, for example, to obtain data usable to threaten and extort a user with a similar outcome,” Ellis said. “Medical devices are intimately tied with their user, and in the case of a targeted attack, the possibilities range from extortion to surveillance to direct compromise of the individual themselves. The vulnerabilities in the report don’t seem to be directly tied to the ability to harm a user, but where there’s smoke, there is usually fire. The implication of the report is that software vulnerabilities (and lag time in patching them) are a systemic problem with medical devices. This is partly an area of important improvement for medical device manufacturers, and partly a challenge of testing and updating safety-critical systems.”


    FBI warns: This ransomware group has gone after critical infrastructure firms again and again

    The FBI has issued an alert over the RagnarLocker gang, a group known to use crafty techniques like running ransomware inside a virtual machine to evade antivirus detection. The law enforcement agency said it became aware of RagnarLocker in April 2020 and that, as of January 2022, it had “identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker.”

    These include entities in critical manufacturing, energy, financial services, government, and tech. The FBI notes that the ransomware group frequently changes its obfuscation techniques to avoid detection and prevention.

    Deploying RagnarLocker in a stripped-down virtual instance of Windows XP was one of those obfuscation methods. This tactic allowed the group to hide from local antivirus software and provided more time to encrypt files. The group was known for selecting enterprise targets only and has in the past compromised managed service provider tools to then breach their customers.

    The FBI’s warning is contained in a new Flash alert published in coordination with the Cybersecurity and Infrastructure Security Agency. The FBI notes that RagnarLocker still deploys within the attacker’s custom Windows XP virtual machine on a target’s site and then starts to encrypt files.

    “Instead of choosing which files to encrypt, RagnarLocker chooses which folders it will not encrypt. Taking this approach allows the computer to operate ‘normally’ while the malware encrypts files with known and unknown extensions containing data of value to the victim,” the FBI states.

    The FBI notes that if the logical drive being processed is the C: drive, it doesn’t encrypt files from the folders named Windows, Windows.old, Mozilla, Mozilla Firefox, Tor browser, Internet Explorer, $Recycle.Bin, Program Data, Google, Opera, or Opera Software. It also doesn’t encrypt files with the extensions .db, .sys, .dll, .lnk, .msi, .drv, or .exe. The FBI has published the latest indicators of compromise as of January 2022, including IP addresses, Bitcoin addresses, and email addresses used by the attackers.
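The exclusion lists the FBI describes can be turned into a detection heuristic. The following Python is an added example, not code from the FBI alert or this article: it scans constructed file-write events and flags a process that writes to many files of many extensions yet never touches an excluded extension or an excluded C: folder. The thresholds, process names and sample paths are assumptions.

```python
# Added example (not from the FBI alert or this article): a heuristic over
# file-write events matching the exclusion pattern the alert describes.
from collections import defaultdict
from pathlib import PureWindowsPath

# Folder names and extensions the alert says RagnarLocker leaves alone
# (folder exclusions apply only when the logical drive is C:).
SKIPPED_FOLDERS = {"windows", "windows.old", "mozilla", "mozilla firefox",
                   "tor browser", "internet explorer", "$recycle.bin",
                   "program data", "google", "opera", "opera software"}
SKIPPED_EXTS = {".db", ".sys", ".dll", ".lnk", ".msi", ".drv", ".exe"}


def in_skipped_folder(path):
    """True if any folder component of a C: path is on the exclusion list."""
    p = PureWindowsPath(path)
    if p.drive.upper() != "C:":
        return False
    folders = [part.lower() for part in p.parts[1:-1]]  # drop drive and filename
    return any(folder in SKIPPED_FOLDERS for folder in folders)


def suspicious_processes(events, min_files=5, min_exts=3):
    """Return process names whose writes touch many files of many extensions
    yet never touch an excluded extension or an excluded C: folder."""
    files, exts, touched_skipped = defaultdict(set), defaultdict(set), set()
    for proc, path in events:
        ext = PureWindowsPath(path).suffix.lower()
        files[proc].add(path.lower())
        exts[proc].add(ext)
        if ext in SKIPPED_EXTS or in_skipped_folder(path):
            touched_skipped.add(proc)  # behaviour the malware avoids
    return sorted(proc for proc in files
                  if proc not in touched_skipped
                  and len(files[proc]) >= min_files
                  and len(exts[proc]) >= min_exts)


# Constructed sample events: (process name, path written). Names are made up.
SAMPLE_EVENTS = [
    ("svchost.exe", r"C:\Windows\Temp\cache.db"),            # excluded folder and extension
    ("updater.exe", r"C:\Program Files\App\app.dll"),        # excluded extension
    ("updater.exe", r"C:\Program Files\App\readme.txt"),
    ("winword.exe", r"C:\Users\alice\Documents\memo.docx"),  # too few files to flag
    ("enc.exe", r"C:\Users\alice\Documents\q1-report.docx"),
    ("enc.exe", r"C:\Users\alice\Documents\budget.xlsx"),
    ("enc.exe", r"C:\Users\alice\Pictures\vacation.jpg"),
    ("enc.exe", r"C:\Users\alice\Desktop\notes.txt"),
    ("enc.exe", r"D:\backup\Windows\setup.log"),             # Windows folder on D: is not excluded
]
```

Running `suspicious_processes(SAMPLE_EVENTS)` returns `['enc.exe']`; the thresholds are deliberately loose for the sample and would need tuning against real file-activity telemetry.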
    The FBI is also appealing for victims to provide information that might include: a copy of the ransom note, any undiscovered malicious IPs and details about unusual RDP and VPN connections, virtual currency addresses, extortion amounts, malicious files, a timeline of events, and evidence of data exfiltration.

    The FBI and US Secret Service (USSS) issued an alert last month about BlackByte ransomware, noting that the malware had compromised multiple US and foreign businesses, including entities from three US critical infrastructure sectors: government facilities, financial, and food and agriculture.