More stories


    It's time to stop hoping that cybersecurity problems will just go away

    Businesses are reluctant to admit cybersecurity weaknesses because they fear reputational damage – but by choosing to bury their heads in the sand and ignore security vulnerabilities, they risk more significant damage to their brand if they do get hacked.

    Analysis by cybersecurity and bug bounty company HackerOne suggests that almost two-thirds of organisations maintain a culture of security through obscurity, hoping that weaknesses and vulnerabilities will remain undetected or simply won't cause issues.

    But by choosing to ignore vulnerabilities, organisations are leaving themselves open to cyberattacks and other security issues.

    Unpatched security vulnerabilities are one of the most common weaknesses exploited by cyber criminals to successfully hack networks and software. Even patches for critical vulnerabilities go unapplied by many organisations, sometimes for years, giving hackers an easy way in for as long as the updates haven't been rolled out.

    Many organisations aren't taking security seriously because boardrooms view it as a hindrance: according to the research, two-thirds of security professionals have been told that taking care of cybersecurity is viewed as stifling to innovation. However, if employees aren't aware of cybersecurity risks and don't have appropriate measures in place to maintain security, there's a risk they will circumvent best practices.

    For example, if employees think that having to log in to enterprise software suites and use the approved collaboration tools is less effective and more time consuming than using a personal email address for sharing sensitive information, they could inadvertently expose sensitive data.

    Almost two-thirds of cybersecurity professionals surveyed say their organisation has suffered a security breach as a result of staff side-stepping cybersecurity measures, while just a quarter say they're very confident that staff are following cybersecurity best practices. The report also warns that developers are often pressured to release insecure products, putting organisations that use potentially vulnerable software at risk of being compromised.

    According to HackerOne, it's vital for organisations to commit to more transparency around cybersecurity. "Security could be the difference between winning business and losing it," Marten Mickos, CEO of HackerOne, told ZDNet.

    Even if organisations do fall victim to a cyberattack, being transparent about what happened can help improve the reputation of the company. Mickos cites Norsk Hydro, which fell victim to a ransomware attack and was transparent about the entire recovery process, as an example.

    "The organisation took the responsibility to ensure frequent and candid communications with customers and the wider public, to keep everyone updated on how events were unfolding," he said.

    "Not only did Norsk Hydro maintain customer trust by being transparent about what was happening, the organisation also had the power of exposing key information on the tactics being used by cyber criminals, which is beneficial to the wider industry and other organisations facing growing cyber risks," Mickos added.


    In a world of deepfakes, this billion-dollar startup wants you to trust AI-powered ID checks

    Digital identity is a crowded marketplace, but Veriff believes its AI tech sets it apart.
    In late January 2022, Estonia gained its sixth tech unicorn after identity verification startup Veriff raised $100 million in Series C funding. Veriff is an AI-assisted identity verification and know your customer (KYC) platform used by companies around the world to ensure their customers are who they claim to be.

    Most of the company's biggest customers are in global fintech, where it faces competition from the likes of authentication and verification services Jumio and Fido.

    Today, Veriff is valued at $1.5 billion, joining the ranks of Skype, Playtech, Wise, Pipedrive and Bolt in Estonia's ever-growing lineup of tech startup darlings.

    "It's great that it's done, but we cannot rest on our laurels," Veriff founder and CEO Kaarel Kotkas tells ZDNet. "We have a lot of work ahead."

    Kotkas is only 27, but his interest in tech and entrepreneurial tendencies stretch back more than a decade. He began experimenting with web and verification technologies while still in high school, eventually capturing the attention of billion-dollar fintech company Wise (then called TransferWise), which wanted his help testing its security systems with false IDs.

    In 2015, after his short stint at TransferWise came to an end, Kotkas got to work founding his own company. Three years later, Veriff has set its sights on becoming a household name in the global identity verification market.

    In an already crowded ID ecosystem, Veriff prides itself on the sophistication and accuracy of its authentication engine: a key concern in an age of ever-more convincing, AI-generated fakes.

    "In the financial sector, the identity verification process has traditionally been based on three photos the user has to send: a photo of the user's face, and photos of both sides of their document, be it a passport or some other ID," says Kotkas. "But in the age of deepfakes, it's quite cheap and easy to manipulate those photos."

    To make fraud more difficult (and more expensive) for fraudsters, Veriff's platform relies on video capture rather than still images to verify users' identities. It cross-references these frames with the user's identification document (Veriff supports up to 10,000 ID types) and then combines this with additional data points to ensure that a real person is standing in front of the camera, and that they are who they claim to be.

    Kotkas says that, in the right conditions, just five seconds of video footage can provide 300 frames for Veriff's platform to analyze. In total, Veriff's authentication technology uses more than 1,000 data points when making verification decisions, with Kotkas noting that the more data points the platform can analyze, the more accurate its system is, which enables the company to remove subjective human involvement from the verification process.

    "We have all sorts of other data, like device data, video data [and] behavioral data, which help us to understand whether it's a real person live in front of the camera," he explains.

    Veriff aims to use the sizable funds it raised in January for hiring and R&D. Three years ago, the company had 200 employees and one lone salesperson. Today, it has more than 400 employees in Estonia, the UK, Spain, and the US, and plans to grow further.

    Within R&D, Veriff will invest in improving the technical accuracy of the verification process further. Kotkas estimates that there are some 10,000 different devices and over 10,000 types of identification documents worldwide that can be used for identity verification, and Veriff wants to be able to handle all of them with sufficient accuracy.

    Veriff isn't just targeting fintech, either: the company sees several sectors where identity verification will prove critical, and it plans to go after them.

    "We see a lot of new use cases, account recovery for example," says Kotkas. "For 20 years, the traditional way to do it has been by providing a phone number or an email address. But it's clear that today, it's not the safest option to protect your account. There are so many new companies who have to look for account recovery options, meaning that we have now a wider segment of customers."

    Even so, Kotkas recognizes that growing Veriff's reputation relies heavily on the trust and recognition it is able to gain in global markets, as well as within households.

    "It's like in e-commerce: no one wants to enter their credit card number on a random website, but if they know that the payment process is provided by PayPal, Adyen or Stripe, they trust it. This is what we want to achieve with Veriff as well," he says. "If they see that it's Veriff that provides the identity verification solution and protects their data, they will trust it, the process is smoother and then everybody is happy."

    There is a lot of talk about decentralization in technology, but Kotkas is adamant that this won't affect identity verification – there needs to be a trusted authority to provide verification of identities, after all. Today, this central role is held by the governments of the world, though Kotkas believes that, in the long run, private companies such as Veriff will offer a more efficient replacement.

    "Maybe it's not the state who has to solve the question of digital identity, as it's not easy for them to keep up with the rapid developments of the internet and fraud. I think it's easier for the state to audit three companies with whom they can cooperate when verifying data, rather than to build a layer for millions of companies themselves."

    In the meantime, Veriff is focused on building its network of customers and moving towards a future where the company's platform can operate as a single sign-on solution for services in the metaverse, which Kotkas hopes will make the still-untamed world of virtual reality a little safer for consumers. But in the long term, Veriff's main focus will remain on the identity verification space.

    "There is a strong need for it in both taking the traditional offline services such as notarized contracts or exams online, and when launching completely new services," says Kotkas. "If we don't solve the problem of identity verification, the growth of these services will quickly hit a glass ceiling."



    Latin e-commerce giant Mercado Libre hacked

    Latin American e-commerce company Mercado Libre had its systems hacked in an incident that exposed information related to 300,000 users of the platform.


    The NASDAQ-listed company disclosed the incident in an 8-K filing to the US Securities and Exchange Commission, noting that part of its source code had been subject to unauthorized access, exposing user data. The filing did not specify when the incident took place, but the firm said it has activated its security protocols and is "conducting an exhaustive analysis". The company did not provide details about where exactly in Latin America the issue originated.

    Present in most Latin American countries, Mercado Libre is the region's largest e-commerce and payments firm. The firm stressed that the hundreds of thousands of users exposed represent around 0.2% of its base of nearly 140 million unique active users, and that critical data, including payment details, has not been accessed.

    "According to our initial analysis, we have not found any evidence that our infrastructure systems have been compromised or that any users' passwords, account balances, investments, financial information or credit card information were obtained", the company said in the SEC filing, adding that it is taking "strict measures to prevent further incidents."

    The Mercado Libre hack follows another major incident at Americanas.com. Malicious actors targeted the Brazilian e-commerce retailer on February 19 in two attacks that rendered systems unavailable for days. Without providing details, the company later released a statement to its shareholders saying it hadn't found any evidence that its databases were compromised.

    Cyberattacks have been on the rise in Latin America. According to an IBM report on security threats, the region saw a 4% increase in cyberattacks in 2021 compared to the previous year. The research suggests that Brazil, Mexico and Peru were the most attacked countries in the region last year.

    As threats increase, investment in security is also on the rise: analyst firm IDC estimates that overall security spending will reach nearly $1 billion in Brazil this year, an increase of 10% on 2020. Of that total, spending on security solutions will reach $860 million, the analyst said, with cloud security becoming a key area of focus for Brazilian IT decision-makers.


    Alleged hacker behind Kaseya ransomware attack extradited, arraigned in Texas

    Yaroslav Vasinskyi, accused of being connected to the Sodinokibi/REvil ransomware group, was extradited and arraigned in a Dallas, Texas court on Wednesday. In November, the Justice Department said the 22-year-old was behind the July 2021 ransomware attack against Kaseya, which crippled hundreds of companies around the world for days. 

    CyberScoop reported in November that Vasinskyi was arrested at a border crossing in Dorohusk – a Polish-Ukrainian border town – on October 8. Vasinskyi made his first appearance and was arraigned today in the Northern District of Texas.

    "When last year I announced charges against members of the Sodinokibi/REvil ransomware group, I made clear that the Justice Department will spare no resource in identifying and bringing to justice transnational cybercriminals who target the American people," said Attorney General Merrick Garland.

    "Just eight months after committing his alleged ransomware attack on Kaseya from overseas, this defendant has arrived in a Dallas courtroom to face justice," said Deputy Attorney General Lisa Monaco. The DOJ said Vasinskyi was brought to Dallas on March 3.

    According to an indictment from August, Vasinskyi was responsible for the attack on Kaseya as well as several other companies. REvil was also accused of being responsible for the ransomware attack against food supplier JBS, which paid $11 million in Bitcoin to the attackers in exchange for the key required to decrypt its network.

    Garland said in November that Vasinskyi – who went by the name "Rabotnik" online – was one of the masterminds behind the REvil ransomware. The indictment shared by the DOJ said Vasinskyi has been part of the REvil ransomware gang since at least 2019 and has launched at least 2,500 attacks. The DOJ said he made $2.3 million from ransoms after demanding a total of more than $760 million.

    He has been charged with conspiracy to commit fraud and related activity in connection with computers, damage to protected computers, and conspiracy to commit money laundering. He is facing a total of 115 years in prison if convicted of all counts.

    News of Vasinskyi's arrest in November was paired with the seizure of $6.1 million in funds traceable to alleged ransom payments received by 28-year-old Russian national Yevgeniy Polyanin. Polyanin was also charged for his involvement with Sodinokibi/REvil.

    "The arrest of Yaroslav Vasinskyi, the charges against Yevgeniy Polyanin, and seizure of $6.1 million of his assets, and the arrests of two other Sodinokibi/REvil actors in Romania are the culmination of close collaboration with our international, US government, and especially our private sector partners," FBI Director Christopher Wray said at the time. "The FBI has worked creatively and relentlessly to counter the criminal hackers behind Sodinokibi/REvil."

    Law enforcement officials from multiple countries were involved in disrupting the REvil ransomware gang, which went dark for the second time in October. Suspected members of the group were also detained following raids by Russia's Federal Security Service (FSB) in January.

    According to the US Department of Justice, in addition to the headlining attacks on Kaseya and JBS, REvil is responsible for deploying its ransomware on more than 175,000 computers. The group allegedly brought in at least $200 million from ransoms.


    Crowdstrike reports Q4 revenue of $431 million and $1.45 billion for full year

    CrowdStrike published its fourth-quarter financial results on Wednesday, beating market estimates with solid growth from subscription customers. CrowdStrike's total Q4 revenue was $431 million, a 63% increase over a year prior. Non-GAAP net income came to $70.4 million, or 30 cents per share. Analysts were expecting earnings of 20 cents per share on revenue of $412.3 million.

    The cybersecurity company added 1,638 net new subscription customers in the quarter for a total of 16,325 subscription customers as of January 31. That represents 65% year-over-year growth. Subscription revenue was $405.4 million, a 66% increase.

    CrowdStrike's annual recurring revenue (ARR) increased 65% year-over-year and grew to $1.73 billion as of January 31. Of that, $216.9 million was net new ARR added in the quarter. For the full year, revenue was $1.45 billion, a 66% increase, while non-GAAP net income was $160.7 million.

    "Net new ARR of $217 million in the quarter was a new all-time high, driven by expansion of our leadership in the core endpoint market as well as a record quarter for cloud, identity protection, and Humio," said George Kurtz, CrowdStrike's co-founder and chief executive officer. "As our record results, growing scale, and module adoption rates demonstrate, customers are increasingly leveraging the breadth and depth of the Falcon platform as they look to transform their security stack."

    In addition to adding a record number of net new subscribers in the quarter, CrowdStrike reported solid growth in the portion of subscribers adopting multiple modules. The share of subscription customers that have adopted four or more, five or more, and six or more modules increased to 69%, 57%, and 34%, respectively, as of January 31.

    For the first quarter, the company expects total revenue between $458.9 million and $465.4 million. For the full year, it predicts revenue between $2.13 billion and $2.16 billion.


    ServiceNow releases guidance on Access Control List misconfigurations

    ServiceNow has published guidance for its customers related to Access Control List (ACL) misconfigurations after an AppOmni security report found that 70% of the instances they tested had the issue. 


    In a report released on Wednesday, AppOmni explained that the common misconfigurations come from a "combination of customer-managed ServiceNow ACL configurations and overprovisioning of permissions to guest users."

    A ServiceNow spokesperson told ZDNet that this is a "well-known" issue that happens when end users do not apply recommended configuration and governance controls to their SaaS platforms.

    "ServiceNow regularly publishes security configuration and best practice guidance to help our customers. We recommend that customers continuously monitor their security settings and user permissions to ensure that their instances are configured as intended, with an emphasis on permission levels for external users," the spokesperson said.

    AppOmni said many major SaaS platforms have this issue because of how complex they are, and noted that misconfigurations can happen during the initial implementation phase of a SaaS platform, when users or settings change, or as part of the regular cadence of SaaS updates that can impact current configurations.

    AppOmni CEO Brendan O'Connor said securing SaaS is a lot more complicated than just checking a handful of settings or enabling strong authentication for users.

    "SaaS platforms have become business operating systems because they are so flexible and powerful. There are many valid reasons for workloads and applications running on a SaaS platform to communicate externally, such as to integrate with emails and text messages or host a support portal for your customers," O'Connor said. "SaaS adoption skyrocketed during the pandemic, but unfortunately, investments in people, processes, and technology to secure and monitor SaaS has not kept up. In AppOmni's experience, significant data exposures like this are far more common than customers realize."

    Many companies use Role-Based Access Control (RBAC) as a way to grant permissions for users to access resources on a SaaS platform, and the challenge, according to AppOmni, is ensuring the right level of access when organizations update or customize SaaS applications or onboard new users. AppOmni Offensive Security Researcher Aaron Costello said ServiceNow external interfaces exposed to the public could allow a malicious actor to extract data from records.

    "The high degree of flexibility in modern SaaS platforms has made misconfiguration one of the largest security risks businesses currently face," said Brian Soby, CTO of AppOmni. "Our goal is to shed light on common misconfigurations and other potential risks in SaaS platforms so users can ensure their system posture and configuration matches their business intent."


    Smartphone malware is on the rise, here's what to watch out for

    There’s been a surge in mobile malware attacks as cyber criminals ramp up their attempts to deliver malicious text messages and applications to users in order to steal sensitive information including passwords and bank details. Cybersecurity researchers at Proofpoint say they detected a 500% jump in attempted mobile malware attacks during the first few months of 2022, with significant peaks at the beginning and end of February. 


    The main aim of a substantial proportion of mobile malware is to steal usernames and passwords for email or bank accounts, but many forms of mobile malware are also equipped with invasive snooping capabilities to record audio and video, track your location, or even wipe your content and data. As mobile malware evolves, more attacks are employing these advanced capabilities.

    Both Apple and Android smartphones are targets for cyber criminals, but researchers note that the more open nature of the Android ecosystem and the ability to install apps from third-party app stores make devices running Google's operating system more vulnerable to being compromised.

    Users of both Apple and Android smartphones can also find themselves the victim of SMS phishing (smishing) attacks, in which text messages containing links are designed to trick them into entering their bank details or login credentials into a fake website for cyber criminals to steal. Common lures include fake missed-delivery notifications and fake alerts related to the COVID-19 pandemic.

    One of the most notorious forms of mobile malware is FluBot, which has been active since November 2020 and is designed to steal usernames and passwords from banks and other sites the user visits. What makes FluBot so potent is that it's also equipped with a worm-like ability to spread itself by accessing the infected user's address book and sending SMS messages to their contacts. It's this ability to spread virally that earned it the FluBot name.

    Another form of mobile malware causing problems for smartphone users is TangleBot. Described as "powerful but elusive," TangleBot first appeared in 2021 and is delivered mainly via fake package-delivery notifications. In addition to being able to steal sensitive information and control devices, TangleBot can overlay other mobile apps and intercept camera footage and audio recordings.

    Other mobile threats detailed by Proofpoint include Moghau, SMS-based malware that deploys multi-lingual attacks to target users around the world with fake landing pages based on their country, designed to trick victims into downloading trojan malware. Meanwhile, TianySpy is malware that infects both Apple and Android users by spreading via messages that claim to come from the victim's mobile network operator.

    While the number of detected mobile attacks has declined since the surge last month, mobile malware is still a threat to users – but researchers warn that many people aren't aware of the potential danger posed by phishing or malware attacks targeting smartphones.

    Researchers recommend that users should be wary of any unexpected or unrequested messages containing links or requests for data.

    "Consumers need to be very skeptical of mobile messages that come from unknown sources. And it's important to never click on links in text messages, no matter how realistic they look. If you want to contact the purported vendor sending you a link, do so directly through their website and always manually enter the web address/URL," said Jacinta Tobin, vice president of Cloudmark operations for Proofpoint. "It's also vital that you don't respond to strange texts or texts from unknown sources. Doing so will often confirm you're a real person to future scammers," she added.

    Advice from the National Cyber Security Centre says users who receive a suspected malicious text message shouldn't click the link or install any apps if prompted. Instead, they're urged to forward the message to 7726, a free spam-reporting service provided by phone operators – and then to delete the message.


    UPS flaws allow for remote code execution and remote fire-based interruptions

    Security researchers at Armis have detailed a trio of vulnerabilities in the Smart-UPS devices sold by Schneider Electric subsidiary APC that allow for unnoticeable remote code execution, replacement of the firmware, and potentially burning out the entire unit.

    Naturally, in 2022, the flaws stem from a combination of a bad TLS implementation and, in newer devices, the ability to be controlled through a cloud-based system.

    "Since the TLS attack vector can originate from the internet, these vulnerabilities can act as a gateway to the internal corporate network. Bad actors can use the TLS state confusion to identify themselves as the Schneider Electric cloud and collect information about the UPS behind the corporate firewall," Armis said. "They can then remotely update the UPS firmware and use the UPS as the entry point for a ransomware attack or any other type of malicious operation."

    If a TLS connection hits an error, rather than closing the connection as recommended by the authors of the Mocana nanoSSL library, APC's firmware ignores some of the errors, which leaves the connection open and the library in a state it is not built to handle.

    "Ignoring the nanoSSL library errors causes the UPS to cache the TLS key in its uninitialized state," Armis said. "When an attacker uses the TLS resumption functionality, the uninitialized key (all zero) is fetched from the cache and the attacker can communicate with the device as if it was a genuine Schneider Electric server. As a seemingly verified server, the attacker can issue a firmware upgrade command and remotely execute code over the UPS device."

    Additionally, all Smart-UPS devices use the same symmetric key for encryption and decryption, and it can be extracted from the devices. As a bonus, the devices do not check whether firmware is signed, allowing attackers to persist on the device. In the words of the Bloodhound Gang: We don't need no water.
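To make the resumption failure mode concrete, here is a small model of the bug class, written for this page as an added example rather than taken from Armis, Mocana or APC. It assumes a session cache keyed by session ID, a 32-byte master secret that starts out zeroed, a server "key" standing in for the certificate check, and a single HMAC step standing in for the TLS key schedule. Under those assumptions it shows a device that swallows handshake errors accepting a forged resumption built from an all-zero key, and a device that aborts on error rejecting the same attempt:

```python
"""Toy model of the TLS session-resumption state confusion described above.

Added example for this page; not Armis' proof of concept and not nanoSSL or
APC Smart-UPS code. The session cache layout, the 32-byte key, the "server
key" standing in for a certificate check and the single HMAC step standing
in for the TLS key schedule are all assumptions made so the failure mode
can be run offline.
"""
import hashlib
import hmac
import secrets

KEY_LEN = 32
UNINITIALIZED_KEY = bytes(KEY_LEN)            # the all-zero memory the bug exposes
TRUSTED_SERVER_KEY = b"schneider-cloud-key"   # assumed stand-in for the pinned cloud cert


class HandshakeError(Exception):
    pass


def derive_traffic_key(master_secret: bytes, label: bytes) -> bytes:
    """Stand-in for the TLS PRF/HKDF; one HMAC step is enough for the demo."""
    return hmac.new(master_secret, label, hashlib.sha256).digest()


def finished_mac(master_secret: bytes, transcript: bytes) -> bytes:
    """'Finished'-style proof that the peer knows the session's master secret."""
    key = derive_traffic_key(master_secret, b"resumption")
    return hmac.new(key, transcript, hashlib.sha256).digest()


class DeviceTlsStack:
    """Device side: a session cache plus a full and a resumed handshake."""

    def __init__(self, ignore_handshake_errors: bool):
        self.ignore_handshake_errors = ignore_handshake_errors
        self.session_cache = {}   # session_id -> master secret

    def full_handshake(self, session_id: bytes, server_key: bytes, premaster: bytes) -> None:
        # Session state is allocated (zeroed) before the peer is verified.
        self.session_cache[session_id] = UNINITIALIZED_KEY
        try:
            if not hmac.compare_digest(server_key, TRUSTED_SERVER_KEY):
                raise HandshakeError("server certificate not trusted")
            self.session_cache[session_id] = hashlib.sha256(premaster).digest()
        except HandshakeError:
            if self.ignore_handshake_errors:
                # Bug: the error is swallowed, the connection stays open and the
                # zero key is left in the cache for a later resumption.
                return
            # Correct handling: abort and discard the half-built session.
            del self.session_cache[session_id]
            raise

    def resume(self, session_id: bytes, transcript: bytes, peer_finished: bytes) -> bool:
        """Return True when the peer proves it holds the cached master secret."""
        master = self.session_cache.get(session_id)
        if master is None:
            return False
        return hmac.compare_digest(finished_mac(master, transcript), peer_finished)


def attacker_resumes(device: DeviceTlsStack, session_id: bytes, command: bytes) -> bool:
    """Attacker with no valid certificate: fail a handshake, then resume with zeros."""
    try:
        device.full_handshake(session_id, b"attacker-key", b"irrelevant")
    except HandshakeError:
        pass
    forged = finished_mac(UNINITIALIZED_KEY, command)   # attacker's guess: all-zero key
    return device.resume(session_id, command, forged)


def legitimate_resumes(device: DeviceTlsStack, session_id: bytes, command: bytes) -> bool:
    """Genuine server: real handshake, then resumption with the real secret."""
    premaster = secrets.token_bytes(KEY_LEN)
    device.full_handshake(session_id, TRUSTED_SERVER_KEY, premaster)
    master = hashlib.sha256(premaster).digest()
    return device.resume(session_id, command, finished_mac(master, command))


if __name__ == "__main__":
    cmd = b"FIRMWARE_UPGRADE"
    buggy, fixed = DeviceTlsStack(True), DeviceTlsStack(False)
    print("buggy device accepts forged upgrade:", attacker_resumes(buggy, b"s1", cmd))
    print("fixed device accepts forged upgrade:", attacker_resumes(fixed, b"s1", cmd))
    print("fixed device accepts real server:", legitimate_resumes(fixed, b"s2", cmd))
```

The point of the model is that an error-tolerant handshake path leaves partially initialised session state reachable from a later, cheaper code path. The defence is not a better key but the discipline the nanoSSL authors ask for: on any handshake error, discard the session entry and close the connection, so there is nothing for a resumption to find.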
    On the extreme physical end of the equation, replacing the firmware allows an attacker to bypass software-based physical protections, such as a short-circuit alert turning off the UPS.

    "By using our RCE vulnerability we were able to bypass the software protection and let the current spike periods run over and over until the DC link capacitor heated up to ~150 degrees celsius (~300F), which caused the capacitor to burst and brick the UPS in a cloud of electrolyte gas, causing collateral damage to the device," the researchers state in a white paper [PDF]. "The exploitation risk is no longer limited to the IT world — an attacker can turn the UPS to a physical weapon. From a cyber security point of view, these kinds of systems must be handled as a flammable substance that sits in the heart of an organization."

    Armis recommends users install the patches from Schneider Electric, and use access control lists to restrict communications with the UPS to management devices and the Schneider Electric cloud, with that traffic encrypted. If the device has a network management card, Armis recommends changing the default password from "apc" to something else, and installing a publicly-signed certificate to prevent password sniffing.

    The security company said it believes 80% of organisations are vulnerable, with over 92% of healthcare organisations having a vulnerable device and retail just behind on 89%.

    Updated at 3:52pm AEST, 9 March 2022: Clarified technical information.