More stories

  • Cloud security is too important to leave to cloud providers

    As cloud rises to encompass more corporate applications, data and processes, there’s potential for end-users to outsource their security to providers as well.

    The need to take control of security and not turn ultimate responsibility over to cloud providers is taking hold among many enterprises, an industry survey suggests. The Cloud Security Alliance, which released its survey of 241 industry experts, identified an “Egregious 11” list of cloud security issues. The survey’s authors point out that many of this year’s most pressing issues put the onus of security on end user companies, versus relying on service providers. “We noticed a drop in ranking of traditional cloud security issues under the responsibility of cloud service providers. Concerns such as denial of service, shared technology vulnerabilities, and CSP data loss and system vulnerabilities — which all featured in the previous ‘Treacherous 12’ — were now rated so low they have been excluded in this report. These omissions suggest that traditional security issues under the responsibility of the CSP seem to be less of a concern. Instead, we’re seeing more of a need to address security issues that are situated higher up the technology stack that are the result of senior management decisions.”

    This aligns with another recent survey from Forbes Insights and VMware, which finds that proactive companies are resisting the temptation to turn security over to their cloud providers — only 31% of leaders report turning over many security measures to cloud providers. (I helped design and author the survey report.) Still, 94% are employing cloud services for some aspects of security.

    The latest CSA report highlights this year’s leading concerns:

    1. Data breaches. “Data is becoming the main target of cyber attacks,” the report’s authors point out. “Defining the business value of data and the impact of its loss is essential for organizations that own or process data.” In addition, “protecting data is evolving into a question of who has access to it,” they add. “Encryption techniques can help protect data, but negatively impact system performance while making applications less user-friendly.”

    2. Misconfiguration and inadequate change control. “Cloud-based resources are highly complex and dynamic, making them challenging to configure. Traditional controls and change management approaches are not effective in the cloud.” The authors state that “companies should embrace automation and employ technologies that scan continuously for misconfigured resources and remediate problems in real time.”

    3. Lack of cloud security architecture and strategy. “Ensure security architecture aligns with business goals and objectives. Develop and implement a security architecture framework.”

    4. Insufficient identity, credential, access and key management. “Secure accounts, inclusive to two-factor authentication and limited use of root accounts. Practice the strictest identity and access controls for cloud users and identities.”

    5. Account hijacking. This is a threat that must be taken seriously. “Defense-in-depth and IAM controls are key in mitigating account hijacking.”

    6. Insider threat. “Taking measures to minimize insider negligence can help mitigate the consequences of insider threats. Provide training to your security teams to properly install, configure, and monitor your computer systems, networks, mobile devices, and backup devices.” The CSA authors also urge “regular employee training awareness. Provide training to your regular employees to inform them how to handle security risks, such as phishing and protecting corporate data they carry outside the company on laptops and mobile devices.”

    7. Insecure interfaces and APIs. “Practice good API hygiene. Good practice includes diligent oversight of items such as inventory, testing, auditing, and abnormal activity protections.” Also, “consider using standard and open API frameworks (e.g., Open Cloud Computing Interface (OCCI) and Cloud Infrastructure Management Interface (CIMI)).”

    8. Weak control plane. “The cloud customer should perform due diligence and determine if the cloud service they intend to use possesses an adequate control plane.”

    9. Metastructure and applistructure failures. “Cloud service providers must offer visibility and expose mitigations to counteract the cloud’s inherent lack of transparency for tenants. All CSPs should conduct penetration testing and provide findings to customers.”

    10. Limited cloud usage visibility. “Mitigating risks starts with the development of a complete cloud visibility effort from the top down. Mandate companywide training on accepted cloud usage policies and enforcement thereof. All non-approved cloud services must be reviewed and approved by the cloud security architect or third-party risk management.”

    11. Abuse and nefarious use of cloud services. “Enterprises should monitor their employees in the cloud, as traditional mechanisms are unable to mitigate the risks posed by cloud service usage.”

  • Google increasing account protections for users impacted by Russian invasion of Ukraine

    Google detailed a series of measures it’s taking to help those impacted by the ongoing Russian invasion of Ukraine deal with associated cyber threats and privacy risks. 

    In a lengthy Twitter thread, Google Europe ran through a list of measures it’s taking to automatically safeguard accounts, as well as measures users themselves can take to increase their privacy and security through freely available account features. First, the company made it clear that it is actively attempting to “look out for and disrupt disinfo campaigns, hacking, and financially motivated abuse” surrounding the conflict. This effort includes collaborations with other companies and “relevant government bodies” to address rising threats.

    On an individual level, Google has automatically increased account security protections for people in the regions affected by the conflict. This includes measures like enabling two-factor authentication (2FA) for users that didn’t already have it activated and promoting the use of its Advanced Protection Program. The Advanced Protection Program offers extra safeguards for individuals who believe they may be at higher-than-normal risk of being targeted by bad actors. The obvious candidates here would be Ukrainian government officials, journalists, and anyone else who may be targeted by state-sponsored or freelance hackers. For users in the conflict zone, as well as those browsing information about it, Google has enabled Safe Browsing mode by default; this will identify known phishing and malware insertion attempts from around the web for users on any of its Chrome browsers or branded sites and services. Users wishing additional protection against malicious downloads can also access Google’s free VirusTotal service, which analyzes files for suspicious data or URLs, including the recently discovered wiper malware already known to be targeting individuals in Ukraine and Latvia.

    Lastly, the company details a series of ongoing efforts to combat misinformation and propaganda campaigns, including tweaking YouTube to surface “videos from trusted news sources,” and removing “hundreds of channels & thousands of videos” that provided “violative misinformation.” Similarly, all ads attempting to exploit the crisis will be blocked. At the same time, Google is donating $2 million worth of ad space to humanitarian organizations to help “connect people on the ground searching for resources with information.”

  • CISA, FBI warn US orgs of WhisperGate and HermeticWiper malware

    The Cybersecurity and Infrastructure Security Agency (CISA) and FBI released new guidance on the WhisperGate and HermeticWiper malware strains in a joint advisory this weekend. The government agencies warned US organizations and companies to look out for WhisperGate and HermeticWiper after they were seen being used against organizations in Ukraine in the run-up to Russia’s invasion of the country. Both CISA and the FBI reiterated that there is no specific threat against US organizations.

    “In the wake of continued denial of service and destructive malware attacks affecting Ukraine and other countries in the region, CISA has been working hand-in-hand with our partners to identify and rapidly share information about malware that could threaten the operations of critical infrastructure here in the US,” said CISA Director Jen Easterly. “Our public and private sector partners in the Joint Cyber Defense Collaborative (JCDC), international computer emergency readiness team (CERT) partners, and our long-time friends at the FBI are all working together to help organizations reduce their cyber risk.”

    CISA urged US organizations to take measures to protect themselves by enabling multifactor authentication, deploying antivirus and antimalware programs, enabling spam filters, updating all software and filtering network traffic. The joint advisory, “Destructive Malware Targeting Organizations in Ukraine,” comes as CISA expanded its Shields Up webpage to include new services and resources, recommendations for corporate leaders and actions to protect critical assets. CISA has also created a new Shields Up Technical Guidance webpage that provides more details on other cyberattacks facing Ukraine and technical resources to deal with threats.

    “The FBI alongside our federal partners continues to see malicious cyber activity that is targeting our critical infrastructure sector,” said FBI Cyber Division Assistant Director Bryan Vorndran. “We are striving to disrupt and diminish these threats; however, we cannot do this alone. We continue to share information with our public and private sector partners and encourage them to report any suspicious activity. We ask that organizations continue to shore up their systems to prevent any increased impediment in the event of an incident.”

    Dozens of systems within at least two Ukrainian government agencies were wiped during a cyberattack using WhisperGate in January. Microsoft released a detailed blog about WhisperGate and said it was first discovered on January 13. Multiple security companies have released guidance and examinations of the malware since it emerged. In a follow-up examination of WhisperGate, security company CrowdStrike said the malware aims “to irrevocably corrupt the infected hosts’ data and attempt to masquerade as genuine modern ransomware operations.” “However, the WhisperGate bootloader has no decryption or data-recovery mechanism and has inconsistencies with malware commonly deployed in ransomware operations,” CrowdStrike explained. “The activity is reminiscent of VOODOO BEAR’s destructive NotPetya malware, which included a component impersonating the legitimate chkdsk utility after a reboot and corrupted the infected host’s Master File Table (MFT) — a critical component of Microsoft’s NTFS file system. However, the WhisperGate bootloader is less sophisticated, and no technical overlap could currently be identified with VOODOO BEAR operations.”

    Kitsoft, the company that built about 50 of Ukraine’s government websites, said that it discovered WhisperGate malware on its systems too.

  • Ukraine security agencies warn of Ghostwriter threat activity, phishing campaigns

    The Computer Emergency Response Team for Ukraine (CERT-UA) has warned of ongoing phishing and Ghostwriter activities attacking organizations in the country. 

    On February 26, CERT-UA said it continues to track the movements of UNC1151/Ghostwriter, which is currently attacking targets in Ukraine, Poland, Belarus, and Russia. Ghostwriter is believed to be of Belarusian origin. According to the security agency, its members are officers of the Ministry of Defence of the Republic of Belarus. Cybersecurity firm Mandiant has been tracking campaigns supported by UNC1151. In particular, the company says that “technical support” is provided to Ghostwriter campaigns and the Belarus government has been accused of being at least “partially responsible” for the activities of these cyberattackers. The European Council has previously accused Russia of having a part to play in Ghostwriter campaigns.

    Ghostwriter is said to align with Belarus state interests. Past activities have included promoting anti-NATO material through misinformation networks, spoofing, and website hijacking, as well as targeting Belarusian media outlets and individuals prior to the 2020 election. “Ghostwriter narratives, particularly those critical of neighboring governments, have been featured on Belarusian state television as fact,” Mandiant says. According to CERT-UA, Ghostwriter cyberattacks have been recorded against the World Association of Belarusians, Belarusian Music Festival, literature and arts magazine Dziejaslou, Belarusian newspaper Sovetskaya Belorussiya, employees of the National Academy of Sciences of Belarus, and the Voice of Motherland newspaper. In addition, the agency warns that passport[.]command-email.online is an active phishing domain being used by the threat group.

    CERT-UA has been publishing frequent threat intelligence since the start of the Russia-Ukraine conflict. CERT-UA has also warned of mass phishing emails being sent by UNC1151 to “Ukrainian military personnel and related individuals” using email accounts with ‘i.ua’ and ‘meta.ua’ addresses. A sample phishing message is below: “Dear user! Your contact information or not you are a spam bot. Please, click the link below and verify your contact information. Otherwise, your account will be irretrievably deleted. Thank you for your understanding. Regards, I.UA Team.”

    On Monday, the National Security and Defense Council of Ukraine (NSDC/RNBO) also reported calls and phishing attempts made to obtain information from targets by pretending to be the post office of the Security Service of Ukraine (SBU). The Cyber Police Department of the National Police of Ukraine reports that fake phishing emails are also being sent that are masked as evacuation notices.

    In related news, hacktivist collective Anonymous says it has become involved in the conflict, claiming that it is responsible for the defacement of Russian government websites and a takedown of the state news outlet RT. RT and other state-funded media organizations have since been banned from generating revenue through ads by Google’s search and YouTube units. On February 28, the TASS Russian news outlet appeared to suffer from a cyberattack and visitors were temporarily unable to access the website. Anonymous, or someone claiming to be part of the collective, claimed responsibility. Meta, formerly known as Facebook, has restricted access to some accounts owned by Russian state media organizations. Meta’s Head of Security Policy Nathaniel Gleicher and Director of Threat Disruption David Agranovich said on February 27 that a network operated by people in Russia — and Ukraine — was targeting Ukraine with fake news and propaganda. According to the firm, there has also been “increased targeting” of the Ukrainian military and public figures by Ghostwriter.

  • Microsoft warning: Some files might not be deleted when you reset a Windows PC

    Microsoft has warned Windows 10 and Windows 11 users that files might not be deleted after resetting the device using the “Remove everything” option. The issue stems from Microsoft’s OneDrive cloud file service and could mean files that were synced locally remain on a computer after a local or remote reset, which admins might do before handing the device to a new owner.  

    This issue can occur when attempting a manual reset from Windows or a remote reset from Intune or other mobile device management platforms, Microsoft warns. “When attempting to reset a Windows device with apps which have folders with reparse data, such as OneDrive or OneDrive for Business, files which have been downloaded or synced locally from OneDrive might not be deleted when selecting the ‘Remove everything’ option,” Microsoft says in an update to its known issues for Windows 11 21H2. “OneDrive files which are ‘cloud only’ or have not been downloaded or opened on the device are not affected and will not persist, as the files are not downloaded or synced locally.”

    Microsoft notes that some device manufacturers and some documentation might call the feature to reset a device “Push Button Reset”, “PBR”, “Reset This PC”, “Reset PC”, or “Fresh Start”.

    As reported by BleepingComputer, the issue was discovered by Microsoft MVP Rudy Ooms, who found that user data was still readable in the “Windows.old” folder after completing a remote or local wipe of a Windows 10 device. Ooms details his findings in a blog post, including that data encrypted with BitLocker is moved in clear form to the Windows.old folder after a Windows reset. Windows.old is a folder containing the previous version of Windows on a device.

    The issue affects Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 21H1; and Windows 10, version 20H2, according to Microsoft. The company is working on a fix for an upcoming release, but in the meantime it does have a workaround for the file-persisting issue. Admins can prevent the issue by signing out of or unlinking OneDrive before resetting a Windows device. Microsoft provides instructions to do this in the “Unlink OneDrive” section of the support page Turn off, disable, or uninstall OneDrive. Users can also mitigate the issue on devices that have already been reset by using the Windows feature Storage Sense in the Settings app. Storage Sense can be used to delete the Windows.old folder. Microsoft provides instructions for doing that in the support page KB5012334.

  • Australia’s intelligence community dismisses concerns about proposed data-gathering powers

    Australia’s national intelligence agencies have dismissed concerns surrounding laws currently before Parliament that would provide them with expanded data-gathering powers in circumstances where an Australian person’s safety is at imminent risk. The Bill in question, if passed, would enable national intelligence agencies to undertake activities to produce intelligence where there is, or is likely to be, an imminent risk to the safety of an Australian person, such as from terrorist attacks or kidnappings. It would also allow these agencies to seek ministerial authorisation to produce intelligence on Australians involved with a listed terrorist organisation, rather than having to obtain multiple, concurrent authorisations to produce intelligence on individual Australian persons who are suspected of being involved with a listed terrorist organisation. Opposition to the Bill has primarily come from the Law Council of Australia (LCA), which told the Parliamentary Joint Committee on Intelligence and Security (PJCIS) it was unsure whether the expanded powers would be proportionate to their operational objectives. In a submission to the PJCIS, which is responsible for scrutinising Australia’s intelligence powers, the LCA said there are no safeguards to prevent agency heads from using their intelligence-gathering powers on an Australian in situations where they are not at imminent risk. “There is no requirement that the agency head must also assess the nature and degree of the imminent risk to the person’s safety, and be satisfied that it is sufficiently serious as to warrant the exercise of powers in the absence of a ministerial authorisation,” LCA wrote in its submission to the committee.
“For example, there is no requirement to be satisfied that there is a risk of death or serious harm to the person.” The LCA added it was also concerned about expanding the influence of a single ministerial authorisation so it can enable intelligence-gathering of entire terrorist organisations due to the broad nature of such an authorisation. The council specifically noted the lack of an exhaustive list for what is deemed to be “involvement with a listed terrorist organisation”. “The Law Council notes that the concept of a person’s ‘involvement with’ a listed terrorist organisation has the potential to be extremely broad, covering both direct and indirect forms of engagement,” it said. “The Law Council suggests that consideration is given to placing more precise statutory parameters on the concept of ‘involvement with’ a listed terrorist organisation.” In response to these concerns, representatives from the Department of Home Affairs, Australian Security Intelligence Organisation, Australian Signals Directorate (ASD), and the Office of National Intelligence said these expanded powers would only be used in “niche circumstances”. “In an operational sense, when we kind of try to apply these new provisions to real-world situations what we’re trying to do is save minutes and possibly hours in operational circumstances where an Australian person has been kidnapped overseas,” ASD Director-General Rachel Noble said, when explaining the “imminent risk” powers. Noble said waiting for ministerial authorisations is not always possible in “imminent risk” situations as overseas kidnappings and mass casualty events can often occur in the middle of the night. 
    Addressing the LCA’s concern regarding ministerial authorisations potentially being too broad for gathering intelligence on listed terrorist organisations, a Home Affairs representative said the authorisations would only be used by intelligence agencies to investigate members of the class that directly participate in listed terrorist organisations. Home Affairs electronic surveillance assistant secretary Paul Pfitzner said authorisations for agencies to perform intelligence activities on a listed terrorist organisation would only allow them to investigate individuals who recruit others, provide and receive training, provide financial or other forms of support, and advocate on behalf of the organisation. “We don’t want to pretend that we’ll necessarily be able to capture every scenario, situation, or circumstance that might arise in the course of an intelligence agency undertaking their work and finding how people may or may not be involved with a particular terrorist organisation,” Home Affairs electronic surveillance first assistant secretary Andrew Warnes added. In terms of accountability, Pfitzner said all intelligence agencies that collect data about terrorist organisation individuals through ministerial authorisations would have to keep a list of these identified individuals and provide reasons why they are classified as being part of those organisations.

  • Meta blocks Russian state-media accounts in Ukraine

    Meta, formerly Facebook, has announced it has restricted access to several accounts, including some belonging to Russian state-media organisations, in Ukraine. “We have been in contact with the government of Ukraine. At their request, we have restricted access to several accounts in Ukraine, including those belonging to some Russian state media organisations,” Meta VP global affairs Nick Clegg wrote in a tweet.

    “We are also reviewing other government requests to restrict Russian state-controlled media.” The steps taken by the social media giant are in response to Russia’s invasion of Ukraine, which began four days ago. Meta added it has also established a special operations centre staffed by “experts” from across the company, including native Russian and Ukrainian speakers, to monitor its platform and respond to misinformation issues in real time. “We have teams of native Russian and Ukrainian content reviewers to help us review potentially violating content. We’re also using technology to help us scale the work of our content review teams and to prioritise what content those teams should be spending their time on, so we can take down more violating content before it goes viral,” Meta said.

    Additionally, the company outlined it has introduced new security features to keep people in Ukraine safe. These include giving users the tool to lock their Facebook profile in one step, temporarily removing the ability to view and search the friends lists of Facebook accounts in Ukraine, rolling out notifications for screenshots, and activating the disappearing messages feature on Messenger. “View once media” has also been enabled on WhatsApp to allow users to send photos or videos that can vanish after being seen, as well as “disappearing mode” to automatically erase all new chats after 24 hours. Russian state media have also been blocked from advertising and making money on Meta’s platform, the company said. “Our thoughts are with everyone affected by the war in Ukraine. We are taking extensive steps across our apps to help ensure the safety of our community and support the people who use our services — both in Ukraine and around the world,” Meta wrote in a post.

    Clegg also wrote on Twitter that Ukrainians have suggested that Meta remove access to Facebook and Instagram in Russia. However, he said: “People in Russia are using FB and IG to protest and organise against the war and as a source of independent information.” “The Russian government is already throttling our platform to prevent these activities. We believe turning off our services would silence important expression at a crucial time,” he said.

    Twitter said it has also taken similar steps, including pausing advertisements in Ukraine and Russia “to ensure critical public safety information is elevated and ads don’t detract from it”. Meanwhile, Twitch and OnlyFans have reportedly blocked all users from Russia from accessing their accounts, preventing users from being able to withdraw money earned on their respective platforms, amid tougher sanctions being introduced against Russia.

  • Singapore advises local firms to beef up cyberdefence amidst Ukraine conflict

    Singapore has issued an advisory note highlighting the need for local organisations to bolster their cyberdefence amidst the ongoing conflict between Ukraine and Russia. In particular, businesses should be on the lookout for possible ransomware attacks, as such tactics are commonly used by threat actors. There were no immediate reports of any threats to local businesses related to the Ukraine conflict, but organisations here were urged to take “active steps” to beef up their cybersecurity posture, according to the Cyber Security Agency of Singapore (CSA). The government agency noted that cyber attacks on Ukraine and developments in the conflict had fuelled warnings of increased cyber threats across the globe. Organisations in Singapore should increase their vigilance and strengthen their cyberdefences to safeguard against potential attacks, such as web defacement, distributed denial of service (DDoS), and ransomware.

    In an advisory note issued Sunday, the Singapore Computer Emergency Response Team (SingCERT) pointed to the need to keep watch for ransomware attacks, which were one of the most common attacks launched by threat actors. “Falling victim to such attacks will adversely impact the operations and business continuity of any organisation,” said SingCERT, which sits within CSA. It said Singapore businesses should carry out the necessary steps to secure their networks and review system logs to swiftly identify potential intrusions. These should include ensuring systems and applications were patched and updated to the latest version, disabling ports that were not essential for business purposes, and adopting strong access controls when using cloud services. In addition, system events should be properly logged to facilitate investigation of suspicious issues, while both inbound and outbound network traffic should be monitored for suspicious communications or data transmissions, SingCERT said. It added that organisations also should have in place incident response and business continuity plans. Any suspected compromise of corporate networks or evidence of such incidents should be reported to SingCERT.

    The Australian Cyber Security Centre (ACSC) this past week also issued an advisory note urging local organisations to adopt an “enhanced cybersecurity position” and boost their cybersecurity resilience in light of the heightened threat landscape. “There has been a historical pattern of cyber attacks against Ukraine that have had international consequences,” it said. “Malicious cyber activity could impact Australian organisations through unintended disruption or uncontained malicious cyber activities. While the ACSC is not aware of any current or specific threats to Australian organisations, adopting an enhanced cybersecurity posture and increased monitoring for threats will help to reduce the impacts to Australian organisations.”

    Also stressing the need for vigilance against ransomware attacks, the Australian agency advised local businesses to review and enhance detection, mitigation, and response measures. They should, amongst other things, ensure logging and detection systems in their environment were fully updated and functioning and apply additional monitoring of their networks where required.

    The Ukraine government reportedly had sought volunteers from the nation’s hacker community to protect critical infrastructure and run cyber spying missions against Russia. Citing sources involved in the call to action, a Reuters report said requests for volunteers popped up on hacker forums on Thursday.