More stories

  • Bridgestone still struggling with plant closures across North America after cyberattack

    Bridgestone-Firestone tire factories across North America and Latin America are still struggling to recover from a cyberattack after sending workers home for multiple days. The company did not respond to repeated requests for comment, but USW 1155L, a union representing workers at the Warren plant, took to Facebook to notify employees that the company was still dealing with the cyberattack and did not need people to come in. “Warren hourly teammates who are scheduled to work day shift, March 1st, will not be required to report to work (no hit, no pay, or you have the option to take vacation),” the union wrote on Monday. The outages were first announced on Sunday, when the union explained on Facebook that Bridgestone Americas was “investigating a potential information security incident.” The notice appeared to come directly from the company rather than from the union itself.

    “Since learning of the potential incident in the early morning hours of February 27, we have launched a comprehensive investigation to quickly gather facts while working to ensure the security of our IT systems. Out of an abundance of caution, we disconnected many of our manufacturing and retreading facilities in Latin America and North America from our network to contain and prevent any potential impact, including those at Warren TBR Plant. First shift operations were shut down, so those employees were sent home,” the company explained. “Until we learn more from this investigation, we cannot determine with certainty the scope or nature of any potential incident, but we will continue to work diligently to address any potential issues that may affect our operations, our data, our teammates, and our customers.”

    On Tuesday evening, the company reiterated that hourly workers scheduled for Wednesday will not be required to report to work. Bridgestone Americas operates dozens of facilities across North America, Central America and the Caribbean, with a workforce of over 50,000. Local news outlets from across the US reported outages affecting factories in Iowa, Illinois, North Carolina, South Carolina, Tennessee and Canada.

  • Apple pauses all product sales in Russia, stops exports and limits Apple Pay

    Apple announced that it is pausing all product sales in Russia in light of the country’s decision to invade Ukraine. 

    An Apple spokesperson listed several actions the company is taking in relation to its business in Russia. “We have taken a number of actions in response to the invasion. We have paused all product sales in Russia. Last week, we stopped all exports into our sales channel in the country. Apple Pay and other services have been limited. RT News and Sputnik News are no longer available for download from the App Store outside Russia. And we have disabled both traffic and live incidents in Apple Maps in Ukraine as a safety and precautionary measure for Ukrainian citizens,” the spokesperson told ZDNet. “We are deeply concerned about the Russian invasion of Ukraine and stand with all of the people who are suffering as a result of the violence. We are supporting humanitarian efforts, providing aid for the unfolding refugee crisis, and doing all we can to support our teams in the region. We will continue to evaluate the situation and are in communication with relevant governments on the actions we are taking. We join all those around the world who are calling for peace.”

    Apple joins several other tech giants in taking drastic steps in response to the Russia-Ukraine conflict. Mykhailo Fedorov, vice prime minister of Ukraine and minister of digital transformation, first announced the news on Telegram, noting that Apple had stopped selling its technology in its official online store in Russia. Early on Tuesday morning, Fedorov also noted that some Ukrainian music companies had appealed directly to Apple CEO Tim Cook to ask whether the company would allow Ukrainian music artists to change their album covers.

    Joint forces of Ukrainian music industry, @mintsyfra and Slukh media appeal to the @AppleMusic and @Spotify leadership. We ask you to allow our artists change their album covers to draw the attention to the bloody war in Ukraine. Let us engage more Russian sane people! pic.twitter.com/5HeiyU940Q— Mykhailo Fedorov (@FedorovMykhailo) March 1, 2022

    “In order to show the truth about the situation in Ukraine, we ask for permission to put this picture (or similar ones) instead of album covers of Ukrainian musicians and artists,” the companies said, sharing a photo of a teal and yellow image with Ukrainian text. “In addition to this, we ask you to block Apple Music accounts of Russian artists who support the war and Putin’s aggressive actions, such as Nikolai Baskov, Leonid Agutin, Prokhor Shalyapin and others. We want peace, clear skies and freedom. We don’t want war.”

  • NVIDIA says employee credentials, proprietary information stolen during cyberattack

    NVIDIA said employee credentials and proprietary information were stolen during a cyberattack it announced on Friday. The chipmaker said it first became aware of the incident on February 23 and added that it impacted its IT resources.

    “Shortly after discovering the incident, we further hardened our network, engaged cybersecurity incident response experts, and notified law enforcement. We have no evidence of ransomware being deployed on the NVIDIA environment or that this is related to the Russia-Ukraine conflict. However, we are aware that the threat actor took employee credentials and some NVIDIA proprietary information from our systems and has begun leaking it online,” an NVIDIA spokesperson told ZDNet. “Our team is working to analyze that information. We do not anticipate any disruption to our business or our ability to serve our customers as a result of the incident. Security is a continuous process that we take very seriously at NVIDIA — and we invest in the protection and quality of our code and products daily.”

    British newspaper The Telegraph reported that the company had faced two days of outages last week affecting email systems and tools used by developers. Reports later emerged online that the South American hacking group LAPSUS$ claimed it was behind the attack on NVIDIA. The group claimed to have 1TB of data, including employee information.

    In screenshots from their Telegram channel, a LAPSUS$ member claims NVIDIA put ransomware on the group’s systems after the hack. “Access to NVIDIA employee VPN requires the PC to be enrolled in MDM (Mobile Device Management). With this they were able to connect to a [virtual machine] we use. Yes they successfully encrypted the data,” the group claimed in a subsequent message. “However we have a backup and it’s safe from scum! We are not hacked by a competitors groups or any sorts.”

    Emsisoft threat analyst Brett Callow noted that the Telegram channel where these messages were posted is now “temporarily inaccessible.” “While hacking back is not common, it has certainly happened before,” Callow said. “Deploying ransomware on the attackers’ network may prevent them from leaking whatever data they exfiltrated.”

    Earlier this year, LAPSUS$ hacked and extorted Portugal’s largest TV channel and weekly newspaper. Blue Hexagon CTO Saumitra Das said ransomware gangs can now cause brand damage and steal IP without actually deploying the final ransomware payloads. “There is always a tradeoff for the attackers between encrypting data and stealing data because encryption and deletion can trigger alarms at organizations with mature security programs and take away the leverage from the attackers,” Das said.

  • Meta to demote content from Russian state-backed media on Facebook and Instagram platforms

    Meta announced on Tuesday that it plans to demote content from Russian state-backed media outlets on Facebook and Instagram as part of a wide range of efforts taken in light of the recent invasion of Ukraine. 

    Former UK deputy prime minister Nick Clegg, who now heads global affairs at Meta, told reporters that Facebook does not want to outright ban any content, instead hoping to provide context or other information for users. “I can also confirm we are demoting content from Facebook pages and Instagram accounts from Russian state-controlled media outlets and are making it harder to find across our platforms. We’ve also begun to demote posts with links to Russian state-controlled media websites on Facebook. Over the next few days, we will label these links and provide more information before people share them or click on them to let them know that they lead to state-controlled media websites. We plan on putting similar measures in place on Instagram,” Clegg explained. “At the end of the day, the most powerful antidote to propaganda is not only restricting circulation but circulating the answers to it. And that is why we always want to strike the right balance to allow the flow of counter-speech to continue on our services.”

    Clegg said that teams at Facebook and Instagram are expanding their fact-checking apparatus and responding to requests from governments about misinformation and disinformation. Clegg noted that the Russian government is throttling Facebook and Instagram to make it more difficult for Russian citizens to see certain content. But he also explained that the company is facing pressure from governments across the world to limit the spread of content from Russian state-backed media sources. “We’re a company, not a government, so we’re working closely with governments and responding to their requests to combat disinformation and harmful propaganda. We’ve established an operations center staffed by experts from across the company, including native Russian and Ukrainian speakers who are monitoring the platform around the clock, allowing us to respond to issues in real-time,” Clegg said.
    “At the request of the government of Ukraine and governments in the European Union, we have restricted access to Russia Today and Sputnik in Ukraine and the EU. We’ve also expanded our third-party fact-checking capacity in Russian and Ukrainian and are providing more context and transparency around the content shared by the Russian state-controlled media outlets, prohibiting ads for Russian state media and demonetizing their accounts.”

    Russia Today deputy editor-in-chief Anna Belkina slammed the measures, questioning how the actions could be taken without evidence being provided.

    The deputy editor in chief of RT, Anna Belkina, has issued a statement as Big Tech and TV providers take action against the Russia-backed outlet. Belkina accuses the “collective ‘establishment’” of being “terrified of a mere presence of any outside voice.” https://t.co/QZXsVvXBhA pic.twitter.com/ukS5c0juxE— Oliver Darcy (@oliverdarcy) March 1, 2022

    Meta announced on Monday that it was restricting access to several accounts, including some belonging to Russian state-media organizations, in Ukraine. Clegg also said earlier this week that Meta had introduced new security features to keep people in Ukraine safe, including a tool to lock a Facebook profile in one step, temporarily removing the ability to view and search the friends lists of Facebook accounts in Ukraine, rolling out notifications for screenshots, and activating the disappearing messages feature on Messenger.

    Twitter is instituting similar measures, including pausing advertisements in Ukraine and Russia “to ensure critical public safety information is elevated and ads don’t detract from it.” Twitch and OnlyFans have reportedly blocked all users in Russia from accessing their accounts, preventing them from withdrawing money earned on the respective platforms amid tougher sanctions against Russia.

  • Security researchers spot another form of wiper malware that was used against Ukraine's networks

    Another new form of destructive wiper malware has been identified after it was used in attacks against Ukrainian organisations before and during Russia’s invasion of Ukraine. Researchers at cybersecurity company ESET have detailed malware they’ve named IsaacWiper, which was used in an attack against a Ukrainian government network just before Russia sent troops into Ukraine. A new version of the malware was launched in additional attacks the next day.

    The discovery of IsaacWiper follows the discovery of other destructive malware, HermeticWiper, also used in cyber attacks against organisations in Ukraine ahead of the invasion. IsaacWiper was used in attacks against a network that was not affected by HermeticWiper. Researchers note that neither IsaacWiper nor HermeticWiper has yet been attributed to any known cyber threat group, due to a lack of significant code similarities with other malware samples. It’s also still unknown whether there are any links between the two pieces of malware. What ESET researchers have identified are details in IsaacWiper’s code which suggest that, despite only being used in attacks from February 24, it has been available since October, meaning it could have been developed months before the attacks against Ukraine and could also have been used in earlier campaigns.

    It’s currently unknown how IsaacWiper is delivered to victim machines, although researchers note that RemCom, a remote access tool, has been deployed at the same time as IsaacWiper. It’s also suggested that the attackers are finding a way to move laterally around networks in order to spread the malware. However the malware was spread, it’s suspected that the attackers infiltrated the target networks some time before IsaacWiper was delivered.
    “ESET researchers assess with high confidence that the affected organisations were compromised well in advance of the wiper’s deployment,” said Jean-Ian Boutin, ESET head of threat research. A wiper is designed to destroy networks and files, but it’s possible that those behind the attacks didn’t hit all their targets on the first attempt, because on 25 February the attackers dropped a new version of IsaacWiper. ESET suggests the reason might be that the attackers weren’t able to successfully wipe some of the targeted machines and added log messages to understand what happened.

    In an attempt to defend Ukrainian organisations and networks from offensive cyber attacks, the Ukrainian government is calling for volunteers to aid with cybersecurity. Cybersecurity agencies around the world have also urged organisations to ensure their networks are protected against potential cyber attacks related to the invasion of Ukraine.

  • Software development is still ignoring security. That needs to change fast

    If one event demonstrated how vulnerable organisations and infrastructure around the world are to software vulnerabilities, it was Log4j. The critical zero-day vulnerability in the Java logging library Apache Log4j enabled attackers to remotely execute code to gain access to devices and networks. And because the open-source library was embedded in a vast array of applications, services and enterprise software tools, it had the potential for widespread and long-term disruption.

    No wonder Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), described the vulnerability as “one of the most serious that I’ve seen in my entire career, if not the most serious”. Security patches were quickly developed and organisations quickly moved to apply them, although the ubiquitous nature of Log4j’s open-source code means there will be software and applications out there which won’t receive the update, especially if nobody realises Log4j was part of the development process.

    Log4j is just one example of severe security vulnerabilities being uncovered in software that has been used for years – and it came 20 years on from when then-Microsoft boss Bill Gates issued his Trustworthy Computing memo, which urged Microsoft’s developers to produce more secure software after various bugs and security holes were uncovered in its operating systems and products. “Eventually, our software should be so fundamentally secure that customers never even worry about it,” wrote Gates.

    Two decades on, while Microsoft Windows is generally regarded as a pretty secure operating system when used correctly and security updates are applied, even Microsoft can’t escape critical vulnerabilities in its code. And more broadly there is still far too much insecure software around. Software has always shipped with bugs, but software and services have become ever more important to our everyday lives, making the potential impact of security vulnerabilities even more damaging. In many ways, software development hasn’t evolved to face this new reality: products are still rolled out, only for vulnerabilities — sometimes major ones — to be discovered much later. And when it involves a somewhat obscure component like Log4j, organisations might not even be certain whether they’re affected.

    “Inherently, the way in which we do software development just lends itself towards bugs and defects,” says Rob Junker, CTO and head of software development teams at Code42, a software security company. “The accelerated pace of work that we live in contradicts most security teams’ best practices.”
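
    The point about Log4j being an obscure component that organisations cannot easily locate applies to any transitively bundled library. The following is an added example, not code from the article or from any of the people quoted in it: a Python scanner that walks a directory, opens every JAR, WAR and EAR (including archives nested inside other archives), reads the Maven metadata that log4j-core ships with, and flags versions that need review. The version threshold (anything below 2.17.1, which deliberately also catches the 2.12.x and 2.3.x backport lines for old Java runtimes) and the sample archives the demo builds for itself are assumptions made for the example.

```python
"""Find log4j-core inside JAR/WAR/EAR files, including archives nested in archives."""
import io
import os
import re
import tempfile
import zipfile

# Maven metadata that an unmodified log4j-core jar carries.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class at the heart of CVE-2021-44228; still present in patched builds, and the only
# clue left in shaded copies whose Maven metadata was stripped.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """Return the 'version=' value from a pom.properties file, or None."""
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); trailing qualifiers such as '1-rc1' keep only the digits."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def needs_review(version):
    """Assumption for this example: anything below 2.17.1 is flagged.

    That also flags the 2.12.x and 2.3.x backport lines (fixed in 2.12.4 and 2.3.2),
    so old-Java builds get a manual look rather than an automatic pass.
    """
    if version is None:
        return True
    return version_tuple(version) < (2, 17, 1)


def inspect_archive(data, label, findings):
    """Record log4j-core metadata found in one archive, then recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip: corrupt file, or something non-archive with a .jar name
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
            findings.append({"archive": label, "version": version,
                             "jndi_lookup": JNDI_LOOKUP in names,
                             "review": needs_review(version)})
        elif JNDI_LOOKUP in names:
            # Repackaged copy without Maven metadata: version unknown, so review it.
            findings.append({"archive": label, "version": None,
                             "jndi_lookup": True, "review": True})
        for name in names:
            if name.lower().endswith(ARCHIVE_EXTS):
                inspect_archive(zf.read(name), f"{label}!{name}", findings)


def scan_tree(root):
    """Walk a directory and inspect every archive in it; results sorted by path."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if filename.lower().endswith(ARCHIVE_EXTS):
                full = os.path.join(dirpath, filename)
                label = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    inspect_archive(fh.read(), label, findings)
    findings.sort(key=lambda f: f["archive"])
    return findings


def build_fake_log4j_core(version):
    """Constructed stand-in for a log4j-core jar holding only the entries scanned above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
    return buf.getvalue()


def demo():
    """Constructed sample tree: a WAR bundling an old log4j-core, a patched jar, a shaded copy."""
    with tempfile.TemporaryDirectory() as root:
        war = io.BytesIO()
        with zipfile.ZipFile(war, "w") as zf:
            zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", build_fake_log4j_core("2.14.1"))
            zf.writestr("WEB-INF/lib/not-really-a.jar", b"plain text, not a zip")  # exercises BadZipFile path
        shaded = io.BytesIO()
        with zipfile.ZipFile(shaded, "w") as zf:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # metadata dropped by a shade/relocation step
        os.makedirs(os.path.join(root, "webapps"))
        os.makedirs(os.path.join(root, "lib"))
        with open(os.path.join(root, "webapps", "app.war"), "wb") as fh:
            fh.write(war.getvalue())
        with open(os.path.join(root, "lib", "log4j-core-2.17.1.jar"), "wb") as fh:
            fh.write(build_fake_log4j_core("2.17.1"))
        with open(os.path.join(root, "lib", "shaded-app.jar"), "wb") as fh:
            fh.write(shaded.getvalue())
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

    On a real host, call scan_tree() on the application root (a Tomcat or JBoss install, a Maven repository cache) rather than demo(). Matching on the JndiLookup class as well as pom.properties is what catches shaded or relocated copies that carry no Maven metadata at all, which are precisely the ones an inventory based on dependency manifests misses.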

    Cybersecurity wants to make software secure, a process that needs investment, personnel and time. That often flies in the face of what companies who build software require: they want to make sure the code is functional and get it out there as soon as possible, especially if new products or features depend on it.

    The state of security is massively uneven across the industry, with pretty good security at some of the top vendors but the vast majority — even ones that are very well funded — lacking basic security investments, says Katie Moussouris, CEO of Luta Security. “Unfortunately we’ve seen an under-investment in cybersecurity over the last 20 to 30 years,” she says.

    What companies need to do is ensure that cybersecurity is baked in from the very start and features as a building block of a software development program at every step of the way — that way all the risks and potential risks can be considered and acted upon before they become problems down the line. “If you think about how software is made and deployed and maintained, it’s a whole supply chain. And it starts out with when you’re designing software or you’re thinking about new features,” says Jonathan Knudsen, senior security strategist at Synopsys, a software security firm. “In the design phase, you have to be thinking about security, you have to do threat modelling or architectural risk assessments, so before you write any code you’re just thinking about how it’s going to work, and what it’s going to do — and how it could be attacked,” he added.

    Bosses might be reluctant to spend the extra time and resources on ensuring code gets delivered securely, but in the long run it should be the most effective approach, both in terms of cost and reputation. It’s safer to ensure the code is secure before it’s pushed out, rather than having to deliver a critical update later on, which might not even be applied by users. The problem is that many organisations are so used to a development model where speed is key, and the risks to them of producing poor code are seen as relatively low.

    That could mean more hands-on intervention is needed in order to encourage secure code — and penalise those who wilfully ignore security issues. “In other industries where we have such a critical dependence we regulated those industries, but software has remained largely unregulated, so there’s no software liability laws,” says Moussouris.

    There has been some movement in this area: for example, the UK government has proposed legislation that will require Internet of Things device manufacturers to follow a set of software security rules before their products can be sold. However, government moves at a slower pace than the industry, and even if the rules are enforced, there’s already plenty of IoT software out there that wouldn’t meet the requirements. But as organisations and individuals become more aware of cybersecurity issues, the market may force organisations to take software security more seriously — leaving software developers who don’t think about security behind. “Globally we’re getting more aware about software security, and so I think this is going to translate into buyers asking tougher questions from their builders,” says Knudsen.

    It’s therefore vital for software developers, their customers and even society as a whole that software security is taken seriously. Perhaps ‘move fast and fix things’ could be a new motto for developers to aspire to.

  • This is what happens when two ransomware gangs hack the same target – at the same time

    A healthcare provider fell victim to two simultaneous cyber attacks by two separate ransomware gangs using different techniques to exploit unpatched security vulnerabilities in Microsoft Exchange Server, which even led to the second ransomware attack encrypting the ransom note left by the first.

    Detailed by cybersecurity researchers at Sophos, the cyber attacks against the undisclosed Canadian healthcare provider took place in early December 2021, although the investigation revealed that the first intrusion into the network took place months beforehand, in August. It’s likely that this first compromise was by an initial access broker, a cyber criminal who looks for vulnerabilities in networks, compromises them and sells access to others on underground forums.

    While both campaigns exploited ProxyShell vulnerabilities on Microsoft’s Exchange platform (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), the two ransomware gangs went about it in different ways. The first ransomware group to reveal its attack, identified as Karma, accessed the network on November 30, connecting with an administrator account from a compromised workstation over Remote Desktop Protocol (RDP). The attackers then used the penetration testing tool Cobalt Strike and PowerShell beacons to gain additional access to the compromised network. The Karma attackers also accessed the vulnerable server by RDP in order to steal over 52GB of data before dropping a ransom note on over 20 computers on December 3. The cyber criminals noted they didn’t encrypt the machines because the victim was a healthcare organisation, but they demanded a ransom payment for the return of the stolen data.

    But while this was happening, the network was already compromised by a separate and unrelated cyber attack by Conti, one of the most notorious ransomware gangs, responsible for a string of high-profile attacks. Conti actually gained access to the network before Karma, dropping a ProxyShell exploit to gain access to the same server on November 25. The next stage followed on December 1, when an attacker used a hacked local administrator account to download and install Cobalt Strike beacons and execute PowerShell for lateral movement around the network and data collection. The Conti attackers also exploited compromised RDP credentials in the next stage of the attack, to upload all the data stolen from the servers. Like Karma’s haul, this amounted to 52GB of files, which were uploaded to cloud storage. After the data was stolen, the Conti ransomware payload was dropped from compromised servers, encrypting the healthcare organisation’s data – including the earlier ransom notes left by Karma.

    “To be hit by a dual ransomware attack is a nightmare scenario for any organisation. Across the estimated timeline there was a period of around four days when the Conti and Karma attackers were simultaneously active in the target’s network, moving around each other,” said Sean Gallagher, senior threat researcher at Sophos.

    Researchers haven’t publicly detailed how the ransomware attacks were resolved, but both Karma and Conti exploited vulnerabilities in Microsoft Exchange which emerged months ahead of the initial network compromise. Had the organisation applied the relevant security updates more urgently, the cyber criminals wouldn’t have been able to use Microsoft Exchange as an attack vector in the first place. Despite network monitoring and some malware protection being in place, both sets of attackers were able to operate inside the network without being detected, a reminder that information security teams should be on the lookout for suspicious behaviour to help prevent fully fledged cyber incidents.

    “Defense-in-depth is vital for identifying and blocking attackers at any stage of the attack chain, while proactive, human-led threat hunting should investigate all potentially suspicious behavior, such as unexpected remote access service logins or the use of legitimate tools outside the normal pattern, as these could be early warning signs of an imminent ransomware attack,” said Gallagher.
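
    Gallagher’s advice to hunt for tools used outside their normal pattern starts at the entry point both gangs shared. As an added example that is not from the Sophos report or from the article, here is a Python pass over Exchange’s IIS W3C logs that flags the Autodiscover path-confusion shape ProxyShell relies on: a request to /autodiscover/autodiscover.json whose query string begins with ‘@’ and smuggles a backend path such as /mapi/nspi or /powershell. The log excerpt is constructed for the example and is not from the incident; the field layout is an assumption about how the IIS logs are configured (the parser reads whatever ‘#Fields:’ header it finds), and the backend list is illustrative, not exhaustive.

```python
"""Flag ProxyShell-style Autodiscover path-confusion requests in IIS W3C logs."""
import re
from collections import Counter

# Backend endpoints reached through the Autodiscover path confusion (CVE-2021-34473).
# Assumption: illustrative list; extend it from your own Exchange telemetry.
BACKENDS = r"mapi/nspi|powershell|ews/exchange\.asmx"
# A query string shaped '@<anything>/<backend>...' is the tell; legitimate Autodiscover
# queries carry parameters such as 'Email=user@domain', never a leading '@'.
PATH_CONFUSION = re.compile(rf"^@[^/]*/(?P<backend>{BACKENDS})", re.IGNORECASE)
AUTODISCOVER = "/autodiscover/autodiscover.json"

# Constructed sample log for the example (not real traffic). The '#Fields:' header
# drives the parser, so a different IIS field configuration still works.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-11-25 03:14:07 10.0.0.5 GET /autodiscover/autodiscover.json @test.local/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@test.local 443 - 203.0.113.7 python-requests/2.25.1 200
2021-11-25 03:14:09 10.0.0.5 POST /autodiscover/autodiscover.json @test.local/powershell/?X-Rps-CAT=REDACTED 443 - 203.0.113.7 python-requests/2.25.1 200
2021-11-25 08:02:11 10.0.0.5 POST /autodiscover/autodiscover.json Email=jdoe@corp.example 443 corp\\jdoe 10.0.4.22 Microsoft+Office/16.0 200
2021-11-25 08:03:40 10.0.0.5 POST /owa/auth.owa - 443 - 10.0.4.22 Mozilla/5.0 302
2021-12-01 22:45:13 10.0.0.5 GET /autodiscover/autodiscover.json @evil.test/ews/exchange.asmx/?&Email=autodiscover/autodiscover.json%3F@evil.test 443 - 198.51.100.9 Mozilla/5.0 200
"""


def parse_iis(text):
    """Yield one dict per data line, keyed by the most recent '#Fields:' header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        parts = raw.split(" ")
        if fields is None or len(parts) != len(fields):
            continue  # truncated or mis-rotated line: skip rather than misalign columns
        yield dict(zip(fields, parts))


def detect_proxyshell(text):
    """Return hits for Autodiscover requests whose query smuggles a backend path."""
    hits = []
    for rec in parse_iis(text):
        if rec["cs-uri-stem"].lower() != AUTODISCOVER:
            continue
        match = PATH_CONFUSION.match(rec["cs-uri-query"])
        if not match:
            continue  # ordinary Autodiscover traffic
        hits.append({
            "time": f'{rec["date"]} {rec["time"]}',
            "src": rec["c-ip"],
            "method": rec["cs-method"],
            "backend": "/" + match.group("backend").lower(),
            "status": rec["sc-status"],
        })
    return hits


def sources(hits):
    """Count hits per client IP so a burst from one address stands out."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    found = detect_proxyshell(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(sources(found))
```

    A 200 on one of these requests against an unpatched server is an intrusion, not a scan; on a patched server the same hit still tells you who is probing. Pair it with the RDP and PowerShell remoting logons Gallagher mentions, since the web request is only the first link in the chain both gangs followed.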

  • Ukraine is building an 'IT army' of volunteers, something that's never been tried before

    Ukraine has created what it describes as an “IT army” to defend against Russian hackers and to launch counter operations against cyber threats. Russia’s invasion of Ukraine has been accompanied by cyberattacks targeting the country’s services and infrastructure, including DDoS attacks and destructive wiper malware campaigns, leading the Ukrainian government to call for volunteers to aid with cybersecurity. But it has also asked for support in conducting offensive cyber operations against Russia.

    “We are creating an IT army,” Mykhailo Fedorov, vice prime minister of Ukraine, said in a tweet at the weekend. “There will be tasks for everyone. We continue to fight on the cyber front. The first task is on the channel for cyber specialists,” he added, alongside a Telegram link to join the ‘IT Army of Ukraine’, which now has tens of thousands of subscribers.

    In addition to helping protect Ukrainian critical infrastructure and services from attacks, supporters were provided with a list of 31 Russian target websites. They include organisations in both the state-backed and private sectors: government agencies, banks, critical infrastructure and energy providers, including Gazprom and Lukoil, as well as the Russian email provider and search engine Yandex. The list of targets is also being circulated on some underground forums.

    This IT army is just one of the online efforts taking place during the conflict; hacktivist collective Anonymous has said it is taking action in support of Ukraine and against Russia, while Russia-based cyber-criminal groups have also indicated that they’ll take offensive action in support of Vladimir Putin’s invasion. This includes the ransomware group Conti, which announced “full support of Russian government” and the intention to “strike back at the critical infrastructure of an enemy” in response to cyberattacks against Russia. A later statement by Conti claimed it doesn’t support any government, but it will strike back against the West and “American cyber aggression”. Conti has since seen many of its internal documents leaked in what appears to be another act of retaliation. Meanwhile, the BBC has reported how Russian hackers – without direct orders from the state – are also attempting to hack Ukrainian websites and services.

    According to analysis by Check Point, there has been a 196% increase in cyberattacks targeting Ukraine’s government and military since Russia sent troops in last week. It’s likely that cyberattacks will continue in both directions, particularly as more people join Ukraine’s cyber army. “We’re now witnessing a concentrated attack to take down major websites and services in Russia and other surrounding countries, much like a community-driven effort. They have to deal with waves of DDoS attacks that are likely to worsen as time goes by,” says Silviu Stahie, a security analyst at Bitdefender.

    It’s much too early to understand the impact of any of these developments. Something on the scale of Ukraine’s IT army has never been tried before, so it’s hard to know what kind of impact it will have, although it may play an important part simply in rallying support in broader terms.

    There’s also the concern that civilians launching their own hacking attempts could have unexpected consequences, and the rise of offensive cyberattacks carried out by civilians raises a whole host of new questions – particularly as, in many countries, engaging in hacking is illegal. “Conducting or participating in cyberattacks, even in what could be considered a noble effort to support Ukraine against the Russian aggression and invasion, could be subject to how different countries interpret hacking laws,” says Jens Monrad, head of threat intelligence, EMEA, at Mandiant. “Another risk associated with this operation is how well each individual can protect themselves and how Russia might perceive it if they identify a foreign person suddenly hacking Russian targets,” says Monrad.

    There’s also the risk that cyberattacks, intentionally or not, could cause disruption outside Ukraine and Russia. As UK National Cyber Security Centre (NCSC) CEO Lindy Cameron commented recently: “Cyberattacks do not respect geographic boundaries”. International consensus holds that the Russian military was behind the widespread and disruptive NotPetya malware attack of June 2017. The malware was designed to disrupt the financial, energy and government sectors in Ukraine, but it spread to organisations around the world, causing damage estimated in the billions of dollars.

    “As a combat veteran, I’m in total awe of the courage of the Ukrainian people. While there are no specific threats to the US, we must be prepared for spillover effects of Russian cyber ops or an uptick in ransomware,” Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), said on Twitter. CISA, along with the UK’s NCSC, is among the cybersecurity agencies that have published advice on defending against cyber threats. In this environment, organisations around the world would be wise to examine their cybersecurity defences – because what comes next could be unpredictable.