More stories


    CaddyWiper: More destructive wiper malware strikes Ukraine

    Researchers have uncovered a new form of wiper malware being used in assaults against Ukrainian organizations. 


    On March 14, ESET published a Twitter thread documenting the malware, dubbed CaddyWiper, that was compiled on the same day it was deployed to target networks. The wiper — the third discovered in as many weeks by the cybersecurity firm — has been detected “on a few dozen systems in a limited number of organizations,” according to ESET.

    CaddyWiper is wiper malware: malicious code specifically designed to damage target systems by erasing user data, programs, hard drives, and in some cases, partition information. Unlike ransomware, Trojans, and other common malware variants, wipers are not focused on theft or financial gain — rather, they erase everything in their path for purely destructive purposes.

    The new wiper follows this pattern by wiping out user data and partition information. However, ESET says that CaddyWiper does avoid erasing information on domain controllers. “This is probably a way for the attackers to keep their access inside the organization while still disturbing operations,” the team said.

    In cases detected so far, CaddyWiper has been spread through Microsoft Group Policy Objects (GPOs). In one example, a network’s default GPO was abused to spread the malware, which suggests that the attackers had already obtained access to Active Directory services prior to the deployment of CaddyWiper.

    ESET noted, however, that CaddyWiper does not share any “significant” code similarities with HermeticWiper or IsaacWiper, two other wiper strains found by the firm in recent weeks. HermeticWiper has impacted hundreds of machines belonging to Ukrainian organizations and abuses drivers for its data-destroying activities. IsaacWiper, found in a Ukrainian government network, also contains worm-like capabilities and ransomware features.

    The Computer Emergency Response Team for Ukraine (CERT-UA) has requested that organizations in the country suspecting CaddyWiper infiltration report such incidents.

    Microsoft first warned of the use of wiper malware against Ukraine in January, prior to Russia’s invasion. The country has also experienced a Distributed Denial-of-Service (DDoS) attack, launched against government services and banks, leading to calls for a volunteer “IT army” to protect Ukraine’s critical infrastructure.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    Pandemic pushes cybersecurity to top agenda in Asean boardrooms

    Cybersecurity is on the agenda in boardrooms across Asean, where business leaders discuss plans to plug existing gaps and adopt next-generation capabilities. This focus is necessary, as 94% of organisations in the region reported a climb in cyberattacks last year, with 24% seeing at least a 50% increase in disruptive attacks. The majority, at 92%, believe cybersecurity is a priority for their business leaders today amidst the ongoing global pandemic, according to a survey by Palo Alto Networks. Conducted in November 2021, the online study polled 500 respondents across five Asean markets, comprising 100 each from Singapore, Indonesia, Malaysia, Thailand, and the Philippines. The IT decision makers and business leaders were from five verticals: financial services, government, retail, telecommunications, and fintech.


    Some 74% pointed to an increased focus on cybersecurity within their leadership team, with 46% discussing such issues at the board level every quarter and another 38% doing so every month. With the heightened focus, 68% revealed plans to boost their cybersecurity budgets this year. Some 48% said this was fuelled by the adoption of next-generation security technologies, while 46% pointed to the need to plug existing cybersecurity gaps. Another 44% cited the aim to optimise operations.

    In particular, hybrid and remote work arrangements had underscored the emphasis on personal safety, as 57% of Asean organisations looked to expand their remote workforce and another 57% would widen their network of smart devices. Some 58% were also increasing their investment in mobile apps, as businesses looked to drive their digital transformation, the Palo Alto report noted.

    Such initiatives had pushed 90% of respondents to evolve their cybersecurity strategy to remain secure. Specifically, 54% pointed to cloud security as the top security measure post-pandemic. Another 46% deployed Internet of Things (IoT) as well as operational technology (OT) security measures, while 45% focused on access management. Furthermore, with 54% reporting a climb in digital transactions with suppliers and third-party providers, 54% cited the need to adopt cybersecurity products and services to safeguard against cyber threats. Another 51% underscored the importance of protecting themselves against unmonitored and unsecured IoT devices connected to the corporate network.

    Across the region, 45% from the financial services sector and 42% from fintechs saw themselves as most at risk of cyber attacks, with malware attacks topping their concerns. These two market segments, though, were the most confident in the cybersecurity measures they had put in place to safeguard against attacks. Some 79% from financial services and 76% of fintechs reported a strong focus on cybersecurity amongst their business leaders, slightly above the regional average of 74%. In addition, 81% of financial services companies and 75% of fintechs reported an increase in their cybersecurity budgets, compared to the regional average of 68%. Almost all respondents across the board, at 96%, had a dedicated in-house IT team for managing cyber risks.

    Palo Alto Networks’ field chief security officer Ian Lim said: “The pandemic has served as a catalyst for Asean business leaders to sit up and pay greater attention to their cybersecurity defence measures, [with] many recognising the deep impact it can have on their business continuity. To manage today’s remote workforce in a digital-first environment, cybersecurity must be integrated horizontally across all facets of the business and considered as part of every corporate action.”


    Assange's request to appeal US extradition denied by UK Supreme Court

    The UK Supreme Court has refused to hear WikiLeaks founder Julian Assange’s appeal against his extradition to the US. The request for an appeal was denied as Assange’s application did not raise “an arguable point of law”, according to a court spokesperson.

    The 50-year-old WikiLeaks founder has been wanted in the US since the early 2010s for his role in publishing thousands of classified documents on the WikiLeaks website. Assange faces an 18-count indictment from the US government that accuses him of conspiring with former US Army intelligence analyst Chelsea Manning to hack into US military databases to acquire sensitive secret information, and of publishing the unredacted names of sources in Iraq and Afghanistan that provided information to the US. According to the indictment, Assange’s actions risked serious harm to US national security and put those sources at a grave and imminent risk of serious physical harm.

    The UK High Court approved the extradition to the US at the end of last year. That decision overruled an earlier ruling made at the start of 2021 at a UK district court, which denied the US request based on the court’s perception that it posed too great a risk to Assange’s wellbeing. UK Home Secretary Priti Patel is now expected to make a final decision on whether the extradition will go ahead, WikiLeaks said. If Patel approves the extradition, Assange will be able to issue one last challenge against the extradition, as no appeal to the High Court has been filed as yet.

    Assange is currently held in a UK prison as he fights the extradition case. Prior to this, he sought asylum at Ecuador’s embassy in London for almost 10 years until he was arrested in 2019, when his asylum was withdrawn.


    Best YubiKey 2022: Top security keys compared

    Whenever I’m asked for things that are a must-have, a YubiKey is at the top of my list no matter what platform or operating system people are using — Windows, Mac, or Linux, Android or iOS. It doesn’t matter. Everyone needs a YubiKey. A hardware authentication device made by Yubico, it’s used to secure access to online accounts, computers, and networks.

    The YubiKey 5 Series keys look like small USB flash drives and come in a range of different connectors — USB-A, USB-C, and a USB-C and Lightning combo. There are versions that also include support for NFC. They offer two-factor authentication (also known as multi-factor authentication or two-step verification) for hundreds of online services, from Facebook, Google, and Twitter, to more specific services such as Coinbase, Salesforce, and Login.gov. Your YubiKey can also be used to secure password storage services such as Bitwarden, Password Safe, and LastPass. The YubiKey 5 Series keys support a broad range of protocols, such as FIDO2/WebAuthn, U2F, Smart card, OpenPGP, and OTP.

    Having a YubiKey removes the need, in many cases, to use SMS for two-factor authentication — a method that has been shown to be insecure. If your online accounts are keeping something that you can’t afford to lose, a YubiKey makes perfect sense. I’ve been using YubiKeys for years now, and they have been flawless and foolproof. While one YubiKey is enough to get started with, I have several. Not only does this give me a backup in case I lose one (I haven’t yet!), but if I pick a couple with different connectors (say the USB-C/Lightning and a USB-A with NFC), this gives me the flexibility to log into accounts across a range of devices.

    USB-A and NFC support

    This YubiKey features a USB-A connector and NFC compatibility. Like all YubiKeys, this one is water and crush resistant.
    USB type: USB-A
    Features: WebAuthn, FIDO2 CTAP1, FIDO2 CTAP2, Universal 2nd Factor (U2F), Smart card (PIV-compatible), Yubico OTP, OATH – HOTP (Event), OATH – TOTP (Time), OpenPGP, Secure Static Password
    Certification: FIDO2 Certified, FIDO Universal 2nd Factor (U2F) Certified
    Password manager support: 1Password, Keeper, LastPass Premium, Bitwarden Premium
    Pros: USB-A and NFC offer broad support; low cost
    Cons: No USB-C support

    USB-C and NFC support

    This YubiKey features a USB-C connector and NFC compatibility.
    USB type: USB-C
    Features: WebAuthn, FIDO2 CTAP1, FIDO2 CTAP2, Universal 2nd Factor (U2F), Smart card (PIV-compatible), Yubico OTP, OATH – HOTP (Event), OATH – TOTP (Time), OpenPGP, Secure Static Password
    Certification: FIDO2 Certified, FIDO Universal 2nd Factor (U2F) Certified
    Password manager support: 1Password, Keeper, LastPass Premium, Bitwarden Premium
    Pros: USB-C and NFC offer broad support; low cost
    Cons: No USB-A support

    USB-C and Lightning support

    This YubiKey features a USB-C connector and a Lightning connector for the iPhone.
    USB type: USB-C and Lightning
    Features: WebAuthn, FIDO2 CTAP1, FIDO2 CTAP2, Universal 2nd Factor (U2F), Smart card (PIV-compatible), Yubico OTP, OATH – HOTP (Event), OATH – TOTP (Time), OpenPGP, Secure Static Password
    Certification: FIDO2 Certified, FIDO Universal 2nd Factor (U2F) Certified
    Password manager support: 1Password, Keeper, LastPass Premium, Bitwarden Premium
    Pros: USB-C and Lightning offer broad support
    Cons: No USB-A support

    USB-A and NFC support and FIDO certified

    A cheaper version of the YubiKey, this one is FIDO certified and works with Google Chrome and any FIDO-compliant application on Windows, macOS, or Linux. Use this to secure your login and protect your Gmail, Dropbox, Outlook, Dashlane, 1Password accounts, and more. Note that this YubiKey is not compatible with LastPass, which requires a YubiKey 5. Always check for compatibility with the services you want to use before buying.
    USB type: USB-A
    Features: WebAuthn, FIDO2 CTAP1, FIDO2 CTAP2, Universal 2nd Factor (U2F)
    Certification: FIDO2 Certified, FIDO Universal 2nd Factor (U2F) Certified
    Password manager support: 1Password, Keeper, Bitwarden Premium
    Pros: USB-A and NFC offer broad support; very low cost
    Cons: No USB-C support

    What is a YubiKey?

    A YubiKey is the ultimate line of defense against having your online accounts taken over. And with prices starting at $25, it’s one of those indispensable gadgets for the 21st century.

    What’s the main difference between the YubiKey 5 series and the YubiKey FIDO?

    The YubiKey FIDO key supports far fewer protocols and services, and is more aimed at the home users, hence the low price.

    What if I lose my key?

    Most services allow you to set up a recovery mechanism in case you lose your security key, but it is highly recommended that you have a minimum of two keys and register all of them with every service you use. That way you have a backup key in case your main key is lost, stolen, or damaged.

    Do YubiKeys have a battery or need recharging?

    No, they draw their power from the USB port and there’s no battery to charge or replace.

    How robust are YubiKeys?

    Very. They are crushproof, waterproof, and impact resistant. I’ve carried YubiKeys on my keyring for years and not had a problem. That said, they’re not indestructible, so don’t go deliberately abusing them.


    Hit by ransomware or paid a ransom? Now some companies will have to tell the government

    Owners and operators of US critical infrastructure will now in some cases be legally required to report cyberattacks and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA).

    The bipartisan provision was passed by the US Senate as part of the $1.5 trillion FY 2022 funding bill, with language matching the related Strengthening American Cybersecurity Act, which unanimously passed the Senate earlier this month. It requires critical infrastructure operators and owners to report substantial cyberattacks, like ransomware, to CISA within 72 hours, and to report a ransomware payment within 24 hours of making it. It aims to give the US government, through CISA, greater visibility into the current threat landscape facing US private and public sector organizations. CISA was granted $2.6 billion under the funding bill, or $568 million more than last year, to bolster the security of American networks.

    The authors of the bill and funding provision, senators Rob Portman (R-OH) and Gary Peters (D-MI), said it was urgently needed to counter potential cyberattacks sponsored by the Russian government in retaliation for U.S. support in Ukraine. “This provision will create the first holistic requirement for critical infrastructure operators to report cyber incidents so the federal government can warn others of the threat, prepare for widespread impacts, and help get our nation’s most essential systems back online so they can continue providing invaluable services to the American people,” said Senator Peters. “Our provision will also ensure that CISA – our lead cybersecurity agency – has the tools and resources needed to help reduce the impact that these online breaches can have on critical infrastructure operations.”

    CISA can also subpoena operators that fail to report incidents or ransomware payments. Failing to comply with the subpoena can be referred to the Justice Department and could result in a ban on contracting with the federal government. Reporting ransomware payments within 24 hours to CISA is required for nonprofits, businesses with more than 50 employees, and state and local governments.

    The bill was introduced in September in the wake of Colonial Pipeline’s week-long outage after suffering a major ransomware attack, and a similar attack on meat processor JBS. Colonial paid around $4 million in cryptocurrency to the attackers.

    The provision requires that CISA launch a program to warn organizations of vulnerabilities that ransomware actors exploit. It directs the CISA director, Jen Easterly, to establish a joint ransomware task force to coordinate federal efforts, in consultation with industry, to prevent and disrupt ransomware attacks.

    The FBI has campaigned against mandatory reporting to CISA, Associated Press reports. “We want one call to be a call to us all,” FBI Director Christopher Wray said last week. “What’s needed is not a whole bunch of different reporting but real-time access by all the people who need to have it to the same report.” He also raised concerns about liability coverage that organizations have when reporting to CISA but not the FBI.

    CISA’s Easterly said the cyber incident reporting legislation and funding provision was a “game changer”. “CISA will use these reports from our private sector partners to build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure,” said Easterly. “This information will fill critical information gaps and allow us to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.”


    Leaks reveal the surprisingly mundane reality of working for a ransomware gang

    A choice of office-based, hybrid or remote work, a human resources team with a strict hiring process, performance reviews, career progression and bonuses – it all sounds like the standard set-up at any software development team. But these aren’t the working conditions at a software company, but instead at Conti, a major ransomware group responsible for a string of high-profile incidents around the world, including cyber attacks which have disrupted businesses, hospitals, government agencies and more.

    Last month, Conti, which many cybersecurity experts believe operates out of Russia, came out in support of the Russian invasion of Ukraine. This annoyed someone, who then leaked months of Conti’s internal chat logs, providing inside information on the day-to-day operations of one of the most prolific ransomware operations on the planet.

    And while Conti’s actions – hacking into networks, encrypting files and demanding ransom payments of millions for a decryption key – can have a dramatic impact on the organisations that fall victim, the leaks paint a relatively mundane picture of an organisation with coders, testers, system administrators, HR personnel and other staff. Researchers who analysed the leaks were able to identify a range of different job roles across the organisation, from the HR team responsible for making new hires, to the malware coders, testers, ‘crypters’ who work on code obfuscation, sysadmins who build the attack infrastructure, the gang’s offensive team who aim to turn a breach into a full capture of the targeted network – and the negotiation staff who try to make a deal with the victims.

    Many of those involved in Conti become involved via advertisements on dark web underground forums, but some are approached using more traditional means, like Russian recruitment websites, head-hunting services and word of mouth. Like any other hiring process, the applicants are interviewed in order to ensure they have the right skills and would be a good fit for the group.

    According to analysis of the leaks by cybersecurity researchers at Check Point, some people recruited by Conti aren’t even aware they’re working for an illegal operation, at least initially – the leaks suggest that some of those brought in for interviews are told they’re helping to develop software for penetration testers. One leaked chat reveals how one member of the Conti staff, who unlike almost every other member of the group mentions their real name, was confused about what the software they were working on actually did, and why the people he worked with tried to protect their identities so much. In this case, his manager tells the employee he’s helping to build the backend for analytics software.

    And this wasn’t a one-off: there are many members of the Conti gang who seemingly don’t grasp how they’re involved in cyber crime. “There are dozens of employees that were hired via legitimate job processes and not via underground forums. It is tough to tell how many of them don’t understand at all what they are doing, but many of them for sure don’t understand the real scope of the operation and what exactly their employer is doing,” Sergey Shykevich, threat intelligence group manager at Check Point Software, told ZDNet.

    Sometimes these initially unwitting accomplices to cyber crime later discovered what they were helping to build. In these cases, the managers attempted to reassure their employees with the offer of a pay rise – many opted to stay, the lucrative nature of the work being more appealing than quitting to find another job.

    While many of the roles are purely online, Conti’s chat logs reveal that it isn’t unusual for members of the group to work from communal offices and workspaces in Russian cities. Once again, the chat logs reveal some of the day-to-day events and incidents that the employees face – for example, someone sent messages asking their colleagues to let them in because a door was jammed from the outside.

    The leaks have provided cybersecurity researchers with valuable insight into how one of the world’s most notorious ransomware operations works, as well as the tools and techniques it uses to extort ransoms out of victims. But despite the embarrassment for a ransomware operation of having so much internal data leaked – especially given how a key tactic of Conti is to threaten to publish stolen data if their victims don’t pay the ransom – it’s unlikely to be the end of the group, which is still publishing information on new victims.

    Some employees may leave, but even for those who unwittingly signed up to cyber crime, the lure of reliable income could still be enough to encourage them to stay – especially as sanctions against Russia could potentially restrict their employment opportunities. “I don’t see any scenario that they will stop with the cyber crime activity completely,” said Shykevich. “The availability of potential positions in the legitimate tech sector in Russia for developers and pen testers has become much lower, so I think even the unwitting employees that now understand what they are doing will move to cyber crime, as it will be difficult for them to find a legit job,” he added.

    Ransomware remains a major cybersecurity threat which can cause a huge amount of disruption to organisations of all kinds. The best way to defend against ransomware is to ensure that the network is as protected from cyber attacks as possible, with appropriate levels of security, including the use of multi-factor authentication across the network. It’s also vital for organisations to apply security updates and patches for known software vulnerabilities as soon as possible, as these, along with weak usernames and passwords, are some of the key entry points exploited to help launch ransomware attacks.


    Automotive giant Denso confirms hack, Pandora ransomware group takes credit

    Denso has confirmed a cyberattack impacting the firm’s German operations. 

    The company is a global supplier of automotive components, including those developed for autonomous vehicle features, connectivity, and mobility services. Denso says that its technologies are used in “almost all vehicles around the globe.” Clients include Toyota, Honda, General Motors, and Ford. Consolidated revenue in the 2020-2021 fiscal year was reported as $44.6 billion.

    On March 14, Denso said that four days prior, a third party had “illegally accessed” the firm’s network. When the intrusion was detected, the automotive giant cut off the connection. While the incident is under investigation, Denso says that there is “no impact” on other facilities and no disruption has been caused to production plants or manufacturing schedules. Local authorities have been informed and the company has pulled in cyberforensic experts to assist.

    “Denso would like to express its sincerest apologies for any concern or inconvenience resulting from this incident,” Denso said. “Denso Group will once again strengthen security measures and work to prevent a recurrence.”

    It appears that the Pandora ransomware group has claimed responsibility. The group’s leak site, accessed by ZDNet via Kela’s Darkbeast engine, claims that 1.4TB of data has been stolen. Leak sites are used to pile on the pressure for victims to pay up after a ransomware attack. Cybercriminals infiltrate a corporate network, steal data, and then encrypt a system — and if demanding payment for decryption does not work, they may then threaten to leak stolen information online.

    In this case, the leak site appears to show samples of the stolen datasets, including a purchase order, a technical component document, and a sales file. (ZDNet has redacted information contained in the document.)

    ZDNet has reached out to Denso with additional queries and we will update when we hear back.


    Ukraine reportedly adopts Clearview AI to track Russian invaders

    Ukraine is reportedly using Clearview AI technologies to track “people of interest” during the Russian invasion.  


    On March 13, Reuters reported that the Ministry of Defence of Ukraine had adopted the firm’s facial recognition engine. Clearview CEO Hoan Ton-That offered the US company’s assistance to Kyiv, and according to the news outlet, the AI tech is being used to “potentially vet people of interest at checkpoints, among other uses,” for free. The startup has not offered the same to Russia, whose President Putin calls the war a “special military operation.”

    Clearview offers facial recognition technologies to law enforcement for criminal investigations. The US Patent and Trademark Office (USPTO) awarded the company a patent in January for using publicly-available data — including mugshots, social media profiles, and news sites — to match “similar photos using its proprietary facial recognition algorithm.” Over two billion photos have been grabbed from VKontakte, a Russian social network, but over 10 billion are reportedly available for use.

    As well as flagging Russian individuals of interest to authorities, it is possible that the Clearview AI search engine could be used to identify misinformation and propaganda online, to identify refugees and family connections, or potentially as a means to try and identify fatalities. However, no AI algorithm is perfect, and either uncontrolled use or abuse could also result in misidentification or false arrests.

    Reuters reports that other Ukrainian government departments will deploy Clearview technologies in the near future. Training is being provided in the use of the technology. According to Ukraine’s economic ministry, the invasion has caused at least $120 billion in damages to the country’s infrastructure.