More stories

APAC firms see need to train staff in digital skills, but few actually do so

Most organisations in Asia-Pacific realise their employees need training in digital skills, but few have put plans in place to do so. With cloud and cybersecurity amongst the top digital skills in demand, employers risk missing out on key business benefits if the skills gaps remain unplugged.

Specifically, the ability to use cloud-based tools such as accounting and CRM (customer relationship management) software-as-a-service (SaaS) applications emerged as the most needed digital skill by 2025, according to a study commissioned by Amazon Web Services (AWS). This was followed by cybersecurity skills, including the ability to develop or deploy protocols and techniques to maintain the security of the organisation’s digital systems and data.

Conducted last August by consultancy AlphaBeta, the online survey polled 2,166 employers and 7,193 workers across seven Asia-Pacific markets: Singapore, Australia, India, Indonesia, Japan, New Zealand, and South Korea. Employers comprised business and IT managers from organisations in the private and public sectors, while workers included tech and non-tech full-time employees who used digital skills in their jobs.


The study further revealed that technical support, digital marketing skills, and the ability to manage migration from on-premises to the cloud were amongst the top five most in-demand digital skills. Others in demand by 2025 included artificial intelligence and machine learning, cloud architecture design, Internet of Things (IoT) skills, and software development. The desire for digital skills was also felt by employees, especially as the global pandemic fuelled digital transformation across many enterprises.

Some 88% of workers said they now needed more digital skills to keep up with changes in their job, with 86% noting that COVID-19 had accelerated the pace of digital adoption in their organisation. In particular, 64% of employees said they needed training in cloud-related skills by 2025, Emmanuel Pillai, AWS’ Asean head of education and training, said in a video interview with ZDNet. Some 54% of workers said they needed to learn how to maintain safe and secure digital systems, while 33% needed to learn how to migrate on-premises facilities to the cloud. Another 27% believed they needed skills in cloud architecture design to progress in their careers.

However, while 97% of companies recognised the need to train their workers in digital skills, just 29% had actually implemented a plan to do so, Pillai noted. In fact, two-thirds of workers revealed they were not confident they were gaining digital skills fast enough to meet their future career requirements. The lack of confidence was most apparent, at 83%, amongst employees aged 55 and above, while 75% of those aged between 40 and 55 felt likewise, as did 60% of workers aged 40 and below.

Across the board, 93% of organisations and employees faced barriers in accessing the digital skills they needed to remain competitive, with time and awareness cited as the top challenges. Some 72% pointed to limited awareness of available training courses as a barrier, while 66% noted limited awareness of the digital skills needed. Another 65% pointed to high training costs as a challenge. Amongst employees, 71% cited the lack of time to pursue training as a barrier, while 64% noted the lack of quality training.

Businesses should look at long-term benefits of skills investment

Organisations in this region, though, should look at the long-term benefits of digital skills training rather than perceiving it as an added cost, noted Genevieve Lim, Asia-Pacific director at AlphaBeta, which is part of Access Partnership. She told ZDNet that amongst organisations that did invest in digital skills training, 88% saw higher staff productivity. Another 83% reported higher employee retention, while 82% clocked increased revenue.

With 80% of employees noting that the ability to learn new digital skills led to greater job satisfaction, Lim said such findings could offer insights into how companies could retain talent amidst the global mass resignation phenomenon. If left unaddressed, the gaps in cloud skills also meant organisations would miss out on the benefits such technologies brought to the table, she said. For instance, they would take longer to innovate if they lacked the talent to help them develop and take new products to market. In addition, they would not gain the cost efficiencies and productivity improvements that digital and cloud technologies were touted to deliver, Lim said.

The study estimated that 86 million more employees across the seven Asia-Pacific markets would have to undergo digital skills training over the next year to keep up with technological change. This figure accounted for 14% of the total workforce in those regional markets.

With Asia-Pacific enterprises at different stages of their cloud adoption journey, from migration to operating in a cloud-native environment, Pillai said AWS looked to support them across all phases with more than 250 managed cloud services. He added that the cloud vendor not only offered security-specific training and certifications, but also ensured security was “baked” into all its training programs. Pointing to the shared responsibility to safeguard cloud systems and data, he underscored the need for enterprises to understand how to secure and build secured applications. Doing so would further reduce the need to plug gaps later, he noted. He said an AWS customer was able to reduce its time-to-market by 15% to 25% because its engineers were trained to develop applications with a security-by-design mindset. This meant they did not have to spend as much time debugging and fixing bugs, allowing the company to push out applications faster, Pillai said.

McAfee Enterprise's security service edge business is now called Skyhigh Security

At the start of this year, Symphony Technology Group (STG) announced Trellix as the new name for the business unit that resulted from the merger of McAfee Enterprise and FireEye last October. During 2021, STG picked up McAfee Enterprise for $4 billion, before paying $1.2 billion to purchase FireEye.

In announcing Trellix, the company detailed that the new business would focus on threat detection and response using machine learning and automation. It also said at the time that not all of McAfee Enterprise would be bundled into Trellix. The remainder, which is the security service edge portfolio, will now come under the newly announced name of Skyhigh Security. This includes cloud access security broker, secure web gateway, and zero trust network access.

To be headed by former Cisco security senior VP and general manager Gee Rittenhouse, Skyhigh Security has been created to “satisfy the growing cloud security requirements for larger and small organisations”.

“With the majority of data in the cloud and users accessing it from everywhere, a new approach to security is needed,” Rittenhouse said. “Skyhigh Security has created a comprehensive security platform to secure both data access and data use via unified policies and data awareness. Organisations can now have complete visibility and control and seamlessly monitor and mitigate security risks — achieving lower associated costs, driving greater efficiencies and keeping pace with the speed of innovation.”

STG added that splitting McAfee Enterprise into two organisations allows it to “better focus on the very distinct markets” of threat detection and response, and the security service edge.

Biden warns organizations to harden cyber defences against Russian cyber attacks

US President Joe Biden has warned local organizations to bolster their cyber defence efforts, as Russia is considering conducting cyber attacks in retaliation for the sanctions imposed against the country over its invasion of Ukraine.

“Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners. It’s part of Russia’s playbook,” Biden said in a statement. “My administration is reiterating those warnings based on evolving intelligence that the Russian government is exploring options for potential cyber attacks.”

In light of this intelligence, Biden has called for the US private sector to act immediately to strengthen its cyber defences. “Most of America’s critical infrastructure is owned and operated by the private sector and critical infrastructure owners and operators must accelerate efforts to lock their digital doors,” Biden said.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has already reached out to critical infrastructure organizations with information and mitigation guidance to help protect their systems and networks.

As part of the warning, the US government issued a guidance factsheet urging organizations to take certain cyber defence actions. Among those recommendations are for organizations to mandate the use of multi-factor authentication; deploy modern security tools on computers and devices; check with cybersecurity professionals to make sure systems are patched and protected against all known vulnerabilities; update passwords across networks so previously stolen credentials are useless to malicious actors; back up data and ensure offline backups are available; run exercises and emergency drills; encrypt data; educate employees about common forms of malicious activity; and proactively engage with law enforcement authorities.

CISA and the Federal Bureau of Investigation (FBI) also warned satellite communications network providers last week to beef up their cybersecurity efforts. The satellite warning came shortly after the two agencies, alongside European authorities, commenced investigations into a cyber attack against Viasat’s internet service for fixed broadband customers in Ukraine. The Viasat outage started on February 28, coinciding with Russia’s invasion of Ukraine. The same day, German energy firm Enercon reported that remote communications to 5,800 wind turbines were down due to a satellite outage.

Corrupted open-source software enters the Russian battlefield

It started as an innocent protest. RIAEvangelist, Brandon Nozaki Miller, a package maintainer on npm, JavaScript’s package manager, wrote and published an open-source npm package called peacenotwar. It did little except add a protest message against Russia’s invasion of Ukraine. But then it took a darker turn: it began destroying computers’ file systems.

To be exact, Miller added code that would delete the file system of any computer with a Russian or Belarusian IP address. Then, its maintainer added the module as a dependency to the extremely popular node-ipc module. Node-ipc, in turn, is a popular dependency that many JavaScript programmers use. With that, the package went from an annoyance to a system destroyer.

The code has undergone several changes since it first appeared, but it must be regarded as highly dangerous. Underlining its potential for damage, Miller encoded his code changes in base64 to make the problem harder to spot by simply reading the code. According to developer security company Snyk, which uncovered the problem, “node-ipc (versions >=10.1.1

Ukraine warns of InvisiMole attacks tied to state-sponsored Russian hackers

Ukrainian security officials have warned of ongoing attacks by InvisiMole, a hacking group with ties to the Russian advanced persistent threat (APT) group Gamaredon.

Last week, the Computer Emergency Response Team for Ukraine (CERT-UA) said it had been advised of new phishing campaigns against Ukrainian organizations that spread the LoadEdge backdoor. According to CERT-UA, phishing emails are being sent with an attached archive, 501_25_103.zip, together with a shortcut (LNK) file. If opened, an HTML Application (HTA) file downloads and executes VBScript designed to deploy LoadEdge.

Once the backdoor has established a link to an InvisiMole command-and-control (C2) server, other malware payloads are deployed and executed, including TunnelMole, malware that abuses the DNS protocol to form a tunnel for malicious software distribution, and both RC2FM and RC2CL, which are data collection and surveillance backdoor modules. Persistence is maintained through the Windows registry.

InvisiMole was first discovered by ESET researchers in 2018. The threat actors have been active since at least 2013 and have been connected to attacks against “high-profile” organizations in Eastern Europe that are involved in military activities and diplomatic missions. In 2020, the cybersecurity researchers established a link between InvisiMole and Gamaredon/Primitive Bear, the latter of which appears to be involved in initially infiltrating networks before InvisiMole begins its own operation.

“We discovered InvisiMole’s arsenal is only unleashed after another threat group, Gamaredon, has already infiltrated the network of interest, and possibly gained administrative privileges,” ESET said at the time. “This allows the InvisiMole group to devise creative ways to operate under the radar.”

Palo Alto Networks has also been tracking Gamaredon and, in February, said the APT had attempted to compromise an unnamed “Western government entity” in Ukraine through fake job listings.

CERT-UA has also begun tracking the activities of Vermin/UAC-0020, a group that has been attempting to break into the systems of Ukrainian state authorities. Vermin has been using the topic of supplies as a lure in spear phishing emails, and if opened by a victim, these emails deliver a letter and a password-protected archive containing the Spectr malware.

In 2018, ESET and Palo Alto Networks published research on Vermin, a group that has been active for at least the past four years, although it may date back as far as 2015. Vermin was targeting Ukrainian government institutions from the outset, with the remote access Trojans (RATs) Quasar, Sobaken, and Vermin being its malicious tools of choice. While the variants of Quasar and Sobaken were compiled using freely available open source code, Vermin is described as a “custom-made” RAT able to perform activities including data exfiltration, keylogging, audio recording, and credential theft.

In related news this month, Aqua Security’s Team Nautilus said that public cloud repositories are being used to host resources on both sides of the war, with Ukraine’s call for an “IT Army” of volunteers becoming a catalyst for public tools to launch denial-of-service (DoS) attacks against online Russian services.

It is not just RATs and surveillance-based malware that Ukrainian organizations are having to contend with. ESET has detected three forms of wiper malware – designed to destroy computer files and resources, rather than to steal information or spy on victims – in as many weeks. The latest wiper, dubbed CaddyWiper, has been found “on a few dozen systems in a limited number of organizations,” according to ESET.

New Conti ransomware source code leaked

New versions of Conti’s ransomware source code have reportedly been leaked by a researcher displeased with the group’s public declaration of support for Russia.

As reported by Bleeping Computer, a cybersecurity researcher took umbrage when the cybercriminals publicly said they supported Russia’s invasion of Ukraine. In revenge, the individual, believed to hail from Ukraine, has been giving the ransomware operators a taste of their own hacking medicine.

Conti is a Russian-speaking ransomware group that also operates a ransomware-as-a-service (RaaS) business model. While some ransomware payments are made in the millions, Coveware estimates that the average demand made by Conti members is just over $765,000.

Over the weekend, a link to the new package was published under the “Conti Leaks” Twitter handle. The source code has been uploaded to VirusTotal and, while password-protected, the information required to open the file is available to cybersecurity teams. Previously, the pro-Ukraine individual leaked an older version of the ransomware.

Stealing and releasing the ransomware’s source code gives cybersecurity researchers and vendors the opportunity to analyze the malware and potentially create denylists, defenses, and decryptors. However, on the flip side, attackers could also grab and adapt the code for their own malware campaigns.

Conti’s declaration of support for Russia’s invasion of Ukraine also led to the leak of the group’s internal chat logs. According to the logs, Conti is made up of individuals tasked with different duties – including malware coders, testers, system administrators and ‘HR’ personnel who deal with hires, as well as negotiators who deal with victims and try to ensure a blackmail payment is made.

Check Point researchers analyzed the leaked data and came to an interesting conclusion concerning the Conti hiring process: while some members are recruited through underground forums, others aren’t even told that they are interviewing with cybercriminals. Instead, some potential hires were told that they would be helping to develop software for legitimate penetration testers and analytics.

Conti is known for its devastating cyberattack on Ireland’s Health Service Executive in May 2021, and while the country’s healthcare system refused to pay the millions of dollars demanded as a ransom, reports suggested that the HSE is footing a bill of over $48 million to recover.

The US Cybersecurity and Infrastructure Security Agency (CISA) and FBI have previously warned organizations of Conti activity. It is estimated that hundreds of organizations in the United States alone have fallen prey to Conti. Last week, Google exposed the inner workings of Exotic Lily, an initial access broker (IAB) that sells network access to threat groups including Conti and Diavol.

FBI warning: This ransomware uses DDoS to threaten victims. Here's what to watch out for

AvosLocker, a ransomware-as-a-service menace that launched in July 2021, continues to attack US critical infrastructure, the US Federal Bureau of Investigation (FBI) has warned in an advisory. The AvosLocker gang has targeted victims in the US within financial services, critical manufacturing, and government facilities, according to the FBI.

“AvosLocker claims to directly handle ransom negotiations, as well as the publishing and hosting of exfiltrated victim data after their affiliates infect targets,” the FBI’s Internet Crime Center (IC3) reports.

AvosLocker hit the ransomware scene last year, cunningly using AnyDesk remote admin software in Windows Safe Mode to bypass anti-malware software. Palo Alto Networks assessed that AvosLocker is a marketing-savvy operation, based on the “press releases” it publishes on dark web forums to threaten victims and attract affiliates. “AvosLocker offers technical support to help victims recover after they’ve been attacked with encryption software that the group claims is ‘fail-proof,’ has low detection rates and is capable of handling large files,” Palo Alto Networks said.

The gang claims to have caused havoc at organizations in the US, the UK, the UAE, Belgium, Spain and Lebanon, with ransom demands ranging from $50,000 to $75,000. AvosLocker’s operators prefer ransom payments made in the popular Bitcoin alternative Monero, but also accept Bitcoin at 10% to 25% above the current US dollar price, according to the FBI.

The agency also warns that, in an unusual move, the gang might even phone victims to pressure them into doing a deal. “In some cases, AvosLocker victims receive phone calls from an AvosLocker representative. The caller encourages the victim to go to the onion site to negotiate and threatens to post stolen data online. In some cases, AvosLocker actors will threaten and execute distributed denial-of-service (DDoS) attacks during negotiations,” the FBI said. DDoS attacks are unfortunately readily available, cheap and powerful.

The Windows AvosLocker app is written in C++ and runs as a console application that logs actions on victims’ machines and allows the attacker to remotely enable or disable “certain features”.

It is a so-called double-extortion racket, where the attackers both steal and encrypt data. They steal data and threaten to leak the contents via a website to pressure victims into paying. The gang also started auctioning leaks to cash in on situations where a ransom negotiation failed – a tactic borrowed from the notorious REvil ransomware gang.

Software tools that AvosLocker has been observed using include the Cobalt Strike pen-testing kit, encoded PowerShell, the PuTTY Secure Copy client tool “pscp.exe”, Rclone, AnyDesk, Scanner, Advanced IP Scanner, and WinLister, according to the FBI document. The group also exploits the ProxyShell bugs tracked as CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473, which were disclosed in July, as well as last year’s Microsoft Exchange Server bug CVE-2021-26855. But the FBI notes that exactly how the attackers breach a target’s network depends on the skills of the AvosLocker affiliate carrying out the attack.

The FBI’s advisory is another arm of the US government’s efforts, via the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), to urge all organizations to patch everything and bolster cybersecurity amid fears that Russian state-sponsored hackers will target US organizations with destructive malware because of the West’s sanctions against Russia over its invasion of Ukraine.

Suspected DarkHotel APT resurgence targets luxury Chinese hotels

A new wave of suspected activity by the DarkHotel advanced persistent threat (APT) group has been disclosed by researchers. Last week, Trellix researchers Thibault Seret and John Fokker said that a malicious campaign has been targeting luxury hotels in Macao, China since November 2021, and based on clues in the attack vector and malware used, the team suspects DarkHotel is the culprit.

DarkHotel is a South Korean APT that uses tailored spear phishing attacks. The APT has been active in the hospitality, government, automotive, and pharmaceutical industries since at least 2007 and tends to focus on surveillance and data theft, with business and industry leaders marked as targets. High-value targets such as CEOs and other executives are likely to book into high-end hotels, which makes those locations a logical focus for an actor seeking to compromise them. According to Trellix, major hotel chains in Macao, China — including the Grand Coloane Resort and Wynn Palace — are now among the APT’s victims.

DarkHotel’s campaign began with a spear phishing email, crafted to appear to be from the “Macao Government Tourism Office”, sent to management staff in the luxury hotels, including front office and HR employees, who were likely to have access to guest booking systems. The emails contained an Excel sheet lure requesting the completion of a form for a guest inquiry; if the victim enables macros in order to read the document, the macros trigger the download and execution of malware payloads.

Once the researchers peeled back layers of obfuscation, they revealed a malware function designed to create a scheduled task for persistence and to launch VBS and PowerShell scripts that establish a connection to a hard-coded command-and-control (C2) server disguised as a service owned by the Federated States of Micronesia. The attack chain has a number of similarities, including the IP address and C2 infrastructure in use, with a campaign documented by Zscaler in 2021.

Normally, you would expect the APT to then execute further payloads for credential harvesting and data theft. However, in this campaign, activity suddenly stopped in January.

“We suspect the group was trying to lay the foundation for a future campaign involving these specific hotels,” Trellix said. “After researching the event agenda for the targeted hotels, we did indeed find multiple conferences that would have been of interest to the threat actor. […] But even threat actors will get unlucky. Due to the rapid rise of COVID-19 in Macao and in China in general, most of [the] events were canceled or postponed.”

Trellix has attributed the attacks to DarkHotel with a “moderate” level of confidence, based on IP addresses already linked to the APT and “known development patterns” found in the malware’s C2 server. However, the team acknowledges that this may not be enough for full attribution, especially when some threat groups are known to plant false flags to lead the cybersecurity community to believe their work is that of another, thereby staying under the radar.

“Regardless of the exact threat actor attribution, this campaign demonstrates that the hospitality sector is indeed a valid target for espionage operations,” the researchers say. “Executives should be aware that the (cyber) security of their respective organizations doesn’t stop at the edge of their network.”

Back in 2020, Qihoo 360 attributed an ongoing wave of cyberattacks launched against Chinese government agencies and their employees to the APT. The cybersecurity researchers said that a zero-day vulnerability was used to compromise at least 200 Sangfor SSL virtual private network (VPN) servers, many of which were used by government entities in Beijing and Shanghai, as well as departments involved in Chinese diplomacy.

While the COVID-19 pandemic has severely disrupted the travel industry and the rising cost of both living and transport may keep tourists away for longer, threat actors will continue to try to obtain valuable information from hotels and their guests. When you’re on the road, it is advisable to keep basic security standards up, and while you can’t prevent security incidents such as the compromise of point-of-sale (PoS) systems, using mobile networks rather than public Wi-Fi hotspots is recommended, as well as the use of virtual private networks (VPN) and fully updated software.